Security and privacy issues are magnified by velocity,volume,and variety of big data.User’s privacy is an even more sensitive topic attracting most people’s attention.While Xcode-Ghost,a malware of iOS emerging in late 2015,leads to the privacy-leakage of a large number of users,only a few studies have examined Xcode-Ghost based on its source code.In this paper we describe observations by monitoring the network activities for more than 2.59 million iPhone users in a provincial area across 232 days.Our analysis reveals a number of interesting points.For example,we propose a decay model for the prevalence rate of XcodeGhost and we find that the ratio of the infected devices is more than 60％;that a lot of popular applications,such as Wechat,railway 12306,didi taxi,Youku video are also infected;and that the duration as well as the traffic volume of most XcodeGhost-related HTTP-requests is similar with usual HTTP-request which makes it difficult to be found.Besides,we propose a heuristic model based on fingerprint and its web-knowledge to identify the infected applications.The identifying result shows the efficiency of this model.