"We've removed the apps from the App Store that we know have been created with this counterfeit software," Apple spokeswoman Christine Monaghan said in an email. "We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps."
She did not say what steps iPhone and iPad users could take to determine whether their devices were infected, but in a broader statement released by the company, Apple said it took security "very seriously" and that iOS was "designed to be reliable and secure from the moment you turn on your device."
Apple declined to say how many apps it had removed. But researchers said infected apps included Tencent's popular mobile chat app WeChat, car-hailing app Didi Kuaidi and a music app from Internet portal NetEase.
Chinese security firm Qihoo360 said on its blog that it had uncovered 344 apps tainted with XcodeGhost.
Palo Alto Networks Director of Threat Intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack.
Still, he said it was "a pretty big deal" because it showed that the App Store could be compromised if hackers infected machines of software developers writing legitimate apps. Other attackers may copy that approach, which is hard to defend against, he said.
Read MoreApple customers report devices crashing on iOS 9 update
"Developers are now a huge target," he said.
The tainted version of Xcode was downloaded from a server in China that developers may have used because it allowed for faster downloads than using Apple's U.S. servers, Olson said.
Didi Kuaidi said in an emailed statement users' privacy was not intruded upon, and the app has been immediately updated to address the issue.
In a mea culpa on its official Weibo microblog, NetEase apologized to users, saying their private information was not compromised and a fix has been issued.
- CNBC.com contributed to this report.