
macrumors bot
Original poster
Apr 12, 2001


Security researchers at Trend Micro have discovered a new kind of Mac malware which can "command and control" a target system.

The researchers described the malware, which is part of the XCSSET family, as "an unusual infection related to Xcode developer projects." The malware is unusual because it is injected into Xcode projects, and when the project is built, the malicious code is run. A developer's Xcode project was found to be able to contain the malware, which "leads to a rabbit hole of malicious payloads."

The discovery poses a significant risk for Xcode developers. Trend Micro identified developers affected by the malware who share their projects via GitHub, leading to a potential supply-chain attack for users who rely on repositories for their own projects. Google's VirusTotal scanning software managed to identify the malware, which indicates the threat is at large.

The malware spreads via infected Xcode projects because it can create maliciously modified applications. Specifically, the malware was found to be capable of abusing Safari and other browsers to steal data. It can use a vulnerability to read and dump cookies, create backdoors in JavaScript, and in turn modify displayed websites, steal private banking information, block password changes, and steal newly modified passwords. It was also found to be able to steal information from apps such as Evernote, Notes, Skype, Telegram, QQ, and WeChat, take screenshots, upload files to the attacker's specified server, encrypt files, and display a ransom note.

Affected developers may unwittingly distribute the trojan to their users in the form of compromised Xcode projects and built applications. The malware is particularly dangerous because verification methods, such as checking hashes, would not identify infection as the developers would be unaware that they are distributing malicious files.

To protect against this type of threat, Trend Micro encourages users to only download apps from official marketplaces and consider multilayered security solutions.

Article Link: New Mac Malware Found to Infect via Xcode
 
Pulling an Xcode project file from github and running it through Xcode without examining it first sounds kind of risky in the first place.

Apple may be doing something to patch this soon, but it sounds like it could be a bit tricky, because there are legit reasons a developer could want some arbitrary commands in their project file to run at build time - the trick is separating your commands from their commands.
 
Waiting for App Store security comments.

Not sure how this will impact Apple silicon Mac, but I’d guess switching to ARM Mac provides very little impact on future malware development.
 
I had a random update on my Mac Pro last night. Something to do with a developer update. I'm not running anything other than the latest Catalina. Looked legit. Wasn't online and it came through software update I believe.
 
FWIW, the same concept can also be used to infect other development tools.

Build tools are getting more complicated. More often than not, makefiles contain executable code (i.e. your garden-variety "./configure.sh" is executable code). These can contain or download malware and embed it into whatever software the tool is building.
 
Can someone explain this in amateur-friendly language? Sorry, I am as tech savvy as a snorkeler is a diver: I can do a lot, but cannot go in deep water and certainly not for a long time.

Is this somehow a good interpretation:

Some geeks would get code that is delivered on GitHub, where one can download applications that are not delivered compiled? The person downloading the code would compile the app on his own computer by using Xcode. Infected code would compile without hiccups in Xcode, and therewith create an application that is malicious. If not using Xcode, but CodeWarrior Pro 4, you might be lucky enough to not have the malware compiled in with the benign code, so to say, and not be compromised...

?

Also, just as we are in this field of more abstract matter: most such applications, without any user interface, run through the command line... correct? Because why would one otherwise need to compile such apps oneself?

Thanks for any pedagogic guidance :)
 
Is about time for Apple to fully lockdown macOS, too. Just like iOS 🤣 of course just to make it more secure... *cough*

/s
 
I am confused. Doesn't Microsoft own GitHub? Its software can identify the problem code but not eliminate it? Is GitHub a problem then, allowing malicious code to enter, and what other surprises are in store? Last I used GitHub, I can't recall a lot of security preventing changes to code.
 
Pulling an Xcode project file from github and running it through Xcode without examining it first sounds kind of risky in the first place.
I understand your suggestion, but it is an impossible thing to do.

Sure, I can have a look at the initial code, but I rely on Swift Packages a lot. Xcode is configured to update Swift Packages to the latest minor revisions by default, and it happens on project opening. If one of my framework dependencies suddenly becomes infected, I will never know.

--

Apple has the biggest homework to do here, but they will probably work in partnership with GitHub, GitLab, etc. to identify the malicious files, if they all look alike it will be easy for them to delete them.
 
I am confused. Doesn't Microsoft own GitHub? Its software can identify the problem code but not eliminate it? Is GitHub a problem then, allowing malicious code to enter, and what other surprises are in store? Last I used GitHub, I can't recall a lot of security preventing changes to code.

Vetting projects to ensure they are ‘safe’ on an ongoing basis is the wrong way to go. Plus, it would take an enormous amount of effort to do so. You can say goodbye to the free tier offerings for Gitlab, github etc, which would be an absolute shame.
 
Pulling an Xcode project file from github and running it through Xcode without examining it first sounds kind of risky in the first place.

I'm not 100% certain from the article wording if the project has to be built, or built and run.

Obviously running any code without understanding it is inherently risky (though it's not always practical to look into - and understand the effect of - every line of code in larger projects). Instinctively though, I'd be less wary of just building a project. I might well download a project and debug it with the intention of examining it by stepping through it.

But if the infection can happen during the build process (by some included build script), then it's already too late.
 
I understand your suggestion, but it is an impossible thing to do.

Sure, I can have a look at the initial code, but I rely on Swift Packages a lot. Xcode is configured to update Swift Packages to the latest minor revisions by default, and it happens on project opening. If one of my framework dependencies suddenly becomes infected, I will never know.

--

Apple has the biggest homework to do here, but they will probably work in partnership with GitHub, GitLab, etc. to identify the malicious files, if they all look alike it will be easy for them to delete them.

I'm just starting to get used to the WYSIWYG part of using Xcode, so I may be wrong in even suggesting or thinking this. Are experienced Xcode programmers not encouraged to review their code? In a similar way to how K-2 students are reminded on tests to prove how they got their answer to a question by reverse arithmetic? Just curious, as I see so many labs that Apple alone has during WWDC and a few throughout the year.
 