In a nutshell, hackers infected a legitimate copy of Xcode, then made that tainted copy available for download on Baidu in China. Developers sometimes turn to Baidu when Apple’s servers in China are slow.
The developers unknowingly used their tainted copy of Xcode to build infected apps, then uploaded those infected apps to the Chinese App Store. Some of those apps made their way to app stores in other countries.
From this report from Palo Alto Networks:
We checked these apps and list them below in this report. As of this writing, we see 39 iOS apps being infected, some of which are extremely popular in China and in other countries around the world, comprising hundreds of millions of users.
The infected iOS apps include IMs, banking apps, mobile carrier’s app, maps, stock trading apps, SNS apps, and games. Among the more well-known apps are WeChat (developed by Tencent); Didi Chuxing (developed by Didi Kuaidi), the most popular Uber-like app in China; Railway 12306, the only official app used for purchasing train tickets in China; China Unicom Mobile Office, which is in use by the biggest mobile carrier in China; and Tonghuashun, one of the most popular stock trading apps.
Some apps are also available from the App Store in other countries. For example, CamCard, developed by a Chinese company, is the most popular business card reader and scanner in many countries (including the US) around the world. WeChat is the most popular IM app not only in China but also in many countries or regions in Asia Pacific. Version 6.2.5 of WeChat is what we have verified to be infected. Tencent has updated to 6.2.6, which removed the malicious code.
The report links known infected apps.
The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in an email. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
She did not say what steps iPhone and iPad users could take to determine whether their devices were infected.