Among the top infected iOS apps were WeChat, Didi Taxi, Baidu Music, Angry Bird 2 - Yifeng Li's Favorite, and Flush. The apps are most popular in China.
But iOS users outside of the People's Republic were also affected, contended both Guerra and Wei. While some iOS apps are limited to specific markets, most are not, and thus appear on Apple's numerous e-stores across the globe. Guerra said that Appthority found evidence of malformed apps downloaded by users around the world; Wei added that U.S. users were among them.
Reports of what the infected apps actually did also varied widely.
Guerra and Wei said that their investigations concluded that the apps were behaving like adware, a category named for spewing unwanted and unauthorized advertisements.
"It collects all kinds of device information and sends it to a remote server," wrote Andreas Weinlein, a research and development engineer at Appthority, in a post to his firm's blog this week. "In addition, the response to those requests are able to trigger a standard iOS alert and able to open a given URL or show the App Store page of a given app."
The URL provided by XcodeGhost serves up ads, said Guerra. "It's very similar to aggressive adware," he noted, theorizing that the XcodeGhost group was financially motivated and had figured out how to monetize a large number of other developers' downloads.
Things could have been worse, Guerra and Wei agreed, if the hackers had baked more serious malware into the bogus Xcode. "There were rumors that it can steal iCloud passwords, but the original code [in XcodeGhost] does not have this ability," said Wei, who speculated that other criminals may have ridden XcodeGhost's coattails by modifying the counterfeit Xcode themselves to boost the attack code's functionality.
Apple began yanking the XcodeGhost-infected apps earlier in the week, and urged developers to retrieve the Xcode development toolkit from Apple's own servers, not elsewhere. The company also published instructions for verifying that a copy of Xcode is legitimate on its developer website.
Apple also took the unusual step of going public on the threat, including a Q&A-formatted post on its China website. (Apple did not replicate that post on its websites for other markets, however.)
"We have removed the apps from the App Store that we know have been created with this counterfeit software and are blocking submissions of new apps that contain this malware from entering the App Store," Apple stated in the post.
Apple blamed developers for the infections, saying that they had not only downloaded Xcode from an unofficial -- and by implication, untrusted -- source, but had to have turned off Gatekeeper for the infection to make it into their apps.