Malware Injected Into Xcode Projects Could Infiltrate Mac App Store

Last week, we reported on a severe new kind of Mac malware that has been found to infect via Xcode, discovered by security researchers at Trend Micro.

In an exclusive interview with MacRumors, the security researchers behind the discovery, Oleksandr Shatkivskyi and Vlad Felenuik, have provided more information about their research.

iu 2 1

The malware, which is part of the XCSSET family, is "an unusual infection" that is injected into Xcode projects. When the project is built, the malicious code is run. This can lead to "a rabbit hole of malicious payloads," and poses a significant risk to Mac users.

Specifically, the malware was found to be capable of abusing Safari and other browsers to steal data. It can use a vulnerability to read and dump cookies, create backdoors in JavaScript, and in turn modify displayed websites, steal private banking information and passwords, and block password changes. It was also found to be able to steal information from apps such as Evernote, Notes, Skype, Telegram, QQ, and WeChat, take screenshots, upload files to the attacker's specified server, encrypt files, and display a ransom note.

Shatkivskyi and Felenuik told MacRumors that they believe the XCSSET malware will become extremely common among bad actors who seek to exploit Mac systems. The malware is particularly dangerous because verification methods, such as checking hashes, would not identify infection. It was found to be present in projects shared on GitHub. This means that developers who rely on repositories could face a supply-chain attack and be unaware that their project has become infected.

Xcode projects infected with the malware can create maliciously modified applications, unbeknownst to the developers who make the apps, and may then distribute them as trojans. Shatkivskyi and Felenuik believe that the Mac App Store review team will be largely unable to detect apps that contain the XCSSET malware. "As an iOS developer I know how easy it is to fool them and release an app with hidden features," Shatkivskyi said.

Shatkivskyi and Felenuik first approached Apple about the issue as early as December 2019, and they hope that Apple will be decisive and swift in its response to resolving the vulnerability. They suggest that Apple could implement privacy notifications, the likes of which came to iOS 14 and iPadOS 14, to alert Mac users when the malware is active on their systems, in an effort to explicitly alert users to a potential breach.

Shatkivskyi and Felenuik did not have access to a Mac Developer Transition Kit with Apple Silicon for testing, but they believe "there is no doubt that the malware will work" on Macs running Apple Silicon. In spite of the severity of the XCSSET malware, they maintain that macOS is a safe operating system and are optimistic about the future of combating malware.

"Apple have some work to do, but still macOS is the most secure platform available. I am delighted by how Apple stands for privacy. However, I am sure that malware development will get almost impossible in the future. But it has nothing to do with the Mac transition to Apple silicon."

Going forward, the researchers caution Mac users to be alert for unusual activity with permission alerts. Any repeated or suspicious notifications asking for permissions on macOS may be an indication of an infection. Trend Micro encourages users to consider multilayered security solutions.

"In order to stay safe, you have to be somewhat paranoid. Don't allow any app to record your screen. Also, pay attention to what is running on your Mac. I never use any pirated software due to its insecurity, I use only licensed ones," Shatkivskyi said.

The pair continue to actively research other threats to macOS.

Top Rated Comments

cmaier Avatar
12 months ago

So much for the 30% cut Apple takes to ensure the App Store is the SAFEST place to download 3rd party apps. ?
Not one person has downloaded an app with this infection. Seems like apple is doing its job.
Score: 18 Votes (Like | Disagree)
macfacts Avatar
12 months ago
This is what your 30 percent buys
Score: 12 Votes (Like | Disagree)
rjohnstone Avatar
12 months ago

As Microsoft owns github.com, I have every reason to believe this problem will be resolved very quickly.
/s
It's not Microsoft's responsibility to scan and validate every piece code uploaded to GitHub.
It is the responsibility of every developer to inspect and validate any third party code they choose to incorporate into their app.
Score: 11 Votes (Like | Disagree)
ian87w Avatar
12 months ago

This is what your 30 percent buys
And people want alternative app stores.... :D
Score: 9 Votes (Like | Disagree)
ouimetnick Avatar
12 months ago
So much for the 30% cut Apple takes to ensure the App Store is the SAFEST place to download 3rd party apps. ?
Score: 8 Votes (Like | Disagree)
ArPe Avatar
12 months ago
Bit of ignorance on the researcher’s part.

When Apple vets a submitted app they check the application and system logs for behaviour like this.

Jobs already mentioned this process many years ago ‘Developers tell us the app does one thing and we find out it does something else.’

Apps downloaded outside the App Store are risky, especially if they are unsigned.
Score: 8 Votes (Like | Disagree)

Top Stories

Flat 2021 MacBook Pro Mockup Feature

Unreleased Apple Macs and Apple Watches Listed in Eurasian Database Ahead of Fall Product Launches

Monday August 2, 2021 9:34 am PDT by
Apple is preparing for a slew of fall product launches according to new filings that showed up today in the Eurasian Economic Commission database. There are listings for new Mac and Apple Watch models, all of which have previously unknown model identifiers that indicate that they're upcoming devices. There are six new Apple Watch identifiers, including A2473, A2474, A2475, A2476, A2477, and...
ifixit iphone12 mini

Apple to Make Space for Larger Batteries in iPhones, iPads, and MacBooks By Adopting Slimmer Peripheral Chips

Monday August 2, 2021 2:12 am PDT by
For future iPhones, iPads, and MacBooks, Apple plans to use smaller internal components in an effort to increase the size of the device's battery, according to DigiTimes. Image Credit: iFixit Specifically, Apple plans to "significantly increase the adoption" of IPDs or integrated passive devices for the peripheral chips in its products. These news chips will be slimmer in size and allow for...
Apple Watch 7 Unreleased Feature

Apple Watch Series 7 to Focus on One Major Upgrade

Wednesday August 4, 2021 2:12 am PDT by
The upcoming Apple Watch Series 7 will focus on one important feature in an attempt to tempt existing Apple Watch users that have an older device to upgrade, according to recent reports. Apple may skip adding new health sensors to this year's Apple Watch Series 7 in favor of improving the device's battery life. The company is said to be adopting new double-sided System in Package (SiP)...
magic keyboard touch id

Apple Makes Magic Keyboard With Touch ID Available for Separate Purchase

Tuesday August 3, 2021 5:22 am PDT by
Apple has made the Magic Keyboard with Touch ID, which previously was only available with the purchase of the new 24-inch iMac, available for purchase individually for $149. Apple also retails the Magic Keyboard with Touch ID and a numeric keypad for $179. A standard Magic Keyboard without Touch ID or a numeric keypad is available for $99, and a new Magic Trackpad for $129. One major...
iPhone 13 Wi Fi 6E feature update

Wi-Fi 6E Explained: What It Could Mean for iPhone 13 and Beyond

Monday August 2, 2021 8:00 am PDT by
The iPhone 13 is widely expected to come with Wi-Fi 6E capabilities, and while it may seem rather nuanced to the average consumer, with only improved speeds and being "up to date" in the realm of Wi-Fi technology, it's actually a fairly significant improvement, laying the groundwork for much of what we know the future holds. To truly understand Wi-Fi 6E, MacRumors sat down for an exclusive...
applestoredown

Apple's Online Store Temporarily Down [Update: Back Up]

Tuesday August 3, 2021 4:01 pm PDT by
Apple's online Apple Store is down at the current time, and attempting to access it to make a purchase gives the standard "Be Right Back" message. Given that it's a Tuesday night/afternoon in the United States and we're not expecting any new products this week, it's likely that this is a temporary maintenance outage that is not related to a new product release. The Apple Store app is also...
themorningshowcarrell

Apple Decided Not to Buy Reese Witherspoon's 'Hello Sunshine' Media Company

Monday August 2, 2021 2:02 pm PDT by
Reese Witherspoon's media company "Hello Sunshine" recently courted various buyers, and while Apple was one of parties interested in buying Hello Sunshine, the Cupertino company did not end up going through with the purchase. Hello Sunshine was valued at around $900 million thanks to its involvement in popular series like The Morning Show," "Big Little Lies," and "Little Fires Everywhere,"...
iPhone 13 Dummy Thumbnail 2

Apple Brings China's Luxshare Precision into iPhone 13 Supply Chain to Meet Production Targets

Wednesday August 4, 2021 12:19 am PDT by
Apple is tapping more Chinese suppliers as it seeks to meet ambitious targets for iPhone 13 production, according to a new report by Nikkei Asia. Apple is set to produce between 90 million and 95 million iPhones through January, according to a previous Nikkei report, and China's Luxshare Precision Industry has won 3% of orders away from Taiwanese rivals Foxconn and Pegatron. Luxshare will...
mac pro new graphics

Apple Introduces New High-End Graphics Options for Mac Pro

Tuesday August 3, 2021 7:34 am PDT by
Apple today began offering new high-end graphics upgrade options for both the tower and rack versions of the Mac Pro desktop computer. This comes on the same day that Apple started selling the Magic Keyboard with Touch ID on a standalone basis. As noted by CNN Underscored's Jake Krol, the Mac Pro can now be configured with new AMD Radeon Pro W6800X, W6800X Duo, or W6900X graphics when...
General Apps Messages

Android iMessage Competitor Puts Pressure on Apple

Friday July 30, 2021 3:15 am PDT by
Google and the three major U.S. carriers, including Verizon, AT&T, and T-Mobile, will all support a new communications protocol on Android smartphones starting in 2022, a move that puts pressure on Apple to adopt a new cross-platform messaging standard and may present a challenge to iMessage. Verizon recently announced that it is planning to adopt Messages by Google as its default messaging...