[1] The software first gained widespread attention in September 2015, when a number of apps originating from China harbored the malicious code.
Security firm Palo Alto Networks surmised that because network speeds were slower in China, developers in the country looked for local copies of the Apple Xcode development environment, and encountered altered versions that had been posted on domestic web sites.
[9] On September 16, 2015, a Chinese iOS developer mentioned[10] on the social network Sina Weibo that malware in Xcode injects third-party code into apps compiled with it.
Attackers took advantage of this situation by distributing compromised versions on such file hosting websites.
According to documents leaked by Edward Snowden, CIA security researchers from Sandia National Laboratories claimed that they "had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool."
The UIWindow class is "an object that manages and coordinates the views an app displays on a device screen".
When the infected app is launched, either on an iPhone or in the simulator inside Xcode, XcodeGhost automatically collects device information such as: The malware then encrypts that data and sends it to a command and control server.
[12] XcodeGhost is also able, each time an infected app is launched, to store the data written to the iOS clipboard.
[22] Fox-IT, a Netherlands-based security company, reports that it found thousands of instances of malicious traffic outside China.