UPDATED 21:57 EDT / MARCH 18 2021


XcodeSpy malware targets developers using Apple’s Xcode software

A recently discovered form of Mac malware is being used to target software developers who use Apple Inc.’s Xcode development environment for macOS.

Detailed today by researchers at SentinelOne, XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism. Once installed, those behind the malware gain access to the targeted computer, including the ability to record the victim’s microphone, camera and keyboard as well as upload and download files.

XcodeSpy involves a trojanized Xcode project. An Xcode project is a repository of files, resources and information used to build a software project; Xcode itself is used to design apps for iOS, macOS, iPadOS, watchOS and tvOS. The malicious project that includes the XcodeSpy malware is described as a doctored version of a legitimate, open-source project on GitHub that offers iOS developers several advanced features for animating the iOS Tab Bar based on user interaction.

The vector for infection, however, is not clear. The SentinelOne researchers found a victim in the U.S. who reported that they were repeatedly targeted by North Korea. Two uploaded samples of XcodeSpy were also found in VirusTotal, both having been uploaded via a web interface in Japan, in August and October.

Possible distribution paths could include fake promotion on git repositories, although, given the possibly targeted nature of the few known victims, the path to infection may have been through social engineering or phishing attacks.
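Whatever the delivery path, a developer handed an unfamiliar project can inspect it before building. The article does not say how the doctored project executes its payload, but one place an Xcode project can carry executable code is a Run Script build phase, stored in project.pbxproj as a PBXShellScriptBuildPhase object whose shellScript runs on every build. The check below is an added example, not code from the article or from SentinelOne's research: it lists those phases in a project file and flags build-time behaviour worth a second look; the pbxproj sample is constructed, and the regexes assume the usual Xcode layout (24-hex-digit object ids, a closing "};" on its own line).

```python
import re

# One object in project.pbxproj:  <24-hex id> /* name */ = { ... };  build-phase objects have no nested braces and close with "};" on its own line, so stopping at the first is safe.
OBJECT_RE = re.compile(
    r'(?P<id>[0-9A-F]{24})\s*(?:/\*(?P<name>[^*]*)\*/)?\s*=\s*\{(?P<body>.*?)\n\s*\};', re.DOTALL)
# key = value;  value is either a quoted string with backslash escapes or bare text up to ";".
FIELD_RE = re.compile(r'(?P<key>\w+)\s*=\s*(?P<val>"(?:\\.|[^"\\])*"|[^;]+);')
# Build-time behaviours that deserve a look before an unfamiliar project is built.
SUSPICIOUS = [
    (r'base64\s+(-d|-D|--decode)', 'decodes base64 at build time'),
    (r'\beval\b', 'eval of a constructed command'),
    (r'\b(curl|wget|nc)\b', 'network access during build'),
    (r'\b(launchctl|LaunchAgents|LaunchDaemons)\b', 'touches launchd persistence'),
    (r'(?<!&)&\s*$', 'spawns a background process that outlives the build'),
]

def _unquote(val):  # strip the quotes and expand old-style plist escapes: \n \t \" \\
    val = val.strip()
    if not (len(val) >= 2 and val[0] == val[-1] == '"'):
        return val
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m[1], m[1]), val[1:-1])

def run_script_phases(pbxproj):  # yield (id, shellPath, script) per PBXShellScriptBuildPhase
    for m in OBJECT_RE.finditer(pbxproj):
        fields = {f['key']: _unquote(f['val']) for f in FIELD_RE.finditer(m['body'])}
        if fields.get('isa') == 'PBXShellScriptBuildPhase':
            yield m['id'], fields.get('shellPath', '/bin/sh'), fields.get('shellScript', '')

def assess(script):  # reasons the script looks risky; an empty list means nothing matched
    reasons = [why for pat, why in SUSPICIOUS if re.search(pat, script, re.M)]
    longest = max((len(tok) for tok in script.split()), default=0)
    if longest > 120:  # one huge token is typical of an encoded or obfuscated payload
        reasons.append('opaque %d-char token, possible encoded payload' % longest)
    return reasons

def scan(pbxproj):  # map each run-script phase id to its findings (pass the file's text)
    return {pid: assess(script) for pid, _, script in run_script_phases(pbxproj)}

# Constructed sample (real files use tabs): an ordinary lint phase and one that should be flagged; the base64 blob decodes to the words "constructed sample", nothing else.
SAMPLE = '''
    A1A1A1A1A1A1A1A1A1A1A1A1 /* SwiftLint */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\\n";
    };
    B2B2B2B2B2B2B2B2B2B2B2B2 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        shellScript = "echo Y29uc3RydWN0ZWQgc2FtcGxl | base64 -D | sh &\\n";
    };
'''
```

Run it as `scan(open('MyApp.xcodeproj/project.pbxproj').read())` and read every flagged script in full; the heuristics only point a reviewer at phases worth opening, they do not prove a project is clean.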

“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” the researchers said.

This is not the first time developers using Xcode have been targeted. Back in 2015 a malicious program dubbed XcodeGhost appeared in Apple’s App Store. The code, a repackaged version of Xcode itself, was downloaded multiple times and resulted in third-party apps also being infected as developers were tricked into using the XcodeGhost version of Xcode.

Photo: Terren in Virginia/Flickr
