It was entirely possible to become a victim of malware by downloading an app whose developer had no intention of doing anything malicious. The result was the same, however.
The event is being called XcodeGhost: the malicious code was added by a tampered copy of Xcode, Apple's own development toolkit, rather than by the app developers themselves.
The normal rules of smartphone ownership went out the window with this one. It did not require the user to do anything sketchy (no root, no jailbreak, no install from a third-party store), and the apps were not coming from developers of ill repute, just from developers who were tricked into installing what they believed were required updates to their development tools.
Apple is working to remove any apps containing the XcodeGhost malware, which included a hugely popular car-hailing app (unnamed), WeChat, and a music service.
The BBC is reporting that the malicious code could push notifications to trick you into giving out identifying information; beyond that, the details of what it could do are not listed.
There are no numbers yet for how many apps were infected, nor do I see any assurances that the same thing wasn't going on in the US version of the App Store.
It seems as though Apple could add a layer of security to verify that the compiler and development kit that produced a submission had not been tampered with before the app is code-signed. It will be interesting to see how this develops.
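As an added example (not code from the original post, and not Apple's own tooling), here is the developer-side version of that toolchain check as a POSIX shell script: a downloaded archive is compared against a digest pinned out of band before it is installed, and on macOS the installed Xcode bundle is put through the Gatekeeper assessment (`spctl --assess --verbose`) that Apple recommended to developers after XcodeGhost. The sample archive (the bytes "abc") and its pinned `EXPECTED_SHA256` are constructed for the demo; a real pinned digest would come from the vendor over a separate, authenticated channel.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apple.
# Two checks to run before trusting a development toolchain:
#   1. compare a downloaded archive against a digest pinned out of band;
#   2. on macOS, ask Gatekeeper whether the installed Xcode bundle still
#      carries a valid Apple signature (spctl --assess --verbose), which is
#      the check Apple recommended to developers after XcodeGhost.

# Constructed sample: SHA-256 of the three bytes "abc". A real pinned digest
# would be published by the vendor over a separate, authenticated channel.
EXPECTED_SHA256="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Print the hex SHA-256 of a file, using whichever tool the platform has.
sha256_of() {
  [ -f "$1" ] || return 1
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# Return 0 only when the file's digest exactly matches the pinned value.
# Any mismatch (truncated download, swapped archive, trojaned build) fails.
verify_archive() {
  archive="$1"
  expected="$2"
  actual=$(sha256_of "$archive") || return 1
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# macOS only: Gatekeeper assessment of an installed app bundle.
# Returns 0 if accepted, 1 if rejected, 2 if the check cannot run here.
gatekeeper_accepts() {
  bundle="$1"
  [ -d "$bundle" ] || return 2
  command -v spctl >/dev/null 2>&1 || return 2
  spctl --assess --verbose "$bundle" 2>&1 | grep -q ': accepted'
}

# Demo on a constructed archive (the bytes "abc"), so it runs anywhere.
demo() {
  tmp=$(mktemp) || return 1
  printf 'abc' > "$tmp"
  if verify_archive "$tmp" "$EXPECTED_SHA256"; then
    echo "sample archive: digest matches pinned value"
  else
    echo "sample archive: DIGEST MISMATCH, do not install"
  fi
  # Simulate a tampered download by appending a single byte.
  printf 'x' >> "$tmp"
  if verify_archive "$tmp" "$EXPECTED_SHA256"; then
    echo "tampered archive: unexpectedly accepted"
  else
    echo "tampered archive: rejected as expected"
  fi
  rm -f "$tmp"

  rc=0
  gatekeeper_accepts /Applications/Xcode.app || rc=$?
  case "$rc" in
    0) echo "Xcode.app: accepted by Gatekeeper" ;;
    1) echo "Xcode.app: REJECTED by Gatekeeper, reinstall from Apple" ;;
    *) echo "Xcode.app: Gatekeeper check not available on this host" ;;
  esac
}

demo
```

The digest check only helps if the expected value is obtained somewhere other than the mirror that served the archive; a hash published next to a tampered download is worthless. The Gatekeeper check catches the XcodeGhost case specifically because a repackaged Xcode no longer verifies against Apple's signature, so an "accepted" result with an Apple source is what a developer should expect to see.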
[BBC]