Court Documents: Apple Didn’t Disclose Hack Compromising 128 Million iPhones

The Apple vs Epic court case has unveiled some unexpected information. This includes a hack that compromised 128 million iPhones.

The Apple vs. Epic court case seemed to promise to tackle the question whether or not Apple is or is not a monopoly. While it seemed to be just about Epic challenging the fees, it seems the court case unveiled even more dirty laundry than expected.

Apparently, in 2015, an app known as XcodeGhost was added into the Apple app store. The malware laden app was then downloaded and used for a pile of different apps. Eventually, the number of infected apps soared into the thousands. Ultimately, it compromised an estimated 128 million iPhones of users who downloaded and used the apps developed with the malicious app.

Apple, for its part, became aware of the malware floating around in the app store. In response, they chose not to say anything. From Arstechnica:

The mass hack first came to light when researchers uncovered 40 malicious App Store apps, a number that mushroomed to 4,000 as more researchers poked around. The apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information.

About 10 hours later, Bagwell discusses the logistics of notifying all 128 million affected users, localizing notifications to each users’ language, and “accurately includ[ing] the names of the apps for each customer.”

Alas, all appearances are that Apple never followed through on its plans. An Apple representative could point to no evidence that such an email was ever sent. Statements the representative sent on background—meaning I’m not permitted to quote them—noted that Apple instead published only this now-deleted post.

The post provides very general information about the malicious app campaign and eventually lists only the top 25 most downloaded apps. “If users have one of these apps, they should update the affected app which will fix the issue on the user’s device,” the post stated. “If the app is available on [the] App Store, it has been updated, if it isn’t available it should be updated very soon.”

The incident shattered two big myths surrounding technology. The first is that Apple devices are less prone to malware because malware developers focus on Microsoft devices. This hasn’t been all that true in a long time, but it is a nice reminder that Apple does suffer from malware. To further destroy this myth, even the veil of Apple’s walled garden isn’t enough to protect users from malware.

The other myth this incident shatters is the myth that if you get malware, chances are, you got it because you browse random sites or use pirated content. The idea is that legitimate customers of various apps will never have to worry about malware and that such malware is only generally found off of content that has been pirated. While this myth has also been untrue for some time, this latest revelation offers another example that users can get hit with malware as well.

What’s worse is the fact that Apple chose not to be forthcoming with this whole incident. Since this incident predates GDPR regulation, GDPR won’t necessarily apply here. Still, it does offer another example of how companies are known to choose not to say anything about a security incident that hit their users. That is why it is critical that countries put into law that there are repercussions for companies who choose not to disclose a security incident. Europe did so and other countries should follow Europe’s example here.

At any rate, the number of compromised devices is certainly terrifying. Hopefully, something is done to ensure that, for one, an exploit like this doesn’t happen again (tall order), and for another, Apple learns that they need to disclose to users when something gets compromised.

Drew Wilson on Twitter: @icecube85 and Facebook.



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: