Apple has announced it is removing a malicious code added to a number of apps commonly used on iPhones and iPads in China.
It is thought to be the first large-scale attack on Apple’s App Store.
The hackers had created a counterfeit version of Apple’s software for building iOS apps, which it persuaded developers to download.
Apps compiled using the software could steal data about the users and send it to servers controlled by the hackers.
In addition, the attackers could send fake alerts to infected devices to trick their owners into revealing passwords and other information.
The infected applications include Tencent’s hugely popular WeChat app, a music downloading app and an Uber-like car hailing app.
Some of the affected apps – including the business card scanner CamCard – are also available outside China.
An Apple spokeswoman said apps created using the counterfeit software, XcodeGhost, had now been removed from the App Store.
“We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,” said Christine Monaghan.
On its official WeChat blog, Tencent said the security issue affects an older version of the app – WeChat 6.2.5 and the newest versions were not impacted.
It added that an initial investigation showed that no data theft or leakage of user information had occurred.
Potentially hundreds of millions of users were impacted by the infected apps, experts say.
Earlier this month, login names and passwords for more than 225,000 Apple accounts were stolen by cyber-thieves in China.
The majority of people affected were in China.