In 2015, a modified copy of Xcode that surfaced on the web was responsible for injecting malware into a number of iPhone and iPad apps that were then uploaded to the App Store. At the time, the extent of the damage this malware caused was unknown. However, emails brought forth during the Epic Games v. Apple trial revealed that a total of 128 million iOS users downloaded apps that were affected by the XcodeGhost malware.
128 million iOS users were affected by ‘XcodeGhost’ malware attack in 2015
At the time, more than 2,500 iOS apps were infected by XcodeGhost, including major apps like WeChat, NetEase, and more, with up to 500 million iOS users potentially impacted. Though the malware was dealt with swiftly, Apple did not offer additional details regarding the attack. However, emails brought forth in the Epic v. Apple trial revealed that a total of 128 million users downloaded the applications. About 18 million of those users were in the United States.
In addition to revealing the size of the hack caused by XcodeGhost, the emails also detail how the Cupertino tech giant worked to determine the impact of the attack and how to best notify users who downloaded infected apps.
“Due to the large number of customers potentially affected, do we want to send an email to all of them?” said Matt Fischer, vice president of the App Store. “Note that this will pose some challenges in terms of language localizations of the email since the downloads of these apps took place in a wide variety of App Store storefronts around the world.”
Apple’s iTunes customer experience manager at the time, Dale Bagwell, agreed that a mass notification would be challenging. Bagwell also highlighted some of the limitations of the mass-request tool, including the fact that sending a huge batch of emails to 128 million people could take up to a week.
“Just want to set expectations correctly here. We have a mass-request tool that will allow us to send the emails, however, we are still testing to make sure that we can accurately include the names of the apps for each customer,” Bagwell wrote.