What Was XcodeGhost? Inside the 2015 iOS Supply‑Chain Attack and Its Aftermath
The article chronicles the 2015 XcodeGhost incident, detailing how a malicious Xcode version infected dozens of popular iOS apps, the response from Tencent, Apple, and security researchers, and the lessons learned for developers and the broader mobile security community.
This article compiles a timeline of the XcodeGhost incident based on information from platforms such as "Programmer's Some Things" and public sources.
2015‑09‑14 (pre‑event)
National Internet Emergency Center (CNCERT) issues warning
Tencent Security Response Center reported discovering an app that sent encrypted traffic to a suspicious domain on launch and exit, prompting a rapid analysis that reconstructed the infection method, the virus's behavior, and its impact. The product team released a new version and reported the issue to CNCERT, which took immediate measures.
2015‑09‑14
Most developers only learned of the warning on September 18.
2015‑09‑16
Tencent Security announced that 76 of the top 5,000 apps on the App Store were infected and informed Apple and the affected vendors.
2015‑09‑17
XcodeGhost gains attention online.
Although XcodeGhost's malicious behavior is not extremely severe, it is the first propagation method specific to iOS and may foreshadow more serious attacks. The technique recalls Ken Thompson's "Reflections on Trusting Trust", in which a compromised compiler silently inserts backdoors into everything it builds. The attacker, known as "coderfun", lured developers into downloading tampered Xcode versions (6.1‑6.4) from various forums and file‑sharing sites.
Foreign security firm Palo Alto releases analysis report
(Update: time‑zone differences were later corrected; Palo Alto’s analysis appeared after the domestic reports.)
2015‑09‑18 – First batch of infected apps disclosed
Weibo user @图拉鼎 listed the following compromised apps:
NetEase Cloud Music
Didi Chuxing
12306
China Unicom Mobile Service Hall
Gaode Map
Kaiyan (开眼)
NetEase Open Course
Xiachufang (下厨房)
51Card Safe (financial app)
Tonghuashun
CITIC Bank Mobile Space
NetEase Cloud Music later issued an announcement (see image).
19:17 – Analysis of XcodeGhost’s actual usage
After a user installs an infected app, the malware sends user data to a server, which may respond with instructions to show simulated pop‑ups prompting for payment, redirect to a malicious installer, or take other actions. The malware can also invoke private APIs for further attacks and includes in‑app purchase abuse. Users who see unexpected Apple ID or password prompts should change their credentials immediately.
21:02 – Second list of infected apps (image)
21:43 – Tencent WeChat team statement
The issue only affects iOS 6.2.5; the latest WeChat version has resolved it, and users can upgrade without impact.
2015‑09‑19 – Author of XcodeGhost claims it was an experiment
Developer discussion and recommendations
Apple's strict review process was bypassed because the malicious code used only public APIs, making it indistinguishable from legitimate analytics code. After infection, the malware collects the system version, app name, device ID, language, and other non‑sensitive data, then sends it encrypted to remote servers. Potential payloads include phishing dialogs, fake App Store pages, forced updates via unofficial channels, and promotion of other apps. Developers should delete any Xcode obtained from untrusted sources, rebuild their apps with official Xcode, and consider using a dedicated, managed build server for releases. Security researchers note that similar supply‑chain attacks could reappear, and that whoever controls DNS resolution (through DNS poisoning or a rogue Wi‑Fi network) could redirect the malware's command domains to servers of their own.
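As an added example (not code from the original article, and not Apple's or Tencent's tooling), the following POSIX shell script implements the "rebuild with official Xcode" step from the recommendations above: it runs Apple's documented Gatekeeper assessment, spctl --assess --verbose, against the installed bundle and accepts only the sources Apple lists for a genuine copy (Mac App Store, Apple, Apple System). The default path /Applications/Xcode.app and the exact shape of spctl's output are assumptions about macOS; the verdict parsing sits in its own function so it can be exercised with constructed output on any system.

```shell
#!/bin/sh
# Added example: refuse to use an Xcode.app whose Gatekeeper assessment does not
# say it is signed by Apple. Assumed default path: /Applications/Xcode.app.

# Decide whether one spctl assessment (passed as a single string, possibly
# spanning two lines: "<path>: accepted" then "source=<origin>") describes a
# genuine Apple-distributed Xcode. Returns 0 for genuine, 1 otherwise.
# The accepted origins are the ones Apple documents for Xcode; anything else
# (Developer ID, Notarized Developer ID, "no usable signature", ...) is rejected.
xcode_verdict_ok() {
    verdict="$1"
    case "$verdict" in
        *": rejected"*)
            return 1 ;;                         # Gatekeeper itself refused it
        *": accepted"*"source=Mac App Store" | \
        *": accepted"*"source=Apple System" | \
        *": accepted"*"source=Apple")
            return 0 ;;                         # genuine Apple signature
        *)
            return 1 ;;                         # accepted, but not from Apple
    esac
}

# Run Gatekeeper on the given bundle (assumed default /Applications/Xcode.app)
# and print a one-line result suitable for a pre-build gate in a release script.
verify_xcode() {
    app="${1:-/Applications/Xcode.app}"
    if [ ! -d "$app" ]; then
        echo "MISSING: $app is not present" >&2
        return 2
    fi
    # spctl output is captured whole; $() strips trailing newlines, so the
    # "source=" line is the last thing in the string.
    result=$(spctl --assess --verbose "$app" 2>&1)
    if xcode_verdict_ok "$result"; then
        echo "OK: $app is Apple-signed ($(printf '%s' "$result" | tail -n 1))"
        return 0
    fi
    echo "REJECT: do not build releases with $app" >&2
    printf '%s\n' "$result" >&2
    return 1
}

# Usage from a release script (only meaningful on macOS with Gatekeeper):
#   verify_xcode /Applications/Xcode.app || exit 1
```

Wire verify_xcode into the start of the release build so a tampered toolchain fails the pipeline before any binary is produced; a managed build server should run this against its own Xcode after every toolchain update.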
Overall, the XcodeGhost incident highlighted a vulnerability in the iOS app supply chain, the importance of obtaining development tools from trusted sources, and the need for rigorous build‑server security.
21CTO