Apple Reportedly Kept Malware Attack on 128 Million Users a Secret

An email released by Epic in court shows Apple opted against reaching out to affected users.
Chris Young

Apple and Epic's Fortnite-fueled court battle has both companies trying to air out the other's dirty laundry in public. As a report by Ars Technica details, Epic revealed a chain of emails in court that shows Apple higher-ups chose not to notify 128 million iPhone users about the largest-ever iOS mass compromise.

The hack in question came to light in 2015 — the year the iPhone 6S was launched — when cybersecurity researchers discovered 40 malicious "XCodeGhost" apps on the App Store. Following further research, that original number rose to 4,000 apps.

It was discovered at the time that these "XCodeGhost" apps contained code that made iOS devices part of a botnet that stole information from users.

The apps came as a result of developers using a counterfeit version of Xcode, Apple's app development tool. The counterfeit Xcode tool secretly inserted malicious code into the developers' creations.

Apple's privacy image dented

In the email released in court by Epic Games, it is revealed that Apple managers discussed the challenges of localizing a warning email to 128 million affected users across the globe. 

"Joz, Tom, and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?" App Store VP Matthew Fischer wrote in an email to Apple Senior Vice President of Worldwide Marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan.

Tellingly, this email was never sent out to the public, with an Apple representative in court unable to provide any evidence of the email having been written or sent.

Though this occurred six years ago, it's surprising to see that Apple opted against individually notifying its users about the mass compromise. Apple has long marketed itself as a company that's all about privacy — so much so that it's led to a high-profile face-off with the FBI.

The new report undeniably dents Apple's squeaky clean privacy image — which was no doubt Epic's intention in releasing the email in court.

Meanwhile, Epic and Apple's court battle continues. For those not in the know, this was kickstarted by Apple removing mega-hit battle royale game Fortnite from the App Store in August last year after it noticed Epic implemented an in-app payment system allowing it to bypass Apple's 30 percent fee for in-app purchases.