In 2015, unknown hackers snuck malware onto thousands of apps on the iPhone App Store. At the time, researchers believed the hack had the potential to impact hundreds of millions of people, given that it affected around 4,000 apps, according to researcher estimates.
This made it perhaps the largest hack against iPhones ever in terms of affected users. But for years, the full scale of the hack was unknown to the public. Some even thought the real impact of the hack—known as XcodeGhost, after the name of the malware used—would never be revealed.
But now, thanks to emails published as part of Apple's trial against Epic Games, we finally know how many iPhone users were impacted: 128 million in total, of which 18 million were in the US.
"In total, 128M customers have downloaded the 2500+ apps that were affected LTD. Those customers drove 203M downloads of the 2500+ affected apps LTD," Dale Bagwell, who was Apple's manager of iTunes customer experience at the time, wrote in one of the emails.
Another Apple employee wrote in the emails that "China represents 55% of customers and 66% of downloads. As you can see, a significant number (18M customers) are affected in the US."
The emails also show that Apple was scrambling to figure out the impact of the hack, and working on notifying the victims.
"Due to the large number of customers potentially affected, do we want to send an email to all of them?" Matt Fischer, Apple's vice president for the App Store, wrote. "Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world."
Bagwell agreed that reaching out to all victims would be a challenge.
"Just want to set expectations correctly here. We have a mass-request tool that will allow us to send the emails, however we are still testing to make sure that we can accurately include the names of the apps for each customer. There have been issues with this specific functionality in the past," he wrote. "Also - I want to be clear that the tool is very limited in the number of emails it can handle. With a batch this big (128M) we would likely have to spend up to a week sending these messages, so after localizing the emails (which will take several days) we'll need at least a week for the send - if we are using the mass-request tool."
These days, it's very common for companies to reach out directly to users about data breaches, and doing so is considered best practice. All states in the US have legislation that requires companies to notify victims.
Apple never disclosed the exact number of victims, but it did say at the time that it would notify them. The company told Motherboard Friday that it kept users informed, but did not specifically say it notified every single victim.
"We’re working closely with developers to get impacted apps back on the App Store as quickly as possible for customers to enjoy," Apple said in its FAQ about the incident from 2015, which is not online anymore.
While the sheer numbers in this hack are very high, the malware itself was relatively unsophisticated and not especially dangerous.
"We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used," Apple wrote in the FAQ.
The hackers inserted the malicious code into a tampered version of Xcode, Apple's app development software, which allowed them to sneak the malicious code into thousands of apps built with it.
"XcodeGhost’s creators repackaged Xcode installers with the malicious code and published links to the installer on many popular forums for iOS/OS X developers," security firm Lookout reported at the time. "Developers were enticed into downloading this tampered version of Xcode because it would download much faster in China than the official version of Xcode from Apple’s Mac App Store."
Apple has always had a good reputation in terms of security. But the company has been reluctant to speak publicly and candidly about specific security incidents. So these emails, which were only released because of discovery in the Epic v. Apple Fortnite trial, are an interesting peek behind the curtain that shows the fuller extent of the damage from this hack, as well as specifics about how the company handled the hack's fallout in real time.
The malware was designed to steal some information from victims, such as the name of the infected app, the app's bundle identifier, the device's name and type, network information, and the device's "identifierForVendor" value, according to Lookout.
At the time, Apple said in the FAQ that "we're not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords," and that "malicious code could only have been able to deliver some general information such as the apps and general system information."
Apple also disclosed the apps that included the malicious code, some of them incredibly popular, such as WeChat and the Chinese version of Angry Birds 2.
Additional reporting by Joseph Cox.