Security Researchers Discover XcodeSpy Malware That Targets Developers
Developers need to look out for "XcodeSpy," a malicious Xcode project that installs a custom variant of the "EggShell" backdoor on a macOS computer, according to new research shared today by SentinelOne (via Ars Technica).
Xcode is software designed for developers who want to write apps for the iOS and macOS platforms, and the malicious project that's circulating mirrors TabBarInteraction, a legitimate open source project.
Developers who download the XcodeSpy project think they're getting TabBarInteraction, but the malware includes a hidden "run Script" executable that downloads and installs the EggShell open source back door that's able to spy on users through the microphone, camera, and keyboard as well as upload and download files.
Two variants of the custom EggShell attack were found to be uploaded in Japan, first in August and then in October, so this is an attack that's been out in the wild for some time.
We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggest that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.
SentinelOne says that all Apple Developers that use Xcode should exercise caution when using shared Xcode projects.
Related Stories
Earlier today, Apple announced that it had filed suit against NSO Group, the firm responsible for the Pegasus spyware that has been used in state-sponsored surveillance campaigns in a number of countries. NSO Group seeks to take advantage of vulnerabilities in iOS and other platforms to infiltrate the devices of targeted users such as journalists, activists, dissidents, academics, and government...
Microsoft's 365 Defender Research Team this morning published details on a new "Powerdir" macOS vulnerability that let an attacker bypass the Transparency, Consent, and Control technology to gain unauthorized access to protected data.
Apple already addressed the CVE-2021-30970 vulnerability in the macOS Monterey 12.1 update that was released in December, so users who have updated to the...
As Apple gears up to release a fully autonomous vehicle, it is continuing to lose key people who are working on the project, reports Bloomberg. Over the last several weeks, three engineers have departed the company.
Apple's chief engineer for radar systems, Eric Rogers, left for Joby Aviation, a company working on electric aerial ridesharing. Alex Clarabut, an engineering manager for the...
Apple today introduced a redesigned website for its Open Source projects, which houses Apple's open source work like Swift, WebKit, ResearchKit, FoundationDB, and more. The updated site can be found at opensource.apple.com.
The site includes two main sections, including Featured Projects to showcase a selection of Apple's open source work, and a second section for Releases.
The Featured...
Apple today seeded the third beta of an upcoming macOS macOS Monterey 12.3 update to developers for testing purposes, with the new software coming a week after the release of the second macOS Monterey 12.3 beta.
Registered developers can download the beta through the Apple Developer Center and after the appropriate profile is installed, betas will be available through the Software Update...
Apple's team of employees working on the company's long-rumored electric vehicle has "been dissolved for some time," and must be reorganized soon in order for mass production of the vehicle to begin by 2025, analyst Ming-Chi Kuo said in a tweet today.
Apple's electric vehicle plans have reportedly faced numerous setbacks since the project was approved in 2014, including several leadership...
Apple today seeded the second beta of an upcoming macOS macOS Monterey 12.3 update to developers for testing purposes, with the new software coming two weeks after the release of the first macOS Monterey 12.3 beta.
Registered developers can download the beta through the Apple Developer Center and after the appropriate profile is installed, betas will be available through the Software Update...
German carmaker Porsche has discussed undertaking joint projects with Apple, the company's CEO mentioned today in its annual press conference (via Reuters).
Porsche CEO Oliver Blume said that the company has discussed "exciting common projects" with Apple, but it it is currently too soon to make any firm decisions on future projects. It is unclear exactly what the seemingly off-hand remark...
Popular Stories
Last year's iPhone 13 Pro models were the first of Apple's smartphones to come with 120Hz ProMotion displays, and while the two iPhone 14 Pro models will continue to feature the technology, their screens could well boast expanded refresh rate variability this time round.
To bring ProMotion displays to the iPhone 13 Pro models, Apple adopted LTPO panel technology with variable refresh...
Leaker Jon Prosser today shared ostensibly accurate renders of the iPhone 14 Pro, providing the most accurate look yet at what the device could look like when it launches later this year.
In the latest video on YouTube channel Front Page Tech, Prosser revealed renders of the iPhone 14 Pro made by Apple concept graphic designer Ian Zelbo, highlighting a range of specific design changes...
With around four months to go before Apple is expected to unveil the iPhone 14 lineup, the overwhelming majority of rumors related to the new devices so far have focused on the iPhone 14 Pro, rather than the standard iPhone 14 – leading to questions about how different the iPhone 14 will actually be from its predecessor, the iPhone 13.
The iPhone 14 Pro and iPhone 14 Pro Max are expected...
The iPhone 14 will feature a more expensive "high-end" front-facing camera with autofocus, partly made in South Korea for the first time, ET News reports.
Apple reportedly ousted a Chinese candidate to choose LG Innotek, a South Korean company, to supply the iPhone 14's front-facing camera alongside Japan's Sharp. The company is said to have originally planned to switch to LG for the iPhone...
Apple today confirmed that the keynote event for the Worldwide Developers Conference will begin at 10:00 a.m. Pacific Time on June 6, the first day of WWDC. The keynote will be an online-only event, though a select number of developers have been invited to the Apple Park campus for a viewing event.
In addition to confirming the keynote date and time, Apple has shared the full WWDC 2022...
Apple today announced new Pride bands for the Apple Watch, with new Pride Edition Sport Loop and Pride Edition Nike Sport Loop options available.
The new Pride Edition bands are available to order today for $49 on Apple.com and in the Apple Store app, and will be available at Apple Store locations starting May 26. The Pride Edition Nike Sport Loop is also coming soon to Nike.com.
This...
Top Rated Comments
Edit: And even if you're not manually opening/building projects, you're probably using Cocoapods, which is. Of course other dev platforms have similar risks.
A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:
•Deleting data
•Blocking data
•Modifying data
•Copying data
•Disrupting the performance of computers or computer networks
Modifying data?
So it could infect the project that the developer is working on?
Nasty!