A number of Xcode projects have been found to contain malware that can attack Safari and other browsers, security researchers have revealed, with the discovery of XCSSET malware making its way into Mac software projects through largely unknown means.
Researchers at Trend Micro discovered what the company describes as "an unusual infection related to Xcode developer projects," where malware would incorporate itself into the project itself. The malware was found to have multiple payload possibilities, and though it poses a potential risk to end users using software developed via Apple's IDE, it actually seems to be a bigger issue for the developers themselves.
The malware, which is part of the XCSSET family, was found to incorporate files that suggested it would enable a "command and control" of a target system, namely that it would allow the attacker using the malware to take control of the infected Mac. This can allow for a wide variety of actions to be performed on infected systems, including acquiring personal data and performing a ransomware-style attack involving encryption.
The team suggests the unusual nature of the malware is from how it is being distributed, namely that it is being "injected into local Xcode projects so that when the project is built, the malicious code is run." It is unclear exactly how the code is being injected into the project at this time.
For developers who rely on collaborating with others, Trend Micro suggests the threat is worse when taking into account projects being shared via GitHub and other code repositories, as this could lead to "a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects."
After being installed, the malware is able to attack Safari and other browsers on the Mac to acquire useful user data. Zero-day vulnerabilities discovered include an issue with Data Vault that bypasses macOS' System Integrity Protection feature, as well as in Safari for WebKit Development that creates a fake Safari app that runs instead of the legitimate version.
So far, the malware has only been found in two Xcode projects in research so far, with the projects thought not to be widely used by other developers, severely limiting the impact. A list of 380 victim IP addresses were collected by malware authors, with the vast bulk of infections made up of Macs in China and India.
Trend Micro recommends that project owners "continue to triple-check the integrity of their projects in order to definitely nip unwarranted problems such as a malware infection in the future."