Apple Pulls Malware-Infected Apps After App Store Suffers Its First Major Breach

Hackers have finally taken a bite out of Apple’s App Store: the company confirmed that attackers were able to infect some of the apps it offers with malware, by copying and modifying a tool used by software developers. Apple says it has now removed the affected apps from the App Store.

Researchers at Palo Alto Networks, an online security company, said in a blog post that about 40 apps with bad code landed in the App Store, potentially affecting hundreds of millions of users. Chinese online security company Qihoo said it has found more than 300 infected apps, reports the New York Times, including some of China’s most popular apps. Some of the affected apps, like WeChat, a messaging app with 500 million users, are available elsewhere as well.

Palo Alto Networks notes that this is the first major breach the App Store has suffered: before now, only five malicious apps had ever been found in the App Store.

Once people download the infected apps, the malware can open certain websites on the device that are aimed at infecting the device with even more viruses. It can also phish user credentials by displaying pop-up screens asking for private information like passwords for their Apple account.

“Since the dialogue is a prompt from the running application, the victim may trust it and input a password without suspecting foul play,” Palo Alto Networks said in its blog post.

Apple didn’t comment on how many apps were affected or provide steps customers could take to determine if their devices were infected, but a spokeswoman confirmed the breach, saying in a statement that fake developer code, which had been copied and modified to inject bad apps into the App Store, was “posted by untrusted sources.”

“To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software,” an Apple spokeswoman said. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

Apple is working with Palo Alto Networks, security researchers at Chinese e-commerce company Alibaba and the app makers to investigate the incident, figure out how many people have downloaded bad apps, and assess the damage.

Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps [Palo Alto Networks]
Apple Confirms Discovery of Malicious Code in Some App Store Products [New York Times]
