Malware Injected Into Xcode Projects Could Infiltrate Mac App Store

Last week, we reported on a severe new kind of Mac malware, discovered by security researchers at Trend Micro, that infects via Xcode.

In an exclusive interview with MacRumors, the security researchers behind the discovery, Oleksandr Shatkivskyi and Vlad Felenuik, have provided more information about their research.


The malware, which is part of the XCSSET family, is "an unusual infection" that is injected into Xcode projects. When the project is built, the malicious code is run. This can lead to "a rabbit hole of malicious payloads," and poses a significant risk to Mac users.

Specifically, the malware was found to be capable of abusing Safari and other browsers to steal data. It can use a vulnerability to read and dump cookies, create backdoors in JavaScript, and in turn modify displayed websites, steal private banking information and passwords, and block password changes. It was also found to be able to steal information from apps such as Evernote, Notes, Skype, Telegram, QQ, and WeChat, take screenshots, upload files to the attacker's specified server, encrypt files, and display a ransom note.

Shatkivskyi and Felenuik told MacRumors that they believe the XCSSET malware will become extremely common among bad actors who seek to exploit Mac systems. The malware is particularly dangerous because verification methods, such as checking hashes, would not identify infection. It was found to be present in projects shared on GitHub. This means that developers who rely on repositories could face a supply-chain attack and be unaware that their project has become infected.
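Because the injected code runs when the project is built, one practical review step for a project pulled from a repository is to list every shell script the build will execute. The following is an added example, not code from the article or from Trend Micro: it parses the text form of `project.pbxproj`, and the review hints and the sample project are constructed assumptions, not published XCSSET indicators.

```python
import re
import sys

# One PBXShellScriptBuildPhase object in the text (OpenStep plist) form of project.pbxproj.
PHASE_RE = re.compile(
    r'(?P<id>\w+)\s*(?:/\*\s*(?P<label>[^*\n]*?)\s*\*/)?\s*=\s*\{\s*'
    r'isa\s*=\s*PBXShellScriptBuildPhase;(?P<body>.*?)\n\s*\};', re.DOTALL)
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"(?P<src>(?:[^"\\]|\\.)*)";', re.DOTALL)

# Generic review prompts: assumptions for this example, not published XCSSET indicators.
REVIEW_HINTS = {
    "hidden path": re.compile(r'(?:^|[\s/"\'])\.[A-Za-z0-9_]'),
    "network fetch": re.compile(r'\b(?:curl|wget)\b'),
    "decode-and-run": re.compile(r'base64\s+(?:-d|-D|--decode)|\beval\b'),
}

def unescape(s):
    # Undo pbxproj string escaping: \n and \t become control characters, \" and \\ lose the backslash.
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s, flags=re.DOTALL)

def audit_pbxproj(text):
    """Return one record per build-time shell script phase, with any review hints."""
    findings = []
    for m in PHASE_RE.finditer(text):
        s = SCRIPT_RE.search(m.group("body"))
        src = unescape(s.group("src")) if s else ""
        hints = sorted(k for k, rx in REVIEW_HINTS.items() if rx.search(src))
        findings.append({"id": m.group("id"), "label": m.group("label") or "",
                         "script": src, "hints": hints})
    return findings

# Constructed sample: one ordinary lint phase and one phase that deserves a closer look.
SAMPLE = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA00000000000000000000A1 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "swiftlint lint --quiet\n";
		};
		AA00000000000000000000A2 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "sh \"${SRCROOT}/.hidden/run.sh\"\n";
		};
'''

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for f in audit_pbxproj(text):
        print(f["id"], f["label"], f["hints"] or "no hints", repr(f["script"][:80]))
```

Script phases are only one place where a project can run code at build time; build rules and scheme pre- and post-actions also execute scripts and are not covered by this example.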

Xcode projects infected with the malware can create maliciously modified applications, unbeknownst to the developers who make the apps, and may then distribute them as trojans. Shatkivskyi and Felenuik believe that the Mac App Store review team will be largely unable to detect apps that contain the XCSSET malware. "As an iOS developer I know how easy it is to fool them and release an app with hidden features," Shatkivskyi said.

Shatkivskyi and Felenuik first approached Apple about the issue as early as December 2019, and they hope that Apple will be decisive and swift in resolving the vulnerability. They suggest that Apple could implement privacy notifications, like those that came to iOS 14 and iPadOS 14, to explicitly alert Mac users to a potential breach when the malware is active on their systems.

Shatkivskyi and Felenuik did not have access to a Mac Developer Transition Kit with Apple Silicon for testing, but they believe "there is no doubt that the malware will work" on Macs running Apple Silicon. In spite of the severity of the XCSSET malware, they maintain that macOS is a safe operating system and are optimistic about the future of combating malware.

"Apple have some work to do, but still macOS is the most secure platform available. I am delighted by how Apple stands for privacy. However, I am sure that malware development will get almost impossible in the future. But it has nothing to do with the Mac transition to Apple silicon."

Going forward, the researchers caution Mac users to be alert for unusual activity with permission alerts. Any repeated or suspicious notifications asking for permissions on macOS may be an indication of an infection. Trend Micro encourages users to consider multilayered security solutions.

"In order to stay safe, you have to be somewhat paranoid. Don't allow any app to record your screen. Also, pay attention to what is running on your Mac. I never use any pirated software due to its insecurity, I use only licensed ones," Shatkivskyi said.

The pair continue to actively research other threats to macOS.

Top Rated Comments

cmaier
17 months ago

So much for the 30% cut Apple takes to ensure the App Store is the SAFEST place to download 3rd party apps. ?
Not one person has downloaded an app with this infection. Seems like Apple is doing its job.
Score: 18 Votes
macfacts
17 months ago
This is what your 30 percent buys
Score: 12 Votes
rjohnstone
17 months ago

As Microsoft owns github.com, I have every reason to believe this problem will be resolved very quickly.
/s
It's not Microsoft's responsibility to scan and validate every piece of code uploaded to GitHub.
It is the responsibility of every developer to inspect and validate any third party code they choose to incorporate into their app.
Score: 11 Votes
ian87w
17 months ago

This is what your 30 percent buys
And people want alternative app stores.... :D
Score: 9 Votes
ouimetnick
17 months ago
So much for the 30% cut Apple takes to ensure the App Store is the SAFEST place to download 3rd party apps. ?
Score: 8 Votes
ArPe
17 months ago
Bit of ignorance on the researcher’s part.

When Apple vets a submitted app they check the application and system logs for behaviour like this.

Jobs already mentioned this process many years ago ‘Developers tell us the app does one thing and we find out it does something else.’

Apps downloaded outside the App Store are risky, especially if they are unsigned.
Score: 8 Votes
