FireEye is a pretty good company.
I judge them by what they did not tell the public. . . and what FireEye did not tell the public was the most important part of the XcodeGhost story.
They wanted the public to assume the 4000+ infected apps were in the Apple App Store and that the members of the public were in danger of downloading those apps merely by using the US Apple App Store when there was ZERO chance of doing that because there were no infected files in the US. Not a single XcodeGhost app ever was found in the US App Store, and only five were found in the China Apple App Store.
The 4000+ other infected app files that FireEye were for either jailbroken iOS devices or they had to be side-loaded into non-jailbroken iOS devices by spoofing stolen or borrowed Enterprise Certificates to make the iPhone or iPad install them as if they were from an employer's enterprise account from a third-party app store.
This was dishonest reporting to the US market. For any American consumer to be infected required that consumer to jump through some pretty difficult hoops. FireEye knew all this and failed to report it. . . and it took days for it to come out. At the same time, they were approaching businesses selling their Enterprise iOS anti-malware app.