MacRumors

macrumors bot
Original poster
Apr 12, 2001


Last week, we reported on a severe new kind of Mac malware that has been found to infect via Xcode, discovered by security researchers at Trend Micro.

In an exclusive interview with MacRumors, the security researchers behind the discovery, Oleksandr Shatkivskyi and Vlad Felenuik, have provided more information about their research.


The malware, which is part of the XCSSET family, is "an unusual infection" that is injected into Xcode projects. When the project is built, the malicious code is run. This can lead to "a rabbit hole of malicious payloads," and poses a significant risk to Mac users.

Specifically, the malware was found to be capable of abusing Safari and other browsers to steal data. It can use a vulnerability to read and dump cookies, create backdoors in JavaScript, and in turn modify displayed websites, steal private banking information and passwords, and block password changes. It was also found to be able to steal information from apps such as Evernote, Notes, Skype, Telegram, QQ, and WeChat, take screenshots, upload files to the attacker's specified server, encrypt files, and display a ransom note.

Shatkivskyi and Felenuik told MacRumors that they believe the XCSSET malware will become extremely common among bad actors who seek to exploit Mac systems. The malware is particularly dangerous because verification methods, such as checking hashes, would not identify infection. It was found to be present in projects shared on GitHub. This means that developers who rely on repositories could face a supply-chain attack and be unaware that their project has become infected.
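Because the article's point is that a hash check of a repository tells you nothing about what a project will execute when built, the practical defence is to review every shell-script build phase before building a third-party Xcode project. The following audit script is an added example, not code from the article, Trend Micro or the researchers; the pbxproj excerpt is constructed, the object ids are made up, and the review heuristics are my own generic ones rather than indicators from the article.

```python
import re

# Constructed sample excerpt of a project.pbxproj (not a real XCSSET sample):
# a normal lint run-script phase, one that sources a hidden script, and a
# compile phase that the audit must ignore.
SAMPLE_PBXPROJ = r'''
    A1B2C3D4E5F60718293A4B5C /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        name = "Run Script";
        shellPath = /bin/sh;
        shellScript = "swiftlint --quiet\n";
    };
    0F1E2D3C4B5A69788796A5B4 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "cd \"$SRCROOT\" && sh ./.hidden/setup.sh\n";
    };
    C0FFEE0000000000000000AB /* Sources */ = {
        isa = PBXSourcesBuildPhase;
    };
'''

# Every pbxproj object is "<24-hex id> /* comment */ = { ... };".
PHASE_RE = re.compile(r'([0-9A-F]{24}) /\* ([^*]*?) \*/ = \{\s*isa = '
                      r'PBXShellScriptBuildPhase;(.*?)\n\s*\};', re.DOTALL)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.DOTALL)

# Assumed, generic review heuristics of my own, not indicators from the article.
SUSPECT = [
    (re.compile(r'/\.[^./ ]'), 'runs or reads a hidden (dot) path'),
    (re.compile(r'\b(curl|wget)\b'), 'fetches from the network at build time'),
    (re.compile(r'\b(eval|base64)\b'), 'evaluates or decodes content at build time'),
    (re.compile(r'xcuserdata'), 'reaches into per-user project state'),
]

def _unescape(s):
    # Undo the backslash escapes pbxproj uses inside quoted strings.
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m[1], m[1]), s)

def audit_pbxproj(text):
    """One record per shell-script build phase: id, name, script, review flags."""
    findings = []
    for obj_id, comment, body in PHASE_RE.findall(text):
        m = SCRIPT_RE.search(body)
        script = _unescape(m.group(1)) if m else ''
        name_m = re.search(r'name = "?([^";]*)"?;', body)
        flags = [why for rx, why in SUSPECT if rx.search(script)]
        findings.append({'id': obj_id, 'name': name_m.group(1) if name_m else comment,
                         'script': script, 'flags': flags})
    return findings
```

Run it over the contents of a cloned project's `.xcodeproj/project.pbxproj` before the first build; any phase whose script you cannot account for deserves a look regardless of whether a heuristic fired.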

Xcode projects infected with the malware can create maliciously modified applications, unbeknownst to the developers who make the apps, and may then distribute them as trojans. Shatkivskyi and Felenuik believe that the Mac App Store review team will be largely unable to detect apps that contain the XCSSET malware. "As an iOS developer I know how easy it is to fool them and release an app with hidden features," Shatkivskyi said.

Shatkivskyi and Felenuik first approached Apple about the issue as early as December 2019, and they hope that Apple will be decisive and swift in its response to resolving the vulnerability. They suggest that Apple could implement privacy notifications, the likes of which came to iOS 14 and iPadOS 14, to alert Mac users when the malware is active on their systems, in an effort to explicitly alert users to a potential breach.

Shatkivskyi and Felenuik did not have access to a Mac Developer Transition Kit with Apple Silicon for testing, but they believe "there is no doubt that the malware will work" on Macs running Apple Silicon. In spite of the severity of the XCSSET malware, they maintain that macOS is a safe operating system and are optimistic about the future of combating malware.

"Apple have some work to do, but still macOS is the most secure platform available. I am delighted by how Apple stands for privacy. However, I am sure that malware development will get almost impossible in the future. But it has nothing to do with the Mac transition to Apple silicon."

Going forward, the researchers caution Mac users to be alert for unusual activity with permission alerts. Any repeated or suspicious notifications asking for permissions on macOS may be an indication of an infection. Trend Micro encourages users to consider multilayered security solutions.

"In order to stay safe, you have to be somewhat paranoid. Don't allow any app to record your screen. Also, pay attention to what is running on your Mac. I never use any pirated software due to its insecurity, I use only licensed ones," Shatkivskyi said.

The pair continue to actively research other threats to macOS.

Article Link: Malware Injected Into Xcode Projects Could Infiltrate Mac App Store
 
Hmm. Makes you wonder about the timing of this XCSSET malware (XCSSET malware will become extremely common among bad actors who seek to exploit Mac systems). Is this related to the recent onslaught against the App Store?

Will Apple advise their bigger and smaller coders?
What are App Store coders doing to avoid such malware within GitHub repositories? Lots of reference code is shared and used there.

Will there be a specific benefit to Apple Silicon SoC that can protect against such malware?
 
Apple requesting Epic to resubmit Fortnite without the direct payment option just goes to show how much of a joke the walled garden approach is in reality. If they need to resubmit it without that option, then that means they submitted with that option, which means Apple let through an app with a security issue (they seem to think they are the only one that can process payments securely). So why hasn’t Apple apologized for their mistake here?

Expect a lot more now with this malware...
 
Bit of ignorance on the researcher’s part.

When Apple vets a submitted app they check the application and system logs for behaviour like this.

Jobs already mentioned this process many years ago ‘Developers tell us the app does one thing and we find out it does something else.’

Apps downloaded outside the App Store are risky, especially if they are unsigned.
 
Since the third app store came into existence on iOS. The first 2 - Installer.app and Cydia didn't charge 30%, but then Apple "invented" the App Store a year later!
The last time I downloaded an app I paid 30% of $0 is what you are telling me? As a consumer I care less about app store fees, but as a MR poster, I'll participate in the discussion.

edit: App store concepts go back to the 90's but Apple had a great idea in the ios app store, regardless of whether they copied a process or not.
 
So much for Apple's robust security.

The App Store is there to protect everyone. Apple's core is privacy. Macs cannot catch viruses. The review process is strict and the same for everyone. Hahahaha.

I still think the App Store review process is weak. Many apps are loaded with trackers that Apple just lets slip through. They care about stupid stuff like "shaking (to undo/report/whatever)" function or "embracing the notch" and not so much about security as they claim.

I also remember when they conveniently took an exaggerated amount of time to approve Google Maps when they were releasing Apple Maps.

edit: App store concepts go back to the 90's but Apple had a great idea in the ios app store, regardless of whether they copied a process or not.

Steve Jobs was opposed to the App Store, it took a lot of convincing for him to leave his stubbornness out. Now look at how much it is growing on those pie charts.

As Microsoft owns github.com, I have every reason to believe this problem will be resolved very quickly.
/s

Except Microsoft has nothing to do with this. It is like blaming WordPress for grammar mistakes in someone's blog.
 
Apple requesting Epic to resubmit Fortnite without the direct payment option just goes to show how much of a joke the walled garden approach is in reality. If they need to resubmit it without that option, then that means they submitted with that option, which means Apple let through an app with a security issue (they seem to think they are the only one that can process payments securely). So why hasn’t Apple apologized for their mistake here?

Expect a lot more now with this malware...

This article has nothing to do with Epic and their battle with Apple (and Google).

With regard to what you said, though: the App Store doesn't actually deploy the huge files / updates that Fortnite used. The app you get for Fortnite in the App Store is a small launcher that then downloads the actual game and its updates directly from Epic. Have no idea how this came to be.

This was why it came as a surprise to Apple when Epic directly deployed an update to iOS Fortnite users without the App store purchase connections in it. Presumably they weren't looking for Epic to drop that out of their code in a weekly update.
 
As Microsoft owns github.com, I have every reason to believe this problem will be resolved very quickly.
/s
It's not Microsoft's responsibility to scan and validate every piece of code uploaded to GitHub.
It is the responsibility of every developer to inspect and validate any third party code they choose to incorporate into their app.
 
UNSIGNING IOS versions should be illegal, restraint of trade! I buy a car and I cannot put a different radio in it?
This is the ONE single thing that Apple should have been sued over but not so far. It cost me over 25 games that worked and then didn't because Apple forced me to upgrade.

This issue did NOT cost you over 25 games! Stop whining and incorrectly inferring things that are irrelevant beyond your comprehension. If an application has suspect malware as stated in the article - this has nothing to do with Apple.

Unsigning iOS version - this is related to Cydia and hacked iOS OS ... for which Apple has been VERY quick to no longer sign since releasing new updated iOS versions. Meaning Cydia cannot load onto older unsigned versions. Seems like you're VERY confused there. This is NOT related to putting a radio in your car.

This is more like your car's MMI or system that controls: Fuel Mixture, Variable Valve Timing, checking emissions output, checking tire pressure (on high-end luxury/supercars), checking engine/oil/water temperatures, checking transmission fluid temperature, checking light indicators and lights, checking brake pedal pressure to be applied to braking, etc etc etc! You're talking about an OS and VERY few people today, using an OBD II adapter and an application on PC or their phone KNOW how to access the application or how to change settings (like daytime running lights - which lights are on like turn-signal indicators or not). It's there but once the OS/Firmware is signed and distributed YOU cannot swap out a component on your CAR ~ regardless of what you believe! You can update the fuel injection and timing parameters, but unless you're a coder and have knowledge of HOW to swap out this system or other components YOU buddy cannot swap it out. BEST believe when you do and it's failed or has seriously incorrect mixture and polluting on the road and you're pulled over ... YOU'RE legally responsible for it ... NOT your manufacturer and thus YOU'VE voided your warranty ... JUST like Apple states you've voided your warranty if you hack iOS to use Cydia and other hacks on your iPhone if you try to make a warranty claim!

SO ... again Stop incorrectly inferring things that are not relevant.

So much for the 30% cut Apple takes to ensure the App Store is the SAFEST place to download 3rd party apps. 🙄

There is NO fee related to Apple or the iOS App Store to access Github's repository of code for anyone/developers/end users to peruse.

Thus far the App Store has NOT been hacked. Pretty safe for several years. If a developer intentionally or unintentionally implemented rogue code affecting users that's not Apple's fault and they've proven quite well how quickly they respond to applying a solution - whether it's working with developers or pausing downloads or removing the app so it's not downloading and advising developers to relook at their code and upload a new app without the rogue code. Now let's compare that to Android's history within the Play Store ... I'll break out the popcorn on that and enjoy the laughs as they've continually failed even for months at a time before correcting the issue. Nobody is perfect yet Apple has done above average and is leading the way with their performance.


Since the third app store came into existence on iOS. The first 2 - Installer.app and Cydia didn't charge 30%, but then Apple "invented" the App Store a year later!

Did Cydia exist before Apple's App Store? Either way at least it's a choice - yet those that delve have a higher risk to accept in doing so. Sure Cydia doesn't charge 30% and that's their choice. Cydia doesn't have a contract to developers uploading there do they? Do they have specific rules to prevent certain apps or code or anything? Is there any concern of Cydia's practices to the end user related to its App Store?
 