A Chinese mobile ad provider named Youmi was the developer that was siphoning information. The affected apps are mostly China-based and included the official McDonalds app for Chinese speakers. Apple released a statement saying, “We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
The apps were detected by SourceDNA, a security analytics startup. Its researchers found four major classes of information that were gathered by apps using the Youmi ad SDK. This included a list of all the apps installed on the phone, the platform serial number of iPhones and iPads when running older versions of iOS, list of hardware components as well as their serial number on devices running newer versions of iOS, and email address associated with the user’s Apple ID.
Last month, Apple was cleaning the App Store of more than 300 applications that were affected by a malicious program called XcodeGhost. The code affected iPhone and iPad programs. The program was embedded in a number of legitimate apps in the Store and developers of the apps unknowingly added the code by using a ‘tainted’ version of Xcode. Xcode is Apple’s own software that is used to create apps for iOS and OS X. Although Apple did not make an official statement as to the number of apps that were affected, a Chinese security firm called Qihoo360 said that it found 344 apps with XcodeGhost.
Source: Ars Technica