Malware Injected Into Xcode Projects Could Infiltrate Mac App Store

Last week, we reported on a severe new kind of Mac malware that has been found to infect via Xcode, discovered by security researchers at Trend Micro.

In an exclusive interview with MacRumors, the security researchers behind the discovery, Oleksandr Shatkivskyi and Vlad Felenuik, have provided more information about their research.

iu 2 1

The malware, which is part of the XCSSET family, is "an unusual infection" that is injected into Xcode projects. When the project is built, the malicious code is run. This can lead to "a rabbit hole of malicious payloads," and poses a significant risk to Mac users.

Specifically, the malware was found to be capable of abusing Safari and other browsers to steal data. It can use a vulnerability to read and dump cookies, create backdoors in JavaScript, and in turn modify displayed websites, steal private banking information and passwords, and block password changes. It was also found to be able to steal information from apps such as Evernote, Notes, Skype, Telegram, QQ, and WeChat, take screenshots, upload files to the attacker's specified server, encrypt files, and display a ransom note.

Shatkivskyi and Felenuik told MacRumors that they believe the XCSSET malware will become extremely common among bad actors who seek to exploit Mac systems. The malware is particularly dangerous because verification methods, such as checking hashes, would not identify infection. It was found to be present in projects shared on GitHub. This means that developers who rely on repositories could face a supply-chain attack and be unaware that their project has become infected.

Xcode projects infected with the malware can create maliciously modified applications, unbeknownst to the developers who make the apps, and may then distribute them as trojans. Shatkivskyi and Felenuik believe that the Mac App Store review team will be largely unable to detect apps that contain the XCSSET malware. "As an iOS developer I know how easy it is to fool them and release an app with hidden features," Shatkivskyi said.

Shatkivskyi and Felenuik first approached Apple about the issue as early as December 2019, and they hope that Apple will be decisive and swift in its response to resolving the vulnerability. They suggest that Apple could implement privacy notifications, the likes of which came to iOS 14 and iPadOS 14, to alert Mac users when the malware is active on their systems, in an effort to explicitly alert users to a potential breach.

Shatkivskyi and Felenuik did not have access to a Mac Developer Transition Kit with Apple Silicon for testing, but they believe "there is no doubt that the malware will work" on Macs running Apple Silicon. In spite of the severity of the XCSSET malware, they maintain that macOS is a safe operating system and are optimistic about the future of combating malware.

"Apple have some work to do, but still macOS is the most secure platform available. I am delighted by how Apple stands for privacy. However, I am sure that malware development will get almost impossible in the future. But it has nothing to do with the Mac transition to Apple silicon."

Going forward, the researchers caution Mac users to be alert for unusual activity with permission alerts. Any repeated or suspicious notifications asking for permissions on macOS may be an indication of an infection. Trend Micro encourages users to consider multilayered security solutions.

"In order to stay safe, you have to be somewhat paranoid. Don't allow any app to record your screen. Also, pay attention to what is running on your Mac. I never use any pirated software due to its insecurity, I use only licensed ones," Shatkivskyi said.

The pair continue to actively research other threats to macOS.

Top Rated Comments

cmaier Avatar
22 weeks ago


So much for the 30% cut Apple takes to ensure the App Store is the SAFEST place to download 3rd party apps. ?

Not one person has downloaded an app with this infection. Seems like apple is doing its job.
Score: 18 Votes (Like | Disagree)
macfacts Avatar
22 weeks ago
This is what your 30 percent buys
Score: 12 Votes (Like | Disagree)
rjohnstone Avatar
22 weeks ago


As Microsoft owns github.com, I have every reason to believe this problem will be resolved very quickly.
/s

It's not Microsoft's responsibility to scan and validate every piece code uploaded to GitHub.
It is the responsibility of every developer to inspect and validate any third party code they choose to incorporate into their app.
Score: 11 Votes (Like | Disagree)
ian87w Avatar
22 weeks ago


This is what your 30 percent buys

And people want alternative app stores.... :D
Score: 9 Votes (Like | Disagree)
ouimetnick Avatar
22 weeks ago
So much for the 30% cut Apple takes to ensure the App Store is the SAFEST place to download 3rd party apps. ?
Score: 8 Votes (Like | Disagree)
ArPe Avatar
22 weeks ago
Bit of ignorance on the researcher’s part.

When Apple vets a submitted app they check the application and system logs for behaviour like this.

Jobs already mentioned this process many years ago ‘Developers tell us the app does one thing and we find out it does something else.’

Apps downloaded outside the App Store are risky, especially if they are unsigned.
Score: 8 Votes (Like | Disagree)

Top Stories

Top Stories 44 Feature

Top Stories: 'Thinner and Lighter' MacBook Air, Smaller iPhone 13 Notch, iOS 14.4 Incoming

Saturday January 23, 2021 6:00 am PST by
We continued to hear a lot more about Apple's plans for its Mac lineup this week, including word of a high-end redesigned MacBook Air and the return of an SD card slot as part of the upcoming MacBook Pro redesign. It also sounds like Apple has been working on Face ID for Mac, but it won't be appearing in a redesigned iMac this year as originally planned. This week also saw rumors about the...
magsafecasedangle

Apple Elaborates on Potential for iPhone 12 and MagSafe Accessories to Interfere With Implantable Medical Devices

Saturday January 23, 2021 2:42 pm PST by
Since the launch of iPhone 12 models in October, Apple has acknowledged that the devices may cause electromagnetic interference with medical devices like pacemakers and defibrillators, but the company has now shared additional information. Apple added the following paragraph to a related support document today:Medical devices such as implanted pacemakers and defibrillators might contain...
Flat MacBook Air Feature

Bloomberg: Apple Working on 'Thinner and Lighter' High-End MacBook Air With MagSafe, Could Launch in Second Half of 2021

Friday January 22, 2021 3:34 am PST by
Apple is working on a "thinner and lighter" version of the MacBook Air that the company plans to release during the second half of this year at the earliest or in 2022, according to a new report by well-connected Bloomberg journalist Mark Gurman. It will include Apple's MagSafe charging technology and a next-generation version of the company's in-house Mac processors. Apple has discussed...
2021 mbp sd slot feature2

Bloomberg: Next MacBook Pro to Feature SD Card Reader

Friday January 22, 2021 7:50 am PST by
Last week, reputable analyst Ming-Chi Kuo outlined his expectations for new 14-inch and 16-inch MacBook Pro models later this year, including the return of the MagSafe charging connector, the removal of the Touch Bar, a new flat-edged design, and the return of more ports built into the notebooks for expanded connectivity. A concept of a modern MacBook Pro with an SD card reader Kuo did not...
airpods galaxy buds comparison

Samsung Galaxy Buds Pro vs. Apple AirPods Pro

Friday January 22, 2021 2:34 pm PST by
Samsung in January unveiled new flagship Galaxy S21 smartphones and alongside the new phones, introduced the $200 Galaxy Buds Pro, which are priced at $199 and offer Active Noise Cancellation. Subscribe to the MacRumors YouTube channel for more videos. These new Galaxy Buds Pro are clearly designed to compete with Apple's AirPods Pro, so we thought we'd compare the two sets of earbuds in our...
maxresdefault

Microsoft Touts Surface Pro 7 as 'The Better Choice' Over MacBook Pro in New Ad

Saturday January 23, 2021 11:02 am PST by
Microsoft yesterday shared a new ad on YouTube titled "Microsoft Surface Pro 7: The Better Choice," in which the company compares its tablet computer to Apple's 13-inch M1 MacBook Pro, as spotted by MSPoweruser. The ad highlights the Surface Pro 7's touchscreen and included stylus as opposed to only a "little bar" (the Touch Bar) on the MacBook Pro. Other advantages of the Surface Pro 7...
iOS 15 icon mock banner

iOS 15 Rumored to Drop Support for iPhone 6s and 2016 iPhone SE

Thursday January 21, 2021 11:58 am PST by
Apple's upcoming iOS 15 operating system, which we expect to see unveiled in June, is rumored to be dropping support for a few of Apple's older iPhones. According to French site iPhoneSoft, iOS 15 will not be able to be installed on the iPhone 6s, the iPhone 6s Plus, or the 2016 iPhone SE, all of which have an A9 chip. The iPhone 6s and 6s Plus were introduced in 2015 and are now more...
maxresdefault

Video Demos macOS Catalina Running on iPad Pro via x86 Emulation

Thursday January 21, 2021 11:36 am PST by
A video demonstrating macOS Catalina running on a current 2020 iPad Pro has been shared on YouTube, giving us a look at an interesting hack that has a Mac OS up and working on one of Apple's iPads. There's limited information about how the process of getting macOS Catalina on an iPad Pro works, but it uses x86 emulation and was done through the UTM software that allows virtual machines to...
iPhone 13 Notch Feature

iPhone 13 Rumored to Feature Smaller Notch, Pro Model Cameras to Use Larger Image Sensor

Thursday January 21, 2021 1:38 am PST by
Apple's iPhone 13 series will feature a redesigned Face ID system that will allow for a smaller notch at the top of the screen, according to a new report today. The rumor comes via hit-and-miss Taiwanese industry publication DigiTimes, whose supply chain sources also claim that the ultra wide-angle lens in Apple's next-generation iPhones is due for an upgrade. The next-generation iPhones'...
iOS 14

Apple Seeds iOS 14.4 and iPadOS 14.4 Release Candidate to Developers and Public Beta Testers

Thursday January 21, 2021 10:14 am PST by
Apple today seeded the RC version of upcoming iOS 14.4 and iPadOS 14.4 updates to developers for testing purposes, with the new betas coming a week after Apple released the second betas. iOS 14.4 and iPadOS 14.4 can be downloaded through the Apple Developer Center or over the air after the proper profile has been installed on an iPhone or iPad. Paired with the HomePod 14.4 beta that is...