Last week, Wired revealed that a number of Apple (AAPL) apps containing malicious code had been downloaded from the App Store by Chinese users. At the time of the Wired article, it was believed that the number of infected apps was fewer than two dozen.
On Sunday, however, the Wall Street Journal reported that cybersecurity firm Palo Alto Networks (PANW) discovered more than three dozen infected apps, and on Monday morning Reuters reported that Chinese security firm Qihoo360 (QIHU) announced the discovery of more than 300 compromised apps.
For now, it would seem that the actual number of apps infected in the App Store hack remains a mystery, as AAPL officials have refused to reveal how many were discovered during an internal examination.
Researchers at Alibaba (BABA) revealed, however, that several popular apps from reputable developers were among those that contained the malicious code, including Tencent Holdings’ (TCEHY) WeChat and the Cloud Music app from NetEase (NTES).
What is known, though, is the manner in which the App Store hack occurred: The malicious code was embedded into a counterfeit version of Xcode, the software used by developers to create apps for iOS. The existence of malware in the App Store is notable, and “prior to this attack, only five malicious apps had ever been found in the App Store.”
Uncovering a Larger Threat
The App Store hack highlights a very real threat to mobile security — inept developers likely to be tricked into using infected or counterfeit software to create otherwise legitimate iOS apps. Developers who obtained the Xcode program from unverified sources are at risk of creating compromised apps.
While the existence of malware is nothing new, even in the mobile device arena, the generally accepted principle has been that apps downloaded directly from the App Store could be trusted to be free of malware or other malicious code.
Last week’s discovery of XcodeGhost, the name given by Alibaba security experts to the malicious code, serves as a stark reminder that hackers are everywhere, and they are adept at devising cunning new ways to gain access to private information.
So while Apple may have removed the compromised apps — or as many as were discovered, anyway — there’s nothing management can do to ensure iOS apps are developed in a properly secured environment using only legitimately obtained software. AAPL can, however, implement procedures to examine new apps for malicious exploits, such as XcodeGhost, prior to making them available on the App Store.
Is AAPL Stock at Risk?
Because the malware was detected at a relatively early stage, and because the infected apps were reportedly limited to the Chinese App Store, iPhone and iPad users outside China have no reason for concern. Even though AAPL stock has benefitted from significant growth from Chinese consumers, there’s no indication that share prices will dip in the wake of the App Store hack.
Shares of AAPL stock are down nearly 10% over the past six months, but looking longer-term they’re up rather significantly — AAPL is up 13% over the past year and 190% over the past five years. Investors clearly aren’t concerned about the discovery of the XcodeGhost malware, and Apple’s reputation for protecting consumers surely contributed to the lack of panic selling.
These days, nobody gasps in shock at news of another security breach, and nobody panics when another group of hackers is discovered. That is, unless the hacking was being done by our own government, in which case chaos ensues.
Interestingly, the XcodeGhost malware exploit process is identical to methods described in leaked CIA documents, which detailed the agency’s ongoing efforts to circumvent Apple security by creating a modified version of Xcode. So far, however, no one has accused the U.S. government of being behind the App Store hack.
In a telephone interview with Wired, one of Uber’s cybersecurity specialists — who made headlines a few years ago by publicizing weaknesses in the App Store — gave perhaps the simplest solution to the problem of using compromised Xcode development software. He said, “The moral of the story is: don’t download random crap from Chinese sites.”
He may be on to something.
As of this writing, Greg Gambone did not hold a position in any of the aforementioned securities.