New malware uses malicious Xcode project to install back-doors on developer Macs

article thumbnail

Security researchers have discovered a new malware that targets Xcode developers by using the coding platform's scripting features to install a backdoor onto affected machines.

The malware, dubbed XcodeSpy, affects the Xcode integrated development environment (IDE) on macOS. Xcode is used by Apple developers to create App Store apps for iPhone, Mac, and other devices.

According to researchers at SentinelLabs, bad actors are exploiting the Run Script feature in the IDE to infect Apple Developers using shared Xcode projects.

The so-called "trojanized Xcode project" is currently infected iOS developers in the wild, the researchers said. It's a doctored version of a legitimate project available on GitHub that offers iOS developers advanced features for animating the iOS Tab Bar.

Once the malicious Xcode project is downloaded and launched, it installs a custom variant of the EggShell backdoor with a persistence mechanism. Researchers say that the backdoor could allow an attacker to upload or download files and record a victim's microphone, camera, and keyboard.

As mentioned earlier, the attack relies on the Run Script capability in Xcode. The feature allows developers to run a custom shell script on launching an instance of their application. It's obfuscated because there's no indication in the console or debugger that a malicious script has been executed.

SentinelOne says it has knowledge of at least one case in a U.S. organization. The campaign was reportedly in effect between July and October 2020, and may also have targeted developers in Asia. The researchers say they're unaware of other malicious Xcode projects in the wild and cannot gauge whether it's a major problem. However, there are some indications that other trojanized Xcode projects may exist.

"By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers," SentinelOne wrote in a blog post.

The original version of the iOS Tab Bar project, dubbed TabBarInteraction, has not been tampered with and is safe to download from GitHub, the researchers added.

Who's at risk and how to protect yourself

SentinelOne says that all Apple developers should be wary of third-party Xcode projects. The team added that new or inexperienced developers who may not be aware of the Run Script feature are especially vulnerable. It's recommended that all Apple developers practice caution and check for malicious Run Scripts when using third-party Xcode Project.

Developers should inspect individual projects for malicious Run Scripts in the Build Phases tab. SentinelOne has more information on detecting and mitigating the threat.