Apple is cleaning up its App Store to remove malicious applications identified in the first large-scale attack on the popular iOS mobile software.
The company disclosed the effort after several infosec firms reported finding malicious software embedded in hundreds of legitimate apps.
It is the first reported case of large numbers of malware making their way past Apple's stringent app review process. Prior to this attack, a total of just five malicious apps had ever been found in the App Store, according to IT security firm Palo Alto Networks.
The hackers embedded the malicious code in the apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple's Xcode software for creating iOS and Mac apps.
The issue occured when developers took Xcode from the Baidu cloud sharing service - which provides faster downloads - rather than directly from Apple. Researchers from Chinese technology firm Alibaba named the tweaked code XcodeGhost.
Researchers initially thought the infections were contained to Chinese applications and predominantly affected Chinese users.
But they have since discovered that many more apps than initially identified were infected, with hundreds of millions of users globally at risk.
The infected applications include chat services, banking apps, mobile carrier applications, map services, stock trading apps and games.
Some of the more well-known include chat service WeChat and business card reader and scanner CamCard.
WeChat operator Tencent has updated the WeChat app to remove the malware and said it had no evidence of data loss.
"We’ve removed the apps from the App Store that we know have been created with this counterfeit software," Apple spokeswoman Christine Monaghan said.
"We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps."
She did not say what steps iPhone and iPad users could take to determine whether their devices were infected.
Palo Alto Networks firector of threat intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack.
However, he said it was "a pretty big deal" because it showed that the App Store could be compromised if hackers infected machines of software developers writing legitimate apps.
Other attackers may copy that approach, which is hard to defend against, he said.
"Developers are now a huge target," he said..
Chinese security firm Qihoo360 Technology said it had uncovered 344 apps tainted with XcodeGhost.
Apple declined to say how many apps it had uncovered.
The issue follows a serious flaw recently discovered in iOS 9 which attackers could exploit to plant malware on user devices in range of attacks through the AirDrop file sharing service.
The flaw was patched in the recent large bundle of iOS 9 security updates.
Update Apple has issued guidelines to developers to help them check that they are using untainted versions of Xcode, obtained only from official sources.