‘Apple chose not to inform users affected by Xcode infection via email’
Apple considered notifying all users affected by the Xcode malware in 2015 but appears to have failed to do so in the end. That Apple considered it is apparent from court documents in the Epic v. Apple case.
The court documents are emails between various Apple employees. In that exchange, notifying all Xcode victims, a total of 128 million users worldwide, by email is discussed. This was not done immediately because the message would have had to be written in many different languages, because the system for automatically listing which apps were affected per user did not work smoothly, and because sending 128 million emails would take about a week.
Image: Apple v. Epic lawsuit via Ars Technica
An Apple source told Ars Technica that they could find no evidence that those emails ever went out. The affected users were therefore probably never contacted directly, even though they could have been.
Apple only published a post, since deleted, on its website. It was in English and Chinese; many of the affected apps were popular in China. The iPhone maker named only the 25 most popular affected apps, because “after number 25, the apps become significantly less popular.” Despite that, the consensus among security companies is that the number of infected apps is in the ‘four digits’. Users had to update or uninstall the apps themselves.
The Xcode malware was hidden in a rogue version of the Xcode IDE that was available from Baidu’s download service. Many Chinese developers downloaded it from there because the download was much faster than from Apple’s servers, and they ignored warnings about the missing digital signature. The rogue development software smuggled malicious code into the apps being built with it.
Those apps, for things like instant messaging, internet banking, stock trading, navigation and gaming, intercepted system information such as the language setting, the name and UUID of iPhones and iPads, and the network type. The data was sent to the criminals’ command-and-control servers. The attackers were then able to send notifications to smartphones and tablets to steal user data, hijack URLs and read users’ clipboards. At the time, Apple said it had “no information to suggest that the malware was used to do anything malicious.”
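The signature warnings the developers ignored are the check a defender can automate. The script below is an added example, not code from the article or from Apple: it runs Gatekeeper's `spctl --assess --verbose` on an installed Xcode bundle and accepts it only when the assessment is "accepted" with an Apple source (Mac App Store, Apple or Apple System). The `xcode_assessment_trusted` parser is separated from the `spctl` call so it can be exercised on the constructed sample outputs without macOS.

```shell
#!/bin/sh
# Added example (not part of the article). Assumes macOS `spctl`; on other
# systems only the parser below can be exercised with sample output.

# Return 0 when spctl's verbose assessment shows "accepted" and a source that
# is one of the trusted Apple sources; anything else (rejected, no signature,
# a third-party Developer ID) returns 1.
xcode_assessment_trusted() {
    accepted=1
    source_ok=1
    while IFS= read -r line; do
        case "$line" in
            *": accepted")                                         accepted=0 ;;
            *": rejected"*)                                        return 1 ;;
            "source=Mac App Store"|"source=Apple"|"source=Apple System") source_ok=0 ;;
        esac
    done <<EOF
$1
EOF
    [ "$accepted" -eq 0 ] && [ "$source_ok" -eq 0 ]
}

# Assess an installed Xcode bundle (default path /Applications/Xcode.app).
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    command -v spctl >/dev/null 2>&1 || { echo "spctl not available (macOS only)"; return 2; }
    out=$(spctl --assess --verbose "$app" 2>&1)
    if xcode_assessment_trusted "$out"; then
        echo "OK: $app is accepted from a trusted Apple source"
        return 0
    fi
    echo "WARNING: $app did not pass assessment:"
    printf '%s\n' "$out"
    return 1
}

# Constructed sample outputs in the shape spctl prints, for offline checks.
SAMPLE_TRUSTED='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_UNSIGNED='/Applications/Xcode.app: rejected
source=no usable signature'
SAMPLE_THIRD_PARTY='/Applications/Xcode.app: accepted
source=Developer ID'
```

Run `check_xcode` (optionally with a path) on the machine being audited; a non-zero exit means the bundle should be discarded and reinstalled from the Mac App Store or Apple's developer downloads.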