In 2015, unknown hackers sneaked malware into thousands of apps in the iPhone app store. At that time, the researchers believed the hack had the potential to impact hundreds of millions of people, as it affected around 4,000 apps, according to researchers’ estimates.
This made it perhaps the largest hack against iPhones in terms of affected users. But for years, the public was unaware of the full scale of the attack. Some even thought the real impact of the hack, known as XcodeGhost, the name of the malware used, would never be revealed.
But now, thanks to emails released as part of Apple’s lawsuit against Epic Games, we finally know how many iPhone users were affected: 128 million in total, of which 18 million were in the US.
“In total, 128 million customers have downloaded the more than 2,500 apps that were affected by LTD. Those customers generated 203 million downloads of the more than 2,500 apps affected by LTD,” wrote Dale Bagwell, who was a customer experience manager for Apple’s iTunes at the time, in one of the emails.
Another Apple employee wrote in the emails that “China accounts for 55% of customers and 66% of downloads. As you can see, a significant number (18 million customers) are affected in the US.”
The emails also show that Apple was struggling to discover the impact of the attack and working to notify victims.
“Due to the large number of potentially affected customers, do we want to email everyone?” Matt Fischer, Apple’s vice president for the App Store, wrote. “Note that this will pose some challenges in terms of email language localization, as downloads of these apps were made from a wide variety of App Store storefronts around the world.”
Bagwell agreed that reaching all the victims would be a challenge.
“I just want to set the expectations right here. We have a bulk request tool that will allow us to send the emails, however we are still testing to make sure we can accurately include the names of the apps for each client. There have been issues with this specific functionality in the past,” he wrote. “Also, I want to make it clear that the tool is very limited in the number of emails it can handle. With such a large batch (128 million), we would probably have to spend up to a week sending these messages, so after locating emails (which will take several days), we will need at least a week to send, if we are using the bulk request tool.”
These days, it is very common for companies to contact users directly about data breaches and it is considered good practice. All US states have legislation that requires companies to notify victims.
Apple never revealed the exact number of victims, but it did say at the time that it would let them know. The company told Motherboard on Friday that it kept users informed, but did not specifically say that it notified all victims.
“We are working closely with developers to get affected apps back on the App Store as quickly as possible for customers to enjoy,” Apple said in its 2015 FAQ about the incident, which is no longer online.
While the absolute numbers in this hack are very high, the malware itself was relatively unsophisticated and not especially dangerous.
“We have no information to suggest that the malware was used to do anything malicious or that this exploit would have delivered personally identifiable information if used,” Apple wrote on the FAQ site.
Do you investigate vulnerabilities in Apple products? Do you know of any attacks on iPhones? We would love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
The hackers inserted the malicious code into a doctored version of Xcode, Apple’s application development software, allowing them to insert the malicious code into thousands of applications.
“The creators of XcodeGhost repackaged the Xcode installers with the malicious code and posted links to the installer on many popular iOS/OS X developer forums,” security firm Lookout reported at the time. “Developers were enticed to download this doctored version of Xcode because it would download much faster in China than the official version of Xcode from Apple’s Mac App Store.”
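Because the attack relied on developers installing a repackaged Xcode from outside the Mac App Store, the defensive check is to verify that the installed copy is still Apple-signed. Apple’s own guidance at the time was to run `spctl --assess --verbose /Applications/Xcode.app` and expect an `accepted` verdict with `source=Mac App Store`, `source=Apple System` or `source=Apple`; the script below is an added example, not code from the article or from Apple, that wraps that check so the verdict logic can be exercised on constructed output. It assumes a macOS host with Xcode at the default path.

```shell
#!/bin/sh
# Added example: decide whether a Gatekeeper assessment of Xcode.app shows an
# unmodified, Apple-distributed bundle. Assumes macOS; spctl output looks like:
#   /Applications/Xcode.app: accepted
#   source=Mac App Store

# Return 0 only if the assessment text says "accepted" AND the source is one
# of the Apple-controlled origins. A repackaged installer from a forum either
# fails signature validation ("rejected") or carries a non-Apple source.
xcode_source_trusted() {
    assessment="$1"
    case "$assessment" in
        *": accepted"*) ;;
        *) return 1 ;;
    esac
    src=$(printf '%s\n' "$assessment" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the Gatekeeper assessment on a live system and evaluate the result.
# --assess applies the Gatekeeper policy; --verbose prints the verdict and source.
assess_xcode() {
    app="${1:-/Applications/Xcode.app}"
    out=$(spctl --assess --verbose "$app" 2>&1) || true
    if xcode_source_trusted "$out"; then
        echo "OK: $app is accepted from an Apple source"
        return 0
    fi
    echo "WARNING: $app failed assessment or has a non-Apple source:"
    echo "$out"
    return 1
}
```

Call `assess_xcode` on a developer Mac to run the live check; `xcode_source_trusted` can be tested offline with captured output.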
Apple has always had a good reputation in terms of security. But the company has been reluctant to speak openly and publicly about specific security incidents. Therefore, these emails, which were only released through discovery in the Epic v. Apple lawsuit over Fortnite, are an interesting peek behind the curtain, showing the true extent of the damage from this hack as well as details of how the company handled the hack’s fallout in real time.
The malware was designed to steal victims’ personal information, such as the name of the infected app, the app’s bundle identifier, device names and type, network information, and the device’s “vendor identifier,” according to Lookout.
At the time, Apple said on the FAQ site that “we are not aware of any customer personally identifiable data being affected and the code also did not have the ability to request customer credentials to obtain iCloud and other service passwords,” and that “malicious code could only have been able to deliver general information, such as applications and general system information.”
Apple also revealed the apps that included the malicious code, some incredibly popular like WeChat and the Chinese version of Angry Birds 2.
Additional reporting by Joseph Cox.