Security Researchers Discover XcodeSpy Malware That Targets Developers

Developers need to look out for "XcodeSpy," a malicious Xcode project that installs a custom variant of the "EggShell" backdoor on a macOS computer, according to new research shared today by SentinelOne (via Ars Technica).

iu 2 1
Xcode is software designed for developers who want to write apps for the iOS and macOS platforms, and the malicious project that's circulating mirrors TabBarInteraction, a legitimate open source project.

Developers who download the XcodeSpy project think they're getting TabBarInteraction, but the malware includes a hidden "run Script" executable that downloads and installs the EggShell open source back door that's able to spy on users through the microphone, camera, and keyboard as well as upload and download files.

Two variants of the custom EggShell attack were found to be uploaded in Japan, first in August and then in October, so this is an attack that's been out in the wild for some time.

We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggest that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.

SentinelOne says that all Apple Developers that use Xcode should exercise caution when using shared Xcode projects.

Tag: Xcode

Top Rated Comments

jonnysods Avatar
16 months ago
Get ready for lots of Justin Long Intel videos about this next week.
Score: 9 Votes (Like | Disagree)
Apple_Robert Avatar
16 months ago

Laughing on my Linux developer laptop.
What is so funny? It's not like Linux hasn't had Malware problems.
Score: 7 Votes (Like | Disagree)
I7guy Avatar
16 months ago
Comes under the heading, be very careful about what you download.
Score: 6 Votes (Like | Disagree)
hot-gril Avatar
16 months ago

Why is it being called a Trojan when it has to be actively installed?
Cause that's what trojans are.
Score: 5 Votes (Like | Disagree)
hot-gril Avatar
16 months ago

Comes under the heading, be very careful about what you download.
Xcode does warn you when opening an xcodeproj downloaded from the Internet, but given how frequently you legitimately have to open and build random projects, I wish there were better sandboxing. The "run script" phase runs arbitrary code, ofc necessary when building many things but also an attack vector.

Edit: And even if you're not manually opening/building projects, you're probably using Cocoapods, which is. Of course other dev platforms have similar risks.
Score: 4 Votes (Like | Disagree)
Unsupported Avatar
16 months ago

Why is it being called a Trojan when it has to be actively installed?
https://usa.kaspersky.com/resource-center/threats/trojans

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:

•Deleting data
•Blocking data
•Modifying data
•Copying data
•Disrupting the performance of computers or computer networks


Modifying data?

So it could infect the project that the developer is working on?

Nasty!
Score: 3 Votes (Like | Disagree)

Related Stories

apple security banner

Apple Outlines How It Will Notify Users Who Have Been Targeted by State-Sponsored Spyware Attacks

Tuesday November 23, 2021 8:15 pm PST by
Earlier today, Apple announced that it had filed suit against NSO Group, the firm responsible for the Pegasus spyware that has been used in state-sponsored surveillance campaigns in a number of countries. NSO Group seeks to take advantage of vulnerabilities in iOS and other platforms to infiltrate the devices of targeted users such as journalists, activists, dissidents, academics, and government...
powerdir exploit microsoft

Microsoft Discovered New 'Powerdir' macOS Vulnerability, Fixed in 12.1 Update

Monday January 10, 2022 9:17 am PST by
Microsoft's 365 Defender Research Team this morning published details on a new "Powerdir" macOS vulnerability that let an attacker bypass the Transparency, Consent, and Control technology to gain unauthorized access to protected data. Apple already addressed the CVE-2021-30970 vulnerability in the macOS Monterey 12.1 update that was released in December, so users who have updated to the...
Apple car wheel icon feature yellow

Apple Car Project Loses Three Key Engineers

Wednesday December 8, 2021 3:27 pm PST by
As Apple gears up to release a fully autonomous vehicle, it is continuing to lose key people who are working on the project, reports Bloomberg. Over the last several weeks, three engineers have departed the company. Apple's chief engineer for radar systems, Eric Rogers, left for Joby Aviation, a company working on electric aerial ridesharing. Alex Clarabut, an engineering manager for the...
apple open source site

Apple Launches Redesigned Open Source Website

Wednesday December 8, 2021 1:19 pm PST by
Apple today introduced a redesigned website for its Open Source projects, which houses Apple's open source work like Swift, WebKit, ResearchKit, FoundationDB, and more. The updated site can be found at opensource.apple.com. The site includes two main sections, including Featured Projects to showcase a selection of Apple's open source work, and a second section for Releases. The Featured...
macOS Monterey on MBP Feature

Apple Seeds Third macOS Monterey 12.3 Beta to Developers

Tuesday February 15, 2022 10:13 am PST by
Apple today seeded the third beta of an upcoming macOS macOS Monterey 12.3 update to developers for testing purposes, with the new software coming a week after the release of the second macOS Monterey 12.3 beta. Registered developers can download the beta through the Apple Developer Center and after the appropriate profile is installed, betas will be available through the Software Update...
Apple car wheel icon Kevin Lynch feature blue revamp

Kuo: Apple Car Team Must Be Reorganized Soon to Meet 2025 Production Goal

Tuesday March 15, 2022 7:24 am PDT by
Apple's team of employees working on the company's long-rumored electric vehicle has "been dissolved for some time," and must be reorganized soon in order for mass production of the vehicle to begin by 2025, analyst Ming-Chi Kuo said in a tweet today. Apple's electric vehicle plans have reportedly faced numerous setbacks since the project was approved in 2014, including several leadership...
macOS Monterey on MBP Feature

Apple Seeds Second macOS Monterey 12.3 Beta to Developers

Tuesday February 8, 2022 10:08 am PST by
Apple today seeded the second beta of an upcoming macOS macOS Monterey 12.3 update to developers for testing purposes, with the new software coming two weeks after the release of the first macOS Monterey 12.3 beta. Registered developers can download the beta through the Apple Developer Center and after the appropriate profile is installed, betas will be available through the Software Update...
TA21Q2DID0021 02 EN low

Porsche Considering 'Exciting' Joint Projects With Apple

Friday March 18, 2022 4:39 am PDT by
German carmaker Porsche has discussed undertaking joint projects with Apple, the company's CEO mentioned today in its annual press conference (via Reuters). Porsche CEO Oliver Blume said that the company has discussed "exciting common projects" with Apple, but it it is currently too soon to make any firm decisions on future projects. It is unclear exactly what the seemingly off-hand remark...

Popular Stories

iPhone 14 Purple Lineup Feature

Will the iPhone 14 Be a Disappointment?

Saturday May 21, 2022 9:00 am PDT by
With around four months to go before Apple is expected to unveil the iPhone 14 lineup, the overwhelming majority of rumors related to the new devices so far have focused on the iPhone 14 Pro, rather than the standard iPhone 14 – leading to questions about how different the iPhone 14 will actually be from its predecessor, the iPhone 13. The iPhone 14 Pro and iPhone 14 Pro Max are expected...
iPhone 13 Face ID

'High-End' iPhone 14 Front-Facing Camera to Cost Apple Three Times More

Monday May 23, 2022 7:05 am PDT by
The iPhone 14 will feature a more expensive "high-end" front-facing camera with autofocus, partly made in South Korea for the first time, ET News reports. Apple reportedly ousted a Chinese candidate to choose LG Innotek, a South Korean company, to supply the iPhone 14's front-facing camera alongside Japan's Sharp. The company is said to have originally planned to switch to LG for the iPhone...
iPhone 13 Always On Feature

iPhone 14 Pro Screen Refresh Rate Upgrade Could Allow for Always-On Display

Tuesday May 24, 2022 7:23 am PDT by
Last year's iPhone 13 Pro models were the first of Apple's smartphones to come with 120Hz ProMotion displays, and while the two iPhone 14 Pro models will continue to feature the technology, their screens could well boast expanded refresh rate variability this time round. To bring ProMotion displays to the ‌iPhone 13 Pro models‌, Apple adopted LTPO panel technology with variable refresh...
apple music

Apple Increases Apple Music Subscription Price for Students in Several Countries

Sunday May 22, 2022 1:57 am PDT by
Apple has silently increased the price of its Apple Music subscription for college students in several countries, with the company emailing students informing them their subscription would be slightly increasing in price moving forward. The price change is not widespread and, based on MacRumors' findings, will impact Apple Music student subscribers in but not limited to Australia, the...
EA Apple Maybe Feature

Apple Reportedly Talked With Electronic Arts About Potential Acquisition

Monday May 23, 2022 10:58 am PDT by
Apple is one of several companies that have held talks with Electronic Arts (EA) about a potential purchase, according to a new report from Puck. EA has spoken to several "potential suitors," including Apple, Amazon, and Disney as it looks for a merger arrangement. Apple and the other companies declined to comment, and the status of the talks is not known at this time, but Apple does have an ...
sony headphones 1

Sony's New WH-1000XM5 Headphones vs. Apple's AirPods Max

Friday May 20, 2022 12:18 pm PDT by
Sony this week came out with an updated version of its popular over-ear noise canceling headphones, so we picked up a pair to compare them to the AirPods Max to see which headphones are better and whether it's worth buying the $400 WH-1000XM5 from Sony over Apple's $549 AirPods Max. Subscribe to the MacRumors YouTube channel for more videos. First of all, the AirPods Max win out when it comes ...