128M iOS users were affected by 2015 XcodeGhost malware
A total of 128 million iOS users downloaded apps that were affected by the XcodeGhost malware in 2015, according to emails revealed during the Epic Games v. Apple trial.

Credit: AppleInsider
The XcodeGhost malware was inserted into otherwise legitimate applications to mine user data in a coordinated campaign in 2015. Although the malware was quickly stopped, details about the full impact of the attack remained murky.
However, emails published as part of the Epic v. Apple trial have finally given us a clearer picture of the scope of the hack. In total, 128 million users downloaded the more than 2,500 tainted applications. About 18 million of those users were in the U.S., according to Vice, which first spotted the emails.
In addition to revealing the magnitude of the hack, the emails also detail how Apple scrambled to work out how serious it was and notify victims.
"Due to the large number of customers potentially affected, do we want to send an email to all of them?" said Matt Fischer, vice president of the App Store. "Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world."
Dale Bagwell, Apple's iTunes customer experience manager at the time, agreed that a mass notification would be challenging.
"Just want to set expectations correctly here. We have a mass-request tool that will allow us to send the emails, however we are still testing to make sure that we can accurately include the names of the apps for each customer," Bagwell wrote.
Bagwell also brought up some of the limitations of the tool, including the fact that sending a mass batch of emails to 128 million people could take up to a week.
Although the malware was widespread on the App Store, it wasn't particularly sophisticated or dangerous. At the time, Apple said it didn't have any information to suggest it was used to do anything malicious or harvest personally identifiable information.
The incident led Apple to acquire SourceDNA, a startup specializing in malware detection.

Comments
So what’s the big deal?
It’s like we don’t already have a preview of this with Cydia on jail-broken iPhones: Malware packaged with all manner of titles, especially free games which lures in naive users and kids.
Also keep in mind that the smartphone platforms are constantly the target from blackhats to intelligence agencies: the idea of opening the gates to 3rd party stores out of Apple’s control is plainly stupid.
Personally, I'm thankful that this malware—and this is malware—wasn't particularly dangerous to users so that iOS and the App Store could be hardened so that more nefarious uses of this malware could be stopped before it was created.
Um, the big deal is that a path to insert much more dangerous malware was discovered. Man am I ever glad some people will never work for Apple.
A court-ordered opening of the App Store to multiple vendors (or simply allowing phones to download apps from anywhere) destroys a significant aspect of the iOS ecosystem, which is that one company owns making sure it is properly moderated and that moderation failures can be remediated quickly.
It is true that MacOS allows users to run anything, and that Apple has a means to certify Mac apps that are distributed outside of the Mac App Store, but the scale of Mac applications is tiny in comparison to what iOS has to deal with and Apple's analysis of certified apps is relatively minimal. Every time I download an app from somewhere on a Mac, I kind of need to do enough google searching to make sure I am downloading a trustworthy app from a trustworthy source.
But, Apple does need to change its App stores. It needs to rid the App Store of copycat apps, it needs to allow third-party app stores which curate items on the App Stores with some revenue sharing. It actually needs to reduce its fees from 30% to 25% and for higher-volume apps down to 15% or 10%.
The App Store is annoyingly anti-competitive and the App Store itself suffers from not being pushed by genuine competition. It just isn't clear how competition can be introduced while keeping it safe. Epic just seems to be trying to blow it up, converting it into the Wild West of 1990s Windows. That wouldn't end well.