The devs may have disabled the digital signature validation (Gatekeeper on OS X). The second version of the signing protection implemented for OS X 10.10 (and patched into 10.9.5) will validate every file in Xcode.app. First-gen signature checking was just checking the runtime binary (the executable in Contents/MacOS inside the .app bundle).

It's possible the hacked Xcode versions did properly validate as well. The leaked CIA documents indicating the US government was doing something similar hinted at an OS X installer hack too: http://www.macrumors.com/2015/03/10/leaked-cia-documents-hacked-xcode/

Hopefully Apple can quickly add this detection to their app review process. Makes me wonder if Apple will also utilize the system to kill these apps in the wild. As far as I know, they still haven't made use of that yet, instead just pulling impacted apps off the store.
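
A simplified model of the difference the comment describes, added here as an illustration (not Apple's code-signing format and not code from the comment): a SHA-256 manifest stands in for the signed seal, and the bundle name and file paths are constructed. It shows why a check limited to the executable in Contents/MacOS misses files changed or added elsewhere in the bundle.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def seal(bundle):
    """Hash every regular file in the bundle (stand-in for the signed seal)."""
    return {p.relative_to(bundle).as_posix(): sha256(p)
            for p in sorted(bundle.rglob("*")) if p.is_file()}

def check_main_executable_only(bundle, manifest, exe_rel):
    """First-generation style as the comment describes it: one file is checked."""
    return sha256(bundle / exe_rel) == manifest[exe_rel]

def check_every_file(bundle, manifest):
    """Second-generation style: report modified, missing and unsealed files."""
    current = seal(bundle)
    return {
        "modified": sorted(f for f in manifest
                           if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "added": sorted(f for f in current if f not in manifest),
    }

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Example.app"          # constructed bundle
        exe = "Contents/MacOS/Example"
        lib = "Contents/Frameworks/Example.framework/Example"
        for rel, data in ((exe, b"main binary"), (lib, b"library v1")):
            (bundle / rel).parent.mkdir(parents=True, exist_ok=True)
            (bundle / rel).write_bytes(data)
        manifest = seal(bundle)                     # state at "signing" time

        # Changes made outside Contents/MacOS after sealing.
        (bundle / lib).write_bytes(b"library v1 with altered contents")
        extra = bundle / "Contents/Resources/extra.o"
        extra.parent.mkdir(parents=True, exist_ok=True)
        extra.write_bytes(b"file that was never sealed")

        return (check_main_executable_only(bundle, manifest, exe),
                check_every_file(bundle, manifest))

if __name__ == "__main__":
    print(demo())
```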