The larger question is how the apps were able to bypass Apple's review.
David Richardson, an iOS expert with Lookout Mobile Security, said it's often hard to figure out at first glance the intent of an app.
Many of the capabilities built into XcodeGhost and the mobiSage SDK were not dissimilar to technologies used by ad networks or analytics platforms that Apple allows, he said.
But it was clear that the counterfeit version of Xcode didn't come from Apple, which was a big tipoff to malicious intent, Richardson said.
The mobiSage SDK case is fuzzier: the ad library doesn't do anything outright malicious, which is possibly why Apple gave it a pass to the store, Richardson said.
Still, FireEye labeled the apps using it as "high risk" in its blog post.
Claud Xiao, a security researcher with Palo Alto Networks, said how Apple reviews apps for security is largely a mystery.
"Nobody knows how they do it," said Xiao, who did extensive research into XcodeGhost.
There are two broad methods for reviewing code. Static analysis examines the code (or the compiled binary) itself without running it, while dynamic analysis runs the application and watches how it actually behaves.
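The following is an added illustration of the difference between the two methods; it is example code written for this article, not code from Apple, Lookout, Palo Alto Networks or any app discussed here. The sample "app" is a constructed Python snippet that stores the host it contacts XOR-encoded, so the plaintext hostname never appears in its source. The hostname `beacon.example.invalid` and the key `0x5A` are placeholders chosen for the example, not indicators from any real malware. A static scan that searches the code text for the hostname misses it; a dynamic scan that runs the sample with an instrumented network call sees the decoded host the moment the sample tries to use it.

```python
"""Static vs dynamic review of a constructed, obfuscated sample (added example)."""

# Hypothetical indicator of compromise used only for this demonstration.
INDICATOR = "beacon.example.invalid"

# Constructed sample "app". The contact host is stored XOR-encoded with key 0x5A,
# so a plain string search over the source (or a binary's string table) finds
# nothing. It only becomes visible when the code runs and decodes it.
SAMPLE_SOURCE = '''
KEY = 0x5A
ENCODED_HOST = bytes([0x38, 0x3F, 0x3B, 0x39, 0x35, 0x34, 0x74, 0x3F, 0x22, 0x3B,
                      0x37, 0x2A, 0x36, 0x3F, 0x74, 0x33, 0x34, 0x2C, 0x3B, 0x36,
                      0x33, 0x3E])

def run(send):
    """Decode the host at runtime, then contact it through send()."""
    host = bytes(b ^ KEY for b in ENCODED_HOST).decode()
    send(host, b"ping")
    return host
'''


def static_scan(source: str, indicator: str) -> bool:
    """Static analysis: inspect the code as text, never execute it."""
    return indicator in source


def dynamic_scan(source: str, indicator: str) -> bool:
    """Dynamic analysis: execute the code with an instrumented network API
    and record every host it tries to reach. Nothing is really sent."""
    contacted = []

    def recording_send(host, payload):
        contacted.append(host)  # observe behaviour instead of transmitting

    namespace = {}
    exec(source, namespace)          # the constructed sample only, never untrusted input
    namespace["run"](recording_send)
    return indicator in contacted


def compare(source: str = SAMPLE_SOURCE, indicator: str = INDICATOR) -> dict:
    """Run both reviews over the same sample and report what each one finds."""
    return {
        "static": static_scan(source, indicator),
        "dynamic": dynamic_scan(source, indicator),
    }


if __name__ == "__main__":
    print(compare())  # {'static': False, 'dynamic': True}
```

The asymmetry is the point: a string-level static check is cheap but is defeated by even trivial encoding, while the dynamic check catches the decoded value because it observes effects rather than text. Neither side is complete in practice. A stronger static pass could flag the XOR decode loop itself as suspicious, and a sample that checks for a sandbox or only misbehaves after a delay can hide from a short dynamic run.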
But malware writers have long used advanced techniques to obscure what they're doing in order to evade security scans and code reviews, Xiao said.
A cursory review of an app may not be able to detect if one was developed using the counterfeit version of Xcode or the legitimate version, he said.
The XcodeGhost and the mobiSage SDK problems show that Apple's code reviews are "not as perfect as we thought before," Xiao said.