Security Researchers Discover XcodeSpy Malware That Targets Developers

Developers need to look out for "XcodeSpy," a malicious Xcode project that installs a custom variant of the "EggShell" backdoor on a macOS computer, according to new research shared today by SentinelOne (via Ars Technica).

iu 2 1
Xcode is software designed for developers who want to write apps for the iOS and macOS platforms, and the malicious project that's circulating mirrors TabBarInteraction, a legitimate open source project.

Developers who download the XcodeSpy project think they're getting TabBarInteraction, but the malware includes a hidden "run Script" executable that downloads and installs the EggShell open source back door that's able to spy on users through the microphone, camera, and keyboard as well as upload and download files.

Two variants of the custom EggShell attack were found to be uploaded in Japan, first in August and then in October, so this is an attack that's been out in the wild for some time.

We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggest that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.

SentinelOne says that all Apple Developers that use Xcode should exercise caution when using shared Xcode projects.

Tag: Xcode

Popular Stories

sonny iphone 16 pro colors

New iPhone 16 and iPhone 16 Pro Colors Revealed Ahead of Apple Event

Friday September 6, 2024 5:01 am PDT by
Apple is "shaking up its color palette" for its iPhone 16 lineup this year, according to well-connected Bloomberg reporter Mark Gurman. Early iPhone 16 Pro dummy models via Sonny Dickson According to Gurman, the iPhone 16 Pro models will come in a Gold Titanium to replace Blue Titanium, while the Black, White, and Natural Titanium options that debuted with the iPhone 15 Pro will remain...
Generic iOS 18 Feature Real Mock

iOS 18 Coming Later This Month With These 8 New Features

Tuesday September 3, 2024 12:07 pm PDT by
iOS 18 has been in beta testing for nearly three months, and the software update will finally be released for all compatible iPhones soon. Apple should reveal iOS 18's exact release date during its September 9 event, with the most likely possibility being Monday, September 16. Below, we have highlighted eight key new features included in iOS 18. Note that Apple Intelligence is not coming...
iPhone 16 Pro Mock Article

How Much Will the iPhone 16 Cost?

Friday September 6, 2024 5:43 am PDT by
Apple's next-generation iPhone 16 series is expected to launch on September 20 and will compete in a quickly evolving smartphone market, and with some notable upgrades rumored, the new models could see price changes compared to previous years. Successive iPhone models always come with new features and hardware upgrades, but Apple typically does not increase the retail prices as a result....
its glowtime event youtube

Report Details Last-Minute Apple Event Rumors About New iPhones, Apple Watches, and AirPods

Friday September 6, 2024 4:40 am PDT by
Bloomberg's Mark Gurman today shared his final expectations for Apple's "It's Glowtime" event, providing some new tidbits and clarifications about the new devices set to be announced on Monday. iPhone 16 Pro Along with larger 6.3- and 6.9-inch display sizes, the iPhone 16 Pro and iPhone 16 Pro Max will have bezels that are "now about a third slimmer" for a "sleeker overall look." The...
iOS 18 CarPlay Feature

iOS 18 Adds These 6 New Features to CarPlay

Tuesday September 3, 2024 12:59 pm PDT by
Apple did not mention CarPlay when it unveiled iOS 18 in June, but the update includes a handful of new features for the in-car iPhone system. iOS 18 includes some changes to the Messages app, Settings app, and Siri on CarPlay. The update should be widely released later in September. Below, we recap CarPlay's key new features on iOS 18. 1. Contact Photos in Messages App iOS 18 adds...
apple watch series 9 display

'Noticeably Thinner' Apple Watch Series 10 to Eventually Get Sleep Apnea Detection

Friday September 6, 2024 4:42 am PDT by
The Apple Watch Series 10 will include a new sleep apnea detection feature, but it may not be available as soon as the new model launches, according to Bloomberg's Mark Gurman. Sleep apnea detection, which builds on the watch's existing sleep tracking, will attempt to determine if a wearer has sleep apnea and then suggest further testing with a medical professional. Gurman had expressed...

Top Rated Comments

jonnysods Avatar
45 months ago
Get ready for lots of Justin Long Intel videos about this next week.
Score: 9 Votes (Like | Disagree)
Apple_Robert Avatar
45 months ago

Laughing on my Linux developer laptop.
What is so funny? It's not like Linux hasn't had Malware problems.
Score: 7 Votes (Like | Disagree)
I7guy Avatar
45 months ago
Comes under the heading, be very careful about what you download.
Score: 6 Votes (Like | Disagree)
hot-gril Avatar
45 months ago

Why is it being called a Trojan when it has to be actively installed?
Cause that's what trojans are.
Score: 5 Votes (Like | Disagree)
hot-gril Avatar
45 months ago

Comes under the heading, be very careful about what you download.
Xcode does warn you when opening an xcodeproj downloaded from the Internet, but given how frequently you legitimately have to open and build random projects, I wish there were better sandboxing. The "run script" phase runs arbitrary code, ofc necessary when building many things but also an attack vector.

Edit: And even if you're not manually opening/building projects, you're probably using Cocoapods, which is. Of course other dev platforms have similar risks.
Score: 4 Votes (Like | Disagree)
Unsupported Avatar
45 months ago

Why is it being called a Trojan when it has to be actively installed?
https://usa.kaspersky.com/resource-center/threats/trojans

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:

•Deleting data
•Blocking data
•Modifying data
•Copying data
•Disrupting the performance of computers or computer networks


Modifying data?

So it could infect the project that the developer is working on?

Nasty!
Score: 3 Votes (Like | Disagree)