UPDATED 21:57 EDT / MARCH 18 2021


XcodeSpy malware targets developers using Apple’s Xcode software

A recently discovered form of Mac malware is being used to target software developers who use Apple Inc.’s Xcode development environment for macOS.

Detailed today by researchers at SentinelOne, XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism. Once installed, those behind the malware gain access to the targeted computer, including the ability to record the victim’s microphone, camera and keyboard as well as upload and download files.

XcodeSpy involves a trojanized Xcode project. An Xcode project is a repository of files, resources and information used to build a software project; Xcode itself is used to design apps for iOS, macOS, iPadOS, watchOS and tvOS. The malicious project that includes the XcodeSpy malware is described as a doctored version of a legitimate, open-source project on GitHub that offers iOS developers several advanced features for animating the iOS Tab Bar based on user interaction.
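A project file is data a developer rarely reads, so the defensive check that follows is worth having: a trojanized Xcode project carries its payload in a Run Script build phase, which Xcode executes on the developer's machine every time the project is built (this is the mechanism SentinelOne reported for XcodeSpy; the article above does not spell it out). The script below is an added example, not code from the article, SentinelOne or the cloned GitHub project. It parses the `project.pbxproj` file inside a `.xcodeproj` bundle, lists every shell-script build phase and flags scripts showing obfuscation or download-and-execute patterns. The sample project text, the object identifiers and the indicator list are constructed for the example.

```python
"""Audit an Xcode project.pbxproj for shell-script build phases.

Usage: python audit_pbxproj.py [path/to/MyApp.xcodeproj/project.pbxproj]
With no argument the constructed SAMPLE_PBXPROJ below is audited.
"""
import re
import sys

# Constructed sample: one benign lint phase and one obfuscated phase.
# The base64 blob decodes to the harmless string "say hi"; it stands in
# for the encoded payload a trojanized project would carry.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    objects = {
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3D4E5F6A1B2C3D4E5F6 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Lint";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        F6E5D4C3B2A1F6E5D4C3B2A1 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo c2F5IGhpCg== | base64 --decode)\"\n";
        };
/* End PBXShellScriptBuildPhase section */
    };
}
'''

# Each top-level object in a pbxproj is "<24 hex id> /* comment */ = { ... };".
OBJ_RE = re.compile(
    r'(?P<id>[0-9A-F]{24}) /\* (?P<comment>[^*]*?) \*/ = \{(?P<body>.*?)\n\s*\};',
    re.S,
)
SCRIPT_RE = re.compile(r'shellScript = "((?:\\.|[^"\\])*)";')
NAME_RE = re.compile(r'name = "?([^";]*)"?;')

# Indicators a reviewer would want surfaced (constructed list, not exhaustive).
INDICATORS = [
    ("base64 decode", re.compile(r'base64\s+(?:-d|-D|--decode)\b')),
    ("eval of generated text", re.compile(r'\beval\b')),
    ("remote download", re.compile(r'\b(?:curl|wget)\b')),
    ("hex-escaped bytes", re.compile(r'(?:\\x[0-9a-fA-F]{2}){4,}')),
    ("LaunchAgent persistence", re.compile(r'LaunchAgents|launchctl')),
]


def unescape_pbx_string(s):
    """Undo the C-style escaping pbxproj applies to quoted strings."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)


def audit_pbxproj(text):
    """Return one record per shell-script build phase, with matched indicators."""
    results = []
    for obj in OBJ_RE.finditer(text):
        body = obj.group("body")
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        m = SCRIPT_RE.search(body)
        script = unescape_pbx_string(m.group(1)) if m else ""
        name_m = NAME_RE.search(body)
        results.append({
            "id": obj.group("id"),
            "name": name_m.group(1) if name_m else obj.group("comment"),
            # 0 means the script runs on every build, not only on archive/deploy
            "runs_every_build": "runOnlyForDeploymentPostprocessing = 0;" in body,
            "script": script,
            "indicators": [label for label, rx in INDICATORS if rx.search(script)],
        })
    return results


def main():
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for phase in audit_pbxproj(text):
        flag = "SUSPICIOUS" if phase["indicators"] else "ok"
        print(f"[{flag}] {phase['name']} ({phase['id']}) every_build={phase['runs_every_build']}")
        for label in phase["indicators"]:
            print(f"    - {label}")
        print("    " + phase["script"].strip().replace("\n", "\n    "))


if __name__ == "__main__":
    main()
```

Run it against a freshly cloned project before opening it in Xcode, since Xcode runs these phases as part of a normal build with no prompt. A clean project usually has zero or a handful of short, readable phases (linters, code generators); an `eval` of decoded text or a download-and-run pipeline in a phase named "Run Script" is what the article's warning about trojanized projects looks like on disk.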

The vector for infection, however, is not clear. The SentinelOne researchers found a victim in the U.S. who reported that they were repeatedly targeted by North Korea. Two uploaded samples of XcodeSpy were also found on VirusTotal, both having been uploaded via a web interface in Japan, in August and October.

Possible distribution paths could include fake promotion on git repositories, although given the apparently targeted nature of the few known victims, the path to infection may have been through social engineering or phishing attacks.

“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” the researchers said.

This is not the first time developers using Xcode have been targeted. Back in 2015 a malicious program dubbed XcodeGhost appeared in Apple’s App Store. The code, a repackaged version of Xcode itself, was downloaded multiple times and resulted in third-party apps also being infected as developers were tricked into using the XcodeGhost version of Xcode.

Photo: Terren in Virginia/Flickr
