Mobile Threat Monday: XcodeGhost in the Shell

 & Jordan Minor Principal Writer, Software

You may have noticed that Mobile Threat Monday, a series ostensibly about malware on all mobile platforms, tends to focus almost exclusively on Android afflictions. The fact is Apple's strict content restrictions do keep iPhones and iPads more secure than the competition. So the recent reveal from Palo Alto Networks that about 40 apps on the App Store were secretly laden with malware came as a shock.

But while there are steps users can take to combat malware on Android devices, fighting this rare iOS exploit is mostly up to the developers.

XcodeGhost Riding the Whip

The infected iOS apps, from Chinese instant messaging services to international business card scanners, were all compiled with XcodeGhost. Xcode is the suite of software tools Apple provides developers for creating legitimate apps. XcodeGhost is a malicious, duplicate version of those same tools that will lace the apps it creates with commands to harvest data from the host device and transmit that potentially sensitive information to a remote server.

After learning more about the infected apps, like CamCard, Tencent's WeChat, NetEase music app, and Didi Kuaidi's Uber-like car-hailing service, what was most discouraging was that many of them were otherwise on the level. They were real apps made by trustworthy developers who unwittingly unleashed this malware onto millions of customers for potentially as long as six months.

But why would a developer use XcodeGhost when they could just get the real thing from Apple? After all, even if you didn't know XcodeGhost was malicious, using counterfeit software is still pretty shady. Well, according to Palo Alto, in some parts of the world downloading these cracked versions of Apple's tools is a lot faster and more feasible than using the official channels. And hackers prey on vulnerable developers, too, not just users.

The Developer's Burden

Mobile security experts are calling XcodeGhost the largest App Store breach in history. Although Apple has removed many of the dangerous apps, there could still be more out there on the iOS App Store and Mac OS X App Store, too. XcodeGhost is the first iOS/OS X compiler malware, and overall the sixth malware that has snuck onto the App Store after LBTM, InstaStock, FindAndCall, Jekyll, and FakeTor.

What makes iOS malware so dangerous is that if it manages to successfully infiltrate the ironclad App Store, it's very difficult to detect after the fact. Also, because Apple's security features make iOS anti-malware software basically impossible, there's really not much users can do either.

Instead, it's the developers' responsibility to keep customers safe. You could argue that Apple's stringent, lengthy, and costly review policies could've caused developers to use XcodeGhost out of frustration. But those same policies are also what make iOS malware like XcodeGhost so incredibly rare. So developers should play ball, and not use malicious tools, so consumers don't suffer. With brand new iPhones and iPads almost here, Apple fans are gearing up for their annual holiday. Here's hoping it doesn't get ruined by malware. 
