UPDATED 21:57 EST / MARCH 18 2021


XCodeSpy malware targets developers using Apple’s Xcode software

A recently discovered form of Mac malware is being used to target software developers who use Apple Inc.’s Xcode development environment for macOS.

Detailed today by researchers at SentinelOne, XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism. Once installed, those behind the malware gain access to the targeted computer, including the ability to record the victim’s microphone, camera and keyboard as well as upload and download files.

XcodeSpy involves a trojanized Xcode project. An Xcode project is a repository of files, resources and information used to build a software project with Xcode being used to design apps for iOS, macOS, iPadOS, watchOS and tvOS. The malicious project that includes the XcodeSpy malware is described as a doctored version of a legitimate, open-source project on Github that offers iOS developers several advanced features for animating the iOS Tab Bar based on user interaction.

The vector for infection, however, is not clear. The SentinelOne researchers found a victim in the U.S. who reported that they were repeatedly targeted By North Korea. Two uploaded samples for XcodeSpy were also found in VirusTotal, both having been uploaded via a web interface in Japan in August and October.

Possible distribution paths could include fake promotion on git repositories although given the possible targeted nature of the few known victims, the path to infection may have been through social engineering or phishing attacks.

“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” the researchers said.

This is not the first time developers using Xcode have been targeted. Back in 2015 a malicious program dubbed XcodeGhost appeared in Apple’s App Store. The code, a repackaged version of Xcode itself, was downloaded multiple times and resulted in third-party apps also being infected as developers were tricked into using the XcodeGhost version of Xcode.

Photo: Terren in Virginia/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy