Palo Alto threat bod Claud Xiao says XcodeGhost-infected apps are open to man-in-the-middle attacks and contain a beachhead for other malware writers to attack devices.
More than 4000 apps have been infected since developers downloaded a malicious copy of the Xcode iOS development tool through a file-sharing service.
The vulnerability in the infected apps can be exploited on all infected iOS devices.
Xiao says the DES ECB mode -encrypted communication streams between infected apps and the attacker's command and control servers are poorly encrypted and contain easily-discoverable private keys.
"XcodeGhost used HTTP to upload information and receive command and control server commands ... it's also not hard to find the encryption key in its code by reverse engineering," Xiao says.
"There's a vulnerability in the infected iOS apps whereby the malicious code in them can be controlled by any man in the middle.
"By exploiting this vulnerability, an attacker can construct any URL in any scheme and control infected apps to open or prompt an alert dialog for further attacks."
The vulnerability persists regardless of the scuppering of the XcodeGhost command and control servers.
The malicious xcode package was modified to trojanise apps in a way that passed App Store security checks, and was advertised on popular developer forums as a faster source to download the 3Gb Xcode file.
Apple has continued to exorcise the App Store of malicious apps uploaded in what has been widely considered to be Cupertino's first big malware attack. ®