
Security firm publishes list of some of the iOS apps infected by XcodeGhost – including Angry Birds 2 [Update: more apps]


Update 1: The list of apps has now been updated with apps identified by Dutch security company Fox-IT. The company is reporting seeing malware traffic from the apps in Europe.

Update 2: Rovio has advised that only the version of Angry Birds 2 in the Chinese App Store was affected.

I wish to clarify that Rovio can confirm that only the Chinese build of Angry Birds 2 — available only on the App Store in Mainland China, Taiwan, Hong Kong and Macau — is vulnerable to the security issue. All other builds of Angry Birds 2 available in other countries are completely safe and secure. An update of Angry Birds 2 for customers in Mainland China, Taiwan, Hong Kong and Macau that fixes the issue is coming very shortly.

After yesterday’s revelation that hundreds of iOS apps on the App Store had been infected by malware, security company Palo Alto Networks has posted a list of some of the affected apps – which include Angry Birds 2.

The apps were infected by a fake copy of Xcode dubbed XcodeGhost, unwittingly downloaded by Chinese developers in place of the real thing. It’s believed they downloaded the fake from local servers because it took too long to download the original from Apple’s own servers. It’s not yet known why Apple’s own checks did not detect the malware when apps were submitted to the App Store.

It’s been suggested that over 300 apps are infected, with 31 of them so far identified (list below) … 

  • Angry Birds 2
  • CamCard
  • CamScanner
  • Card Safe
  • China Unicom Mobile Office
  • CITIC Bank move card space
  • Didi Chuxing, developed by Uber’s biggest rival in China, Didi Kuaidi
  • Eyes Wide
  • Flush
  • Freedom Battle
  • High German map
  • Himalayan
  • Hot stock market
  • I called MT
  • I called MT 2
  • IFlyTek input
  • Jane book
  • Lazy weekend
  • Lifesmart
  • Mara Mara
  • Marital bed
  • Medicine to force
  • Micro Channel
  • Microblogging camera
  • NetEase
  • OPlayer
  • Pocket billing
  • Poor tour
  • Quick asked the doctor
  • Railway 12306, the only official app used for buying train tickets in China
  • SegmentFault
  • Stocks open class
  • Telephone attribution assistant
  • The driver drops
  • The Kitchen
  • Three new board
  • Watercress reading
  • WeChat

Although it’s unclear whether U.S. and European app stores have been affected, the safest course if you have any of the apps installed is to delete them and then download again from the App Store as and when available. Apple says that it has removed all the infected versions and is working with developers to get clean versions uploaded in their place.

Interestingly, a Snowden leak from the CIA’s internal wiki system suggested that the agency had considered using a modified version of Xcode as an attack vector.

Via Business Insider



  1. Tinny - 8 years ago

    Angry Birds is still available

    • Waldi Ratamair - 8 years ago

      WeChat too

      • cc (@ccinuse) - 8 years ago

        Because everyone, including the developer who downloaded the compromised Xcode, believed that the DMG file has some checksum method to ensure the apps are signed — there is Gatekeeper in OS X, which is designed to protect them from unsigned binaries.
        And Apple did not provide the MD5 or SHA1 result when you download Xcode 7 beta from the developer web page.
        The HTTP link for the download is not secure. They should use HTTPS instead. Or the company could be targeted by MITM.

        The most important reason is they assumed the OS X platform is secure and that all software is basically not injected with malware.
        They should be more careful in the first place.

    • iSRS - 8 years ago

      Yeah, last update was 9/14 – Listed as an Editor’s Choice

      Wondering why Apple didn’t pull it down. If it disappears today, we will know it is bad, if not, I wonder if it is fine.

    • scottwilkins - 8 years ago

      The app has already been fixed. The available version is not affected.

  2. PhilBoogie - 8 years ago

    I downloaded AB2 on July 30 – was the hacked Xcode already out back then?

  3. AeronPeryton - 8 years ago

    Terrible breach of security, Apple is probably going to rewrite Xcode to keep from getting burned like this again.

    Though, as always with Apple breaches, I am pleased with how quickly and how well they have responded to it. If they have the ability to remotely kill apps, like I think they do, this is the time to use it.

    • Khakionion (@Khakionion) - 8 years ago

      Rewriting Xcode would not prevent this from happening.

      • يحي (@aratuk) - 8 years ago

        No, there are ways Apple could remotely verify the integrity of the copy of Xcode used to compile a given app. Some implementation of a checksum of Xcode components, etc.

        The change in the submission process to bitcode rather than fully-compiled binaries should greatly help in identifying problems, too.

    • David Krug - 8 years ago

      This wasn’t a problem with Xcode, it was an issue with developers downloading the compromised version of Xcode from a site other than Apple and using it to write their apps.

      • AeronPeryton - 8 years ago

        I know. But Apple is going to take this infiltration personally, I’ll bet. There’s going to be some kind of safeguard to prevent this from being possible in the future.

    • leifashley - 8 years ago

      The real question is along with Apple, why did the companies all get screwed over? Did they not check their crap to make sure they got a real version of Xcode?

      Apple maybe should have caught it, but the companies that were breached for sure should have caught it.

  4. usmansaghir - 8 years ago

    Apple have done really well to avoid such attacks on the App Store. Even though the App Store has over 1.2 million apps, it’s a really small number of apps that have A bit disappointed really.. I have always criticised Android for its high security breaches. I think I will be avoiding a few of my friends for a couple of days. Lol

    • myke2241 - 8 years ago

      It’s not about the number, it’s about high-profile devs like the people who are behind AB2, WeChat etc. not using signed software and not downloading direct from Apple. This could be a breach on their end; regardless, heads will be rolling and people will be fired today!

  5. iSRS - 8 years ago

    So, I, like many, have Angry Birds 2. I just deleted it. Changing my Apple ID password now. I have two factor authentication enabled, so am I at relatively low risk? Also, having deleted the “infected” app, am I safe once again?

  6. Bruno Bürgi (@berun0) - 8 years ago

    Is it sensible to think that deleting these infected apps will remove the threat from your device? I doubt that. The door has been opened to whatever is now lurking in the depths of the iOS filesystem. I would reset the whole device, starting with new keys.

    • jmholmes83 - 8 years ago

      Apps are sandboxed. That’s not the app’s call, the OS isn’t allowing it to venture outside its walls.

      • myke2241 - 8 years ago

        Not exactly true. Sometimes apps will ask for access to other parts of the file system (contacts, location data etc.). The user grants access because they are thinking everything is legit.

      • leifashley - 8 years ago

        That’s completely true. The app has permissions to access other parts of the OS like files and photos UNTIL it’s deleted. Then it loses those rights and is no longer a threat.

  7. nonyabiness - 8 years ago

    Angry Birds 2?! Why would such a high profile software company with one of the highest grossing game series on the App Store, use a pirated copy of Xcode?? In the voice of Yoda: No sense this makes.

    • Patrick - 8 years ago

      Maybe there isn’t an Angry Birds 2… maybe the complete app is a Chinese counterfeit.

    • iSRS - 8 years ago

      Yeah, that and the fact it is still available, I am wondering if it is the real one or not

    • It’s a Chinese version, not the same one you’ll get from the US or any European store.

      • Ben Lovejoy - 8 years ago

        Though a Dutch security company is reporting seeing malware traffic from the apps within Europe – see the update above.

      • Found in Europe because Chinese developers are of course free to list their apps in more than one store, just like other devs. I didn’t mean to imply that malware couldn’t be found outside of the one store, but that Angry Birds specifically in the Chinese app store is a different binary entirely and was compiled and uploaded from China, not from Rovio offices elsewhere like the US/rest of world version.

  8. davidt4n - 8 years ago

    This is something unacceptable. If Steve Jobs is still alive, someone is gonna get fired, or maybe more.

    • vandiced - 8 years ago

      If Steve jobs were alive the cancer would’ve spread to his brain making him even more egocentered and unbearable

    • rafterman11 - 8 years ago

      I hate to break this to you, but Apple under Jobs had its own fair share of scandals and failures (remember “you’re holding it wrong?”)

      So, all these “if Steve were here. . .” posts are nonsense.

      • leifashley - 8 years ago

        We remember, and we remember that Jobs came out to point to the fact ALL phones have these issues, not just iPhone. But if you’re going to wrap your legs around it and expect calls to get through, then you’re an idiot.

  9. Ben, you’ve done a bad cut and paste it seems. It’s 39 identified as of the 18th by Palo Alto and more from Fox-IT, all referenced in the original post you linked. Also, “Angry Birds 2” is not one of the infected apps, but a local Chinese version is on the list.

    • iSRS - 8 years ago

      So the US Version of Angry Birds 2 is safe?

    • Ben Lovejoy - 8 years ago

      It appears the list is being updated regularly, with new apps as well as translations.

      • I know – it was last updated FRIDAY however. And I’m the one who posted the updated list here in the comments. Which has been trimmed by an admin to remove the names of the apps.

  10. seboslaw (@seboslaw) - 8 years ago

    Angry Birds 2 is mentioned nowhere in the Palo Alto Networks list. Check the link.

    • Ben Lovejoy - 8 years ago

      The whole list of apps was originally in Mandarin, and is being gradually translated. Angry Birds 2 is there in Mandarin: 愤怒的小鸟2 2.1.1

  11. samvais (@samvais) - 8 years ago

    Is there a separate version of Angry Birds 2 only available in Chinese? Is only the Chinese version infected?
    I checked App Store on my iPhone and Angry Birds 2 there doesn’t list Chinese as an available language. However you can find a (clearly) Chinese version of it by googling “ios app store 愤怒的小鸟2”. Which leads to

  12. vtcajones - 8 years ago

    Luckily, with the way iOS is designed, the amount of information these cracked apps can get is extremely minimal. They can read your clipboard – that’s probably the worst one, and could potentially be bad if you are copy/pasting passwords; however, the other stuff is extremely minor and still requires the user’s permission to access any sensitive data like photos and contacts.

  13. Wim B. Depestel - 8 years ago

    Angry Birds 2 is still in the store!

  14. @benlovejoy Seems like it’s the Xcode issue that we learned about from the Snowden leaks. I don’t understand why there’s no mention of this in the press.


    “Documents provided by former NSA contractor Edward Snowden detail a number of initiatives, including an attempt to crack encryption keys implanted into Apple’s mobile processor, and a method compromising Xcode — the Apple tool used to create the vast majority of iOS apps.”

  15. crichton007 - 8 years ago

    I feel fortunate to have not installed any of these apps.

  16. iSRS - 8 years ago

    “I wish to clarify that Rovio can confirm that only the Chinese build of Angry Birds 2 — available only on the App Store in Mainland China, Taiwan, Hong Kong and Macau — is vulnerable to the security issue. All other builds of Angry Birds 2 available in other countries are completely safe and secure. An update of Angry Birds 2 for customers in Mainland China, Taiwan, Hong Kong and Macau that fixes the issue is coming very shortly.”

    Whew — Too bad I am too cautious. Changed my Apple ID Password. Which, with 4 Apple TVs, 2 iPads, a few iPods, a few Macs and a couple iPhones all connected to the account?

    Is a major PitA

    • Krioni - 8 years ago

      Oh, wow. Don’t ever try to access Apple’s Discussion forums online, then. They have a policy of expiring “old” (6 months?) passwords, but ONLY there. So, you’re happily humming along, with your Apple ID on multiple devices, when you make the mistake of trying to post something in Apple’s support forums. Guess what? You just caused yourself a big headache and waste of time.

  17. scottwilkins - 8 years ago

    Couple things to note here.

    1. This is NOTHING like what Android is going through. Android is open to full frontal attacks on individual phones. Plus Apple was able to repair the issue quickly and decisively. So now, there is no issue, unless your phone remains non-updated. Which is something much harder to fix on an Android device.

    2. The attack was 99% on Chinese apps, not apps used in other countries. So a far majority of users would never have seen these problems.

  18. fanfoot - 8 years ago

    Well, I don’t think things are quite as posted here. I have CamCard for example. It is in theory one of the identified apps. I have uninstalled it. However, while it has not been updated since April 2015 it is STILL available on the app store. So either:

    – The US version was never infected
    – The US version was and still is infected
    – The last updated date is wrong
    – ???


    p.s. Why why why haven’t you updated the title of the post to remove Angry Birds 2 now that it is confirmed that the US version was never infected?

    • Ben Lovejoy - 8 years ago

      Best guess right now is that only the Chinese App Store was affected, but Apple hasn’t confirmed that, so the safest course remains to delete and reinstall any of the apps listed.


Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
