S0297: XcodeGhost
XcodeGhost is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. [1] [2]
Analyst context for executives and security teams
XcodeGhost matters because it illustrates a mobile software supply-chain failure: developers built and shipped otherwise legitimate iOS apps with a modified copy of Xcode, so malicious code reached users inside apps that carried the developers' own signatures. For leaders, the key issue is not only endpoint malware cleanup, but whether the organization can trust its mobile app build pipeline, validate third-party and developer tooling, and respond when widely distributed apps may have captured sensitive user data.
Executive priority
Treat this as a decision point for mobile application assurance and incident readiness. Executives should ask whether mobile app development environments are governed, whether dependency and tooling integrity can be evidenced for audit or customer assurance, and whether the SOC and IR teams can investigate a mobile app compromise that originates before app delivery. Because related ATT&CK context includes clipboard access, GUI-based credential prompting, and compromised software dependencies/development tools, priority should be placed on controls that reduce supply-chain exposure and improve evidence collection around mobile app behavior.
Technical view
ATT&CK provides no official detection guidance for XcodeGhost, so defenders should validate coverage around the related behaviors rather than rely on a named-malware signature alone. SOC, mobile security, and IR teams should confirm they can investigate suspicious mobile app behavior associated with clipboard data access, deceptive GUI prompts for credentials or PII, and compromise of development tools or software dependencies. For organizations that build or distribute mobile apps, review build provenance, developer workstation/tooling integrity, dependency intake, code-signing workflow, and release pipeline evidence. For organizations managing mobile fleets, validate whether mobile app inventory, app version history, network behavior, and user-reported phishing prompts can be correlated during an incident.
Likely telemetry
- Mobile app inventory and installed application/version records
- Mobile device management or enterprise mobility management logs where available
- Mobile application network connections and destination telemetry
- Application build, release, and code-signing records for internally developed apps
- Developer workstation and build system integrity logs
Detection direction
- Do not assume coverage from the XcodeGhost name alone; ATT&CK does not provide an official detection analytic for this object.
- Validate monitoring for the relationship-driven behaviors: clipboard data access, GUI input capture through misleading prompts, and compromised development tools or dependencies.
- Tune investigations to distinguish legitimate mobile app prompts and clipboard use from unexpected prompts, unusual timing, or behavior inconsistent with the app’s stated function.
- For internally developed apps, compare the toolchain installed on developer workstations and build systems against the vendor-distributed copy, and compare released binaries and build artifacts against what the approved pipeline and toolchain produce.
- Review whether mobile telemetry is sparse or privacy-limited; mobile environments often lack the same depth of host telemetry available on traditional endpoints.
Mitigation priorities
- Prioritize integrity controls for mobile development tools, dependencies, build systems, and code-signing processes.
- Maintain auditable provenance for mobile app builds and releases, including approved toolchains and dependency sources.
- Use mobile application security testing to review sensitive behaviors such as clipboard access, credential prompts, and URL opening behavior.
- Ensure incident response playbooks cover mobile software supply-chain scenarios, including app removal, user notification decision points, credential reset considerations, and evidence preservation.
- For managed devices, maintain reliable app inventory and version visibility so potentially affected apps can be identified quickly.
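The detection direction on comparing build artifacts against approved tooling and the mitigation priorities on toolchain integrity and auditable provenance both come down to the same mechanic: record what the approved toolchain looks like, then diff the live install against that record. The script below is an added example for this page, not MITRE or Glexia code; the JSON manifest format (relative path to SHA-256) and the function names are this example's own conventions, and the toolchain tree it builds is constructed inline so the check runs offline.

```python
"""Toolchain / build-artifact integrity check.

Hash every regular file under an install root, compare against an approved
manifest, and report added, modified and missing files. The 'added' class is
the one a backdoored toolchain tends to produce: an object file or framework
the approved install never shipped. (Added example; manifest layout is assumed.)
"""

import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifest(approved, observed):
    """Compare an approved manifest with one taken from the live install."""
    approved_paths, observed_paths = set(approved), set(observed)
    return {
        "added": sorted(observed_paths - approved_paths),
        "missing": sorted(approved_paths - observed_paths),
        "modified": sorted(
            p for p in approved_paths & observed_paths if approved[p] != observed[p]
        ),
    }


def verify_install(root, approved_manifest_path):
    """Diff a live install against a stored manifest; 'ok' is True only if nothing changed."""
    approved = json.loads(Path(approved_manifest_path).read_text())
    result = diff_manifest(approved, build_manifest(root))
    result["ok"] = not (result["added"] or result["missing"] or result["modified"])
    return result


def demo():
    """Constructed scenario: record a clean toolchain, then inject one framework
    and replace the compiler binary, and verify both changes are reported."""
    with tempfile.TemporaryDirectory() as tmp:
        tool = Path(tmp) / "Toolchain"
        (tool / "usr/bin").mkdir(parents=True)
        (tool / "usr/lib").mkdir(parents=True)
        (tool / "Library/Frameworks").mkdir(parents=True)
        # Fake Mach-O-ish contents; only the hashes matter here.
        (tool / "usr/bin/clang").write_bytes(b"\xcf\xfa\xed\xfe clean compiler")
        (tool / "usr/lib/libclang.dylib").write_bytes(b"\xcf\xfa\xed\xfe clean library")

        manifest_path = Path(tmp) / "approved.json"
        manifest_path.write_text(json.dumps(build_manifest(tool)))
        assert verify_install(tool, manifest_path)["ok"]

        # Tampering: one file added to the framework search path, one modified.
        injected = tool / "Library/Frameworks/Injected.framework"
        injected.mkdir()
        (injected / "Injected").write_bytes(b"not in the approved build")
        (tool / "usr/bin/clang").write_bytes(b"\xcf\xfa\xed\xfe trojaned compiler")
        return verify_install(tool, manifest_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the approved manifest is generated once from a vendor-signed install and stored with the release records, so the diff output doubles as the provenance evidence the mitigation list asks for. The same routine works on build output directories to compare a release candidate with an artifact rebuilt on a trusted pipeline.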
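The detection direction on distinguishing legitimate prompts and clipboard use from behavior inconsistent with an app's stated function, and the mitigation on using mobile application security testing to review clipboard access, credential prompts and URL opening, can both be started with a static triage pass. The script below is an added example, not MITRE, Glexia or Palo Alto code: it extracts printable strings from an app binary the way `strings` does, matches them against real Objective-C class and selector names for those three behaviors, and compares the hits with what the app is declared to need. The sample binaries are constructed stand-ins for a Mach-O method-name section, and the "declared needs" policy and the co-occurrence rule for a credential-shaped prompt are this example's own heuristics.

```python
"""Static triage of an app binary for clipboard, credential-prompt and URL-open behavior.

Added example. Class and selector names are real Objective-C API names that
appear as literal strings in Mach-O binaries; the categories, the co-occurrence
rule for credential prompts, and the declared-needs policy are assumptions.
"""

import re

ALERT_CLASSES = {"UIAlertView", "UIAlertController"}
# Selectors that turn an alert into a password-style prompt.
SECURE_INPUT = {
    "setAlertViewStyle:",
    "addTextFieldWithConfigurationHandler:",
    "setSecureTextEntry:",
}
SENSITIVE_APIS = {
    "clipboard": ["UIPasteboard", "generalPasteboard"],
    "credential_prompt": sorted(ALERT_CLASSES | SECURE_INPUT),
    "url_open": ["openURL:", "openURL:options:completionHandler:"],
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob):
    """Printable ASCII runs of 4+ bytes, like the `strings` tool."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def classify(strings):
    """Map behavior categories to the API names actually referenced."""
    present = set(strings)
    hits = {}
    for category, names in SENSITIVE_APIS.items():
        found = sorted(n for n in names if n in present)
        if found:
            hits[category] = found
    # Any app may show an alert; only alert + secure text entry is credential-shaped.
    if "credential_prompt" in hits:
        found = set(hits["credential_prompt"])
        if not (found & ALERT_CLASSES and found & SECURE_INPUT):
            del hits["credential_prompt"]
    return hits


def triage(app_name, blob, declared_needs):
    """Report behaviors the binary references that its stated function does not need."""
    uses = classify(extract_strings(blob))
    unexpected = {c: v for c, v in uses.items() if c not in declared_needs}
    return {"app": app_name, "uses": uses, "unexpected": unexpected, "review": bool(unexpected)}


def build_sample(selectors):
    """Constructed stand-in for a Mach-O binary: magic bytes plus NUL-separated names."""
    body = b"\x00".join(s.encode("ascii") for s in selectors)
    return b"\xcf\xfa\xed\xfe" + b"\x00" * 8 + body + b"\x00"


# Constructed inputs: a flashlight app as it should look, and one that also
# prompts for a password, reads the clipboard and opens URLs.
FLASHLIGHT = build_sample(["viewDidLoad", "AVCaptureDevice", "setTorchMode:"])
SUSPECT = build_sample([
    "viewDidLoad", "AVCaptureDevice", "setTorchMode:",
    "UIAlertView", "setAlertViewStyle:",
    "UIPasteboard", "generalPasteboard",
    "openURL:",
])


if __name__ == "__main__":
    for name, blob in (("Flashlight-clean", FLASHLIGHT), ("Flashlight-suspect", SUSPECT)):
        print(triage(name, blob, declared_needs=set()))
    # A password manager legitimately needs prompts and the clipboard; only URL opening stands out.
    print(triage("PasswordVault", SUSPECT, declared_needs={"clipboard", "credential_prompt"}))
```

This is a triage filter, not a verdict: a hit says the app can perform the behavior, and the dynamic review (when the prompt appears, what it asks for, where the clipboard contents go) decides whether it is consistent with the app's stated function. On a real binary, run it over the decrypted Mach-O rather than the App Store package, since encrypted segments hide the method names.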
Analyst notes and limits
The supplied ATT&CK object identifies XcodeGhost as iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. The most useful defensive context comes from the relationships to Clipboard Data, GUI Input Capture, and Compromise Software Dependencies and Development Tools. Glexia’s interpretation is therefore focused on mobile supply-chain assurance, mobile app behavior validation, and incident readiness rather than unsupported claims of current activity.
ATT&CK lists no platforms, tactics, labels, aliases, or official detection text for this object, although the description identifies it as iOS malware. The relationship descriptions are partially truncated in the supplied data. This take does not assess current exploitation, attribution, customer exposure, or detection effectiveness; those require local telemetry, app inventory, build pipeline evidence, and current threat intelligence.
XcodeGhost
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1417.002 | GUI Input Capture (sub-technique) | XcodeGhost can prompt a fake alert dialog to phish user credentials. [2] |
| Mobile | T1414 | Clipboard Data | XcodeGhost can read and write data in the user's clipboard. [2] |
| Mobile | T1474.001 | Compromise Software Dependencies and Development Tools (sub-technique) | XcodeGhost was injected into apps by a modified version of Xcode (Apple's software development tool). [1] [2] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3949130369fc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] PaloAlto-XcodeGhost1: Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Palo Alto Networks. Retrieved December 21, 2016.
[2] PaloAlto-XcodeGhost: Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Palo Alto Networks. Retrieved December 21, 2016.
[3] XcodeGhost: ATT&CK name record for this object; cites [1] and [2].
[4] mitre-attack S0297: MITRE ATT&CK, Software S0297 XcodeGhost. https://attack.mitre.org/software/S0297
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.