What it is: Xcode is Apple’s free development environment (IDE plus the bundled compiler toolchain) for creating OS X, iOS, watchOS, and tvOS apps.
There’s a recent hack that got infected apps into Apple’s App Store for iOS. Attackers downloaded Apple’s free Xcode, modified it so that every app built with the tampered copy was silently linked with malicious code, and then uploaded that tampered version of Xcode (dubbed XcodeGhost) to various third-party download sites for unsuspecting developers to grab. Apps built with it passed App Store review and were published before Apple discovered the problem.
Fortunately, most of the infected apps targeted the Chinese market, so users outside of Asia are far less likely to fall victim to the XcodeGhost hack. However, some games (such as Angry Birds 2) were compiled with the tampered Xcode, so although the XcodeGhost hack focused on Asia, users elsewhere could still be affected.
The real question is why developers would download Xcode from an unknown site when they could download a genuine copy for free directly from Apple. (The reported answer is that Apple’s servers are slow to reach from mainland China, which made faster local mirrors tempting; that is an explanation, not an excuse.) Back when compilers cost hundreds of dollars, it made sense for people to pirate compilers and download them from untrustworthy sites. Yet nowadays, when Xcode is completely free for anyone to download, getting it from any site but Apple’s own is simply foolish. And since a download can be tampered with on the way, the sensible follow-up is to verify the installed copy: after XcodeGhost, Apple’s own advice was to run Gatekeeper’s assessment (`spctl --assess --verbose /Applications/Xcode.app`) and confirm that it reports the copy as accepted from an Apple source.
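The check described above, written out as a small POSIX shell script. This is an added example, not code from the original post or from Apple: it classifies the two-line output that `spctl --assess --verbose` prints (a `<path>: accepted` or `<path>: rejected` verdict, then a `source=<origin>` line), treating only the Apple origins Apple’s guidance names (`Mac App Store`, `Apple System`, `Apple`) as genuine. The sample outputs embedded below are constructed for illustration, so the classifier can be exercised on a machine without `spctl`.

```sh
#!/bin/sh
# Added example (not from the original post). Classifies Gatekeeper's
# assessment of an installed Xcode.app. Expected spctl output shape:
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# A tampered or re-signed Xcode shows a different verdict or source.

# Constructed sample outputs used for offline exercise of the classifier.
SAMPLE_GENUINE='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_UNSIGNED='/Applications/Xcode.app: rejected
source=no usable signature'
# Gatekeeper accepts Developer ID apps, but Xcode must come from Apple,
# so an "accepted" verdict alone is not enough.
SAMPLE_RESIGNED='/Applications/Xcode.app: accepted
source=Developer ID'

# xcode_assessment_ok TEXT
# Returns 0 when TEXT describes an accepted, Apple-sourced Xcode; 1 otherwise.
xcode_assessment_ok() {
    # First line: everything after the last ": " is the verdict.
    verdict=$(printf '%s\n' "$1" | sed -n '1s/^.*: \([a-z]*\)$/\1/p')
    # Second line: strip the "source=" prefix to get the origin.
    origin=$(printf '%s\n' "$1" | sed -n '2s/^source=//p')
    [ "$verdict" = "accepted" ] || return 1
    case "$origin" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;
    esac
}

# check_installed_xcode [PATH]
# Runs the real assessment (macOS only) and reports the result.
check_installed_xcode() {
    app=${1:-/Applications/Xcode.app}
    out=$(spctl --assess --verbose "$app" 2>&1)
    if xcode_assessment_ok "$out"; then
        echo "OK: $app is accepted by Gatekeeper from an Apple source"
        return 0
    fi
    echo "WARNING: $app did not pass the expected assessment:"
    printf '%s\n' "$out"
    return 1
}

# Run the live check only when asked, so the file can be sourced safely.
if [ "${1:-}" = "--check" ]; then
    check_installed_xcode "${2:-/Applications/Xcode.app}"
fi
```

Run it on a Mac as `sh check_xcode.sh --check` (the filename is an assumption). A verdict of `rejected`, or an `accepted` verdict whose source is anything other than the three Apple origins, means the copy should be deleted and re-downloaded from Apple.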
The lesson from the XcodeGhost hack is that malicious hackers will stop at nothing to find a way onto other people’s computers, and that the biggest problem is people’s gullibility. Gullible people download infected attachments from e-mail addresses they’ve never heard of, follow instructions from complete strangers that end in installing malware, or, as XcodeGhost shows, download tampered software when the legitimate version is available for free. The weakest link in any security chain is usually the user.
The general rule is never to trust anything on the Internet by default. Avoid downloading software from suspicious sites, avoid unexpected e-mail messages, and assume everything is fake until proven otherwise. This still won’t protect you 100% from every malicious attack, but the less susceptible you are to simple, everyday tricks on the Internet, the less likely you are to fall prey to a malicious hacker’s tricks. Awareness and prevention are always the best defense.