In September 2015, Apple managers choose not to notify 128 million iPhone users about the worst mass iOS compromise on record.
Recently, emails were presented in the Epic Games lawsuit that showed Apple top brass discussed how to handle a 2015 iOS hack but never went through on their plans to notify affected users.
The infected apps made iPhones and iPads part of a botnet that stole user information. This happened because developers when writing apps used a fake copy of Xcode, Apple’s app development tool. Dubbed XcodeGhost, the fake app maker software injected malicious code in otherwise normal apps. The malicious code made iPhones report to hacker’s command-and-control servers and siphon such device information as the name of the infected app, network information, app-bundle identifier, “identifierForVendor,” device name, type, and unique identifier.
According to the court documents in Epic Games’ lawsuit against Apple, on September 21, 2015, Apple had uncovered 2,500 malicious apps downloaded a total of 203 million times by 128 million users worldwide.
In the surfaced email, App Store VP Matthew Fischer asks his colleagues, a senior vice president of worldwide marketing Greg Joswiak and Apple PR managers Tom Neumayr and Christine Monaghan:
“…Due to the large number of customers potentially affected, do we want to send an email to all of them?”
The email continued:
“If yes… this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language).”
Apple never followed through on these plans, but instead published only this now-deleted post.
The post provides very general information about the top 25 most downloaded apps. “If users have one of these apps, they should update the affected app which will fix the issue on the user’s device,” the post stated. “If the app is available on [the] App Store, it has been updated, if it isn’t available it should be updated very soon.”