Compromised apps remain in Apple China App Store; $1M bounty offered for iOS 9 exploits


App analytics company SourceDNA – whose clients include Google, Amazon and Dropbox – claims that the compromised versions of many apps remain live in the Chinese App Store. This includes CamCard, which is a very popular app ranked #94.

The apps were infected with malware by a fake version of Xcode dubbed XcodeGhost which legitimate developers were fooled into downloading, believing it to be a copy of the genuine Apple app. A partial list of infected apps has been posted by security company Palo Alto Networks … 

It was revealed in documents leaked by Snowden earlier this year that using a forged version of Xcode to inject malware into apps is a route the CIA considered using. It was unclear at that time how the agency could get developers to use the compromised app.

While Apple said on Sunday that it was aware of the issue and was removing infected apps, SourceDNA claims that its scans reveal that compromised versions of more than a thousand apps remain live in the Chinese version of Apple’s App Store, and told us that some of them have been infected since April.

Meantime, Wired revealed that security industry firm Zerodium – whose founder Chaouki Bekrar sells spyware to government agencies and corporations around the world – is offering a $1M bounty to anyone who can provide an exploit for breaking into an iPhone or iPad running iOS 9. The requirements for this bounty are quite high, relying on finding a very rare device exploit that can be activated through a website or text message, and if one is found it’s unlikely that it will be announced publicly.

The terms of the offer include the demand that the bug not be reported to Apple or publicly disclosed, the better to allow Zerodium’s customers to use the technique in secret. Apple didn’t immediately respond to a request for comment.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel


  1. Dave Huntley - 7 years ago

    How can you refer to Zerodium as a security company when it buys for OS exploits to sell to “customers” and doesn’t make them public or to the manufacturer? It’s a privatized KGB right?

  2. I’m thinking that the quote you have at the end of the article, presumably from Zerodium, did not include that final line about Apple not offering comments. That probably was probably intended to be a separate paragraph after the quotation.

  3. lkrupp215 - 7 years ago

    Interesting how much of the tech media is leaving out the China connection. Most articles state that the “App Store’ has been compromised with infected apps. No mention that this is mostly a China thing and that U.S. and European stores don’t have these apps.

    • galley99 - 7 years ago

      Linkbait articles aren’t concerned with such relevant details.

  4. davidt4n - 7 years ago

    I think Zerodium is investing 1M in order to blackmail Apple


Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear