Malware Injected Into Xcode Projects Could Infiltrate Mac App Store

Last week, we reported on a severe new kind of Mac malware that has been found to infect via Xcode, discovered by security researchers at Trend Micro.

In an exclusive interview with MacRumors, the security researchers behind the discovery, Oleksandr Shatkivskyi and Vlad Felenuik, have provided more information about their research.

iu 2 1

The malware, which is part of the XCSSET family, is "an unusual infection" that is injected into Xcode projects. When the project is built, the malicious code is run. This can lead to "a rabbit hole of malicious payloads," and poses a significant risk to Mac users.

Specifically, the malware was found to be capable of abusing Safari and other browsers to steal data. It can use a vulnerability to read and dump cookies, create backdoors in JavaScript, and in turn modify displayed websites, steal private banking information and passwords, and block password changes. It was also found to be able to steal information from apps such as Evernote, Notes, Skype, Telegram, QQ, and WeChat, take screenshots, upload files to the attacker's specified server, encrypt files, and display a ransom note.

Shatkivskyi and Felenuik told MacRumors that they believe the XCSSET malware will become extremely common among bad actors who seek to exploit Mac systems. The malware is particularly dangerous because verification methods, such as checking hashes, would not identify infection. It was found to be present in projects shared on GitHub. This means that developers who rely on repositories could face a supply-chain attack and be unaware that their project has become infected.

Xcode projects infected with the malware can create maliciously modified applications, unbeknownst to the developers who make the apps, and may then distribute them as trojans. Shatkivskyi and Felenuik believe that the Mac App Store review team will be largely unable to detect apps that contain the XCSSET malware. "As an iOS developer I know how easy it is to fool them and release an app with hidden features," Shatkivskyi said.

Shatkivskyi and Felenuik first approached Apple about the issue as early as December 2019, and they hope that Apple will be decisive and swift in its response to resolving the vulnerability. They suggest that Apple could implement privacy notifications, the likes of which came to iOS 14 and iPadOS 14, to alert Mac users when the malware is active on their systems, in an effort to explicitly alert users to a potential breach.

Shatkivskyi and Felenuik did not have access to a Mac Developer Transition Kit with Apple Silicon for testing, but they believe "there is no doubt that the malware will work" on Macs running Apple Silicon. In spite of the severity of the XCSSET malware, they maintain that macOS is a safe operating system and are optimistic about the future of combating malware.

"Apple have some work to do, but still macOS is the most secure platform available. I am delighted by how Apple stands for privacy. However, I am sure that malware development will get almost impossible in the future. But it has nothing to do with the Mac transition to Apple silicon."

Going forward, the researchers caution Mac users to be alert for unusual activity with permission alerts. Any repeated or suspicious notifications asking for permissions on macOS may be an indication of an infection. Trend Micro encourages users to consider multilayered security solutions.

"In order to stay safe, you have to be somewhat paranoid. Don't allow any app to record your screen. Also, pay attention to what is running on your Mac. I never use any pirated software due to its insecurity, I use only licensed ones," Shatkivskyi said.

The pair continue to actively research other threats to macOS.

Popular Stories

iPhone 17 Pro in Hand Feature Lowgo

iPhone 17 Pro to Reverse iPhone X Design Decision

Monday July 7, 2025 9:46 am PDT by
Since the iPhone X in 2017, all of Apple's highest-end iPhone models have featured either stainless steel or titanium frames, but it has now been rumored that this design decision will be coming to an end with the iPhone 17 Pro models later this year. In a post on Chinese social media platform Weibo today, the account Instant Digital said that the iPhone 17 Pro models will have an aluminum...
iOS 26 Feature

Everything New in iOS 26 Beta 3

Monday July 7, 2025 1:20 pm PDT by
Apple is continuing to refine and update iOS 26, and beta three features smaller changes than we saw in beta 2, plus further tweaks to the Liquid Glass design. Apple is gearing up for the next phase of beta testing, and the company has promised that a public beta is set to come out in July. Transparency In some apps like Apple Music, Podcasts, and the App Store, Apple has toned down the...
apple wallet drivers license feature iPhone 15 pro

Apple Says iPhone Driver's Licenses Will Expand to These 8 U.S. States

Tuesday July 8, 2025 11:26 am PDT by
In select U.S. states, residents can add their driver's license or state ID to the Wallet app on the iPhone and Apple Watch, providing a convenient and contactless way to display proof of identity or age at select airports and businesses, and in select apps. Unfortunately, this feature continues to roll out very slowly since it was announced in 2021, with only nine U.S. states, Puerto Rico,...
iphone 16 pro ghost hand

5 Reasons to Skip This Year's iPhone 17 Pro

Thursday July 10, 2025 4:54 am PDT by
Apple will launch its new iPhone 17 series in two months, and the iPhone 17 Pro models are expected to get a new design for the rear casing and the camera area. But more significant changes to the lineup are not expected until next year, when the iPhone 18 models arrive. If you're thinking of trading in your iPhone for this year's latest, consider the following features rumored to be coming...
apple account card feature

Apple Account Card Expanding to More Countries

Tuesday July 8, 2025 7:34 pm PDT by
Apple is expanding the ability to add an Apple Account Card to the Wallet app to more countries, according to backend Apple Pay changes. With iOS 15.5, Apple updated the Wallet app to allow users to add an Apple Account Card, which displays the Apple credit balance associated with an Apple ID. If you receive an Apple gift card, for example, it is added to an Apple Account that is also...
iPhone 17 Pro in Hand Feature Lowgo

Leaker Reveals Amount of RAM in iPhone 17 Through iPhone 17 Pro Max

Wednesday July 9, 2025 8:08 am PDT by
Three out of four iPhone 17 models will feature more RAM than the equivalent iPhone 16 models, according to a new leak that aligns with previous rumors. The all-new iPhone 17 Air, the iPhone 17 Pro, and the iPhone 17 Pro Max will each be equipped with 12GB of RAM, according to Fixed Focus Digital, an account with more than two million followers on Chinese social media platform Weibo. The...
iphone 16 pro models 1

Here's How the iPhone 17 Pro Max Will Compare to the iPhone 17 Pro

Saturday July 5, 2025 1:00 pm PDT by
Apple should unveil the iPhone 17 series in September, and there might be one bigger difference between the Pro and Pro Max models this year. As always, the Pro Max model will be larger than the Pro model:iPhone 17 Pro: 6.3-inch display iPhone 17 Pro Max: 6.9-inch displayGiven the Pro Max is physically larger than the Pro, it has more internal space, allowing for a larger battery and...
imac video apple feature

Apple Launching These 15+ Products Later This Year

Sunday July 6, 2025 8:05 am PDT by
The calendar has turned to July, meaning that 2025 is now more than half over. And while the summer months are often quiet for Apple, the company still has more than a dozen products coming later this year, according to rumors. Below, we have outlined at least 15 new Apple products that are expected to launch later this year, along with key rumored features for each. iPhone 17 Series iPho...

Top Rated Comments

cmaier Avatar
64 months ago

So much for the 30% cut Apple takes to ensure the App Store is the SAFEST place to download 3rd party apps. ?
Not one person has downloaded an app with this infection. Seems like apple is doing its job.
Score: 18 Votes (Like | Disagree)
macfacts Avatar
64 months ago
This is what your 30 percent buys
Score: 12 Votes (Like | Disagree)
rjohnstone Avatar
64 months ago

As Microsoft owns github.com, I have every reason to believe this problem will be resolved very quickly.
/s
It's not Microsoft's responsibility to scan and validate every piece code uploaded to GitHub.
It is the responsibility of every developer to inspect and validate any third party code they choose to incorporate into their app.
Score: 11 Votes (Like | Disagree)
ian87w Avatar
64 months ago

This is what your 30 percent buys
And people want alternative app stores.... :D
Score: 9 Votes (Like | Disagree)
ouimetnick Avatar
64 months ago
So much for the 30% cut Apple takes to ensure the App Store is the SAFEST place to download 3rd party apps. ?
Score: 8 Votes (Like | Disagree)
ArPe Avatar
64 months ago
Bit of ignorance on the researcher’s part.

When Apple vets a submitted app they check the application and system logs for behaviour like this.

Jobs already mentioned this process many years ago ‘Developers tell us the app does one thing and we find out it does something else.’

Apps downloaded outside the App Store are risky, especially if they are unsigned.
Score: 8 Votes (Like | Disagree)