Apple can now detect apps infected with XcodeGhost. But there's already an improved version of XcodeGhost that tries to make it harder to analyze and detect.
"Every once in a while, you hear about something getting into the App Store that isn't supposed to be there," Arnott said. "But there's kind of an endless list of tricks that malicious developers can use to try to get this stuff past Apple's review process."
To figure out if the third-party framework was the culprit, Possible Mobile had used a command-line tool, grep, to find the URLs that XcodeGhost was programmed to contact, Arnott said.
"The problem with that sort of approach is once those strings change," Arnott said. "We don't necessarily have a solution for that."
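The literal-string check described above, as an added example (not Possible Mobile's script and not code from the article): it scans every file in an app bundle for fixed indicator strings. The bundle layout, the function names and the `placeholder-c2.example.invalid` URL are constructed placeholders, and a grep with `-r` and `-a` (GNU or BSD) is assumed.

```shell
#!/bin/sh
# Build a constructed sample bundle: one clean app binary, one third-party
# framework binary with a placeholder URL embedded between binary bytes.
make_sample_bundle() {
    root=$1
    mkdir -p "$root/Demo.app/Frameworks/Vendor.framework"
    printf '\317\372\355\376\000plain app code\000' > "$root/Demo.app/Demo"
    printf '\317\372\355\376\000http://placeholder-c2.example.invalid/\000\377' \
        > "$root/Demo.app/Frameworks/Vendor.framework/Vendor"
    # Indicator list: one fixed string per line, '#' starts a comment.
    printf '%s\n' '# constructed placeholder, not a real indicator' \
        'http://placeholder-c2.example.invalid/' > "$root/indicators.txt"
}

# scan_for_indicators DIR INDICATOR_FILE
# Prints "file<TAB>indicator" for each hit; returns 0 on any hit, 1 if none.
scan_for_indicators() {
    dir=$1
    indicators=$2
    found=1
    while IFS= read -r ind; do
        case $ind in ''|'#'*) continue ;; esac
        # -r recurse, -a read binaries as text, -l list file names only,
        # -F match a fixed string (no regex metacharacters in URLs).
        matches=$(LC_ALL=C grep -r -a -l -F -e "$ind" "$dir" 2>/dev/null | sort)
        if [ -n "$matches" ]; then
            found=0
            printf '%s\n' "$matches" | while IFS= read -r f; do
                printf '%s\t%s\n' "$f" "$ind"
            done
        fi
    done < "$indicators"
    return $found
}

# Demo run on the constructed bundle: only the framework binary is reported.
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir"
scan_for_indicators "$demo_dir/Demo.app" "$demo_dir/indicators.txt"
rm -rf "$demo_dir"
```

Because the match is on literal bytes, a build whose strings have changed produces no hit, so a clean result only means these exact indicators are absent.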
The cat-and-mouse game will pose challenges for Apple and developers, Graves said. Apple's guidance can be vague when apps are rejected, probably to prevent attackers getting tipped off about Apple's security processes.
"This story is definitely not over," Graves said. "It's taken a while, but with the proliferation of mobile and iOS being a high-value target, they're seeing a lot more attention from the black-hat society."