Apple Inc said on Sunday it is cleaning up its iOS App Store to remove malicious iPhone andiPad programs identified in the first large-scale attack on the popular mobile software outlet.
The company disclosed the effort after several cyber security firms reported finding a maliciousprogram dubbed XcodeGhost that was embedded in hundreds of legitimate apps.
It is the first reported case of large numbers of malicious software programs making their waypast Apple's stringent app review process. Prior to this attack, a total of just five malicious appshad ever been found in the App Store, according to cyber security firm Palo Alto Networks Inc.
The hackers embedded the malicious code in these apps by convincing developers of legitimatesoftware to use a tainted, counterfeit version of Apple's software for creating iOS and Mac apps,which is known as Xcode, Apple said.
"We've removed the apps from the App Store that we know have been created with thiscounterfeit software," Apple spokeswoman Christine Monaghan said in an email. "We areworking with the developers to make sure they're using the proper version of Xcode to rebuildtheir apps."
She did not say what steps iPhone and iPad users could take to determine whether their deviceswere infected.
Palo Alto Networks Director of Threat Intelligence Ryan Olson said the malware had limitedfunctionality and his firm had uncovered no examples of data theft or other harm as a result of theattack.
Still, he said it was "a pretty big deal" because it showed that the App Store could becompromised if hackers infected machines of software developers writing legitimate apps. Otherattackers may copy that approach, which is hard to defend against, he said.
"Developers are now a huge target," he said.
Researchers said infected apps included Tencent Holdings Ltd's popular mobile chat appWeChat, car-hailing app Didi Kuaidi and a music app from Internet portal NetEase Inc.
The tainted version of Xcode was downloaded from a server in China that developers may haveused because it allowed for faster downloads than using Apple's US servers, Olson said.
Chinese security firm Qihoo360 Technology Co said on its blog that it had uncovered 344 appstainted with XcodeGhost.
Apple declined to say how many apps it had uncovered.