New Mac Malware Found to Infect via Xcode

Security researchers at Trend Micro have discovered a new kind of Mac malware which can "command and control" a target system.

xcode 6

The researchers described the malware, which is part of the XCSSET family, as "an unusual infection related to Xcode developer projects." The malware is unusual because it is injected into Xcode projects, and when the project is built, the malicious code is run. A developer's Xcode project was found to be able to contain the malware, which "leads to a rabbit hole of malicious payloads."

The discovery poses a significant risk for Xcode developers. Trend Micro identified developers affected by the malware who share their projects via GitHub, leading to a potential supply-chain attack for users who rely on repositories for their own projects. Google's VirusTotal scanning software managed to identify the malware, which indicates the threat is at large.

The malware spreads via infected Xcode projects because it can create maliciously modified applications. Specifically, the malware was found to be capable of abusing Safari and other browsers to steal data. It can use a vulnerability to read and dump cookies, create backdoors in Javascript, and in turn modify displayed websites, steal private banking information, block password changes, and steal newly modified passwords. It was also found to be able to steal information from apps such as Evernote, Notes, Skype, Telegram, QQ, and WeChat, take screenshots, upload files to the attacker's specified server, encrypt files, and display a ransom note.

Affected developers may unwittingly distribute the trojan to their users in the form of compromized Xcode projects and built applications. The malware is particularly dangerous because verification methods, such as checking hashes, would not identify infection as the developers would be unaware that they are distributing malicious files.

To protect against this type of threat, Trend Micro encourages users to only download apps from official marketplaces and consider multilayered security solutions.

Top Rated Comments

foobarbaz Avatar
16 months ago
If only there was the technology to prevent this spread. Perhaps something similar to containing a bunch of sand in some kind of box-shaped enclosure.
Score: 15 Votes (Like | Disagree)
russell_314 Avatar
16 months ago
This is why we can’t have nice things ?
Score: 11 Votes (Like | Disagree)
farewelwilliams Avatar
16 months ago
Now imagine if the malware made it into a Mac App Store app.

This is why we notarize our Mac apps.
Score: 7 Votes (Like | Disagree)
lostngone Avatar
16 months ago
Good thing I never migrated to Xcode... CodeWarrior Pro 4 is the only way to compile!
Score: 6 Votes (Like | Disagree)
Scottsoapbox Avatar
16 months ago
Can't blame the non-tech savy people for this one.
Score: 6 Votes (Like | Disagree)
PsykX Avatar
16 months ago

Pulling an Xcode project file from github and running it through Xcode without examining it first sounds kind of risky in the first place.
I understand your suggestion, but it is an impossible thing to do.

Sure, I can have a look at the initial code, but I rely on Swift Packages a lot. Xcode is configured to update Swift Packages to the latest minor revisions by default, and it happens on project opening. If one of my framework dependencies suddenly becomes infected, I will never know.

--

Apple has the biggest homework to do here, but they will probably work in partnership with GitHub, GitLab, etc. to identify the malicious files, if they all look alike it will be easy for them to delete them.
Score: 5 Votes (Like | Disagree)

Related Stories

studio buds family

Beats Studio Buds Debuting Today With Active Noise Cancellation, Stemless Design, and More for $150

Monday June 14, 2021 8:00 am PDT by
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99. The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
youtube apple tv

YouTube Discontinuing 3rd-Generation Apple TV App, AirPlay Still Available

Wednesday February 3, 2021 3:09 pm PST by
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option. A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
iPhone 13 Dummy Thumbnail 2

Kuo: iPhone 13 to Feature LEO Satellite Communications to Make Calls and Texts Without Cellular Coverage

Sunday August 29, 2021 7:39 am PDT by
The iPhone 13 will feature low earth orbit (LEO) satellite communication connectivity to allow users to make calls and send messages in areas without 4G or 5G coverage, according to the reliable analyst Ming-Chi Kuo. In a note to investors, seen by MacRumors, Kuo explained that the iPhone 13 lineup will feature hardware that is able to connect to LEO satellites. If enabled with the relevant...
YouTube Picture in Picture Feature

YouTube Premium Subscribers Can Now Use iOS Picture-in-Picture: Here's How

Wednesday August 25, 2021 3:55 am PDT by
Google has rolled out picture-in-picture support as an "experimental" feature for YouTube premium subscribers, allowing them to watch video in a small window when the app is closed. If you're a premium YouTube subscriber looking to try out picture-in-picture, follow these steps: Launch a web browser and sign into your YouTube account at YouTube.com. Navigate to www.youtube.com/new. Scroll...
os x mountain lion macs 16x9 2

Apple Makes OS X Lion and Mountain Lion Free to Download

Wednesday June 30, 2021 12:19 pm PDT by
Apple recently dropped the $19.99 fee for OS X Lion and Mountain Lion, making the older Mac updates free to download, reports Macworld. Apple has kept OS X 10.7 Lion and OS X 10.8 Mountain Lion available for customers who have machines limited to the older software, but until recently, Apple was charging $19.99 to get download codes for the updates. As of last week, these updates no...
tim cook spring loaded event

Gurman: Apple Planning Multiple Events for the Fall, M1X MacBook Pros to be Available by November

Sunday August 15, 2021 12:07 pm PDT by
Apple is planning to hold multiple events this fall, which will collectively include the launch of new iPhones, Apple Watches, updated AirPods, revamped iPad mini, and the redesigned MacBook Pros, according to respected Bloomberg journalist Mark Gurman. In his latest weekly Power On newsletter, Gurman says that much like last year, Apple will hold multiple events this coming fall, with the...
apple screen time screen icons

Persistent Kids Finding Loopholes in Apple's Screen Time Limits

Tuesday October 15, 2019 9:44 am PDT by
Apple is currently engaged in a cat-and-mouse game with persistent kids looking to circumvent Screen Time restrictions, but the company has been receiving some criticism for not moving quickly enough to lock down some of the loopholes, reports The Washington Post. A few of the loopholes and ways for parents to shut them down are documented on the site Protect Young Eyes, while these and...
anker lightning cable mfi

Unwrap a New Apple Device? Stock Up on Extra Certified Lightning Cables for as Little as $6

Monday December 25, 2017 5:45 am PST by
If you unwrapped an Apple product today it likely came with one of the company's first-party Lightning cables, but having an extra on hand is always a good idea, so you can place it in other rooms in your house, in your car, or in a bag when you travel. For that reason, now's a good time to shop for third-party Lightning cables that are cheaper than Apple's own accessory, but still Made For...
personal hotspot 1

Apple Acknowledges Personal Hotspot Issues Affecting Some iOS 13 and iPadOS 13 Users

Saturday March 21, 2020 10:04 am PDT by
In an internal document distributed to Apple Authorized Service Providers this week, obtained by MacRumors, Apple has acknowledged that some iOS 13 or iPadOS 13 users may experience issues with Personal Hotspot. Apple has told Authorized Service Providers to expect customers who are unable to connect to a Personal Hotspot or experience frequent disconnection from one. Customers may also...
macos monterey safari beta 3

macOS Monterey Beta 3: Apple Redesigns Safari Tab Interface Following Complaints

Wednesday July 14, 2021 11:39 am PDT by
In the third developer beta of macOS Monterey, which came out this morning, Apple has overhauled the design of Safari, making the tab bar more similar to the current tab bar in macOS Big Sur. The prior Safari design did away with the dedicated URL and search interface, instead allowing any individual tab to be used for navigation input. Tabs were also all arranged at the top of the display...