Whomever created XcodeGhost has also developed a new version that can target iOS 9, called XcodeGhost S, FireEye wrote.
That update appears intended to get around a defense Apple built into iOS 9 to ensure most connections with other servers are encrypted. It also uses a method to try defeat static detection of the command-and-control servers it communicates with, FireEye wrote.
Apple has removed one app infected with XcodeGhost S which loosely translates to "Free State." It's a shopping app for travelers that was offered in Apple's App Store in the U.S. and China, FireEye said.
Sign up for CIO Asia eNewsletters.