XcodeSpy malware targets developers using Apple’s Xcode software

A recently discovered form of Mac malware is being used to target software developers who use Apple Inc.’s Xcode development environment for macOS.

Detailed today by researchers at SentinelOne, XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism. Once installed, those behind the malware gain access to the targeted computer, including the ability to record the victim’s microphone, camera and keyboard as well as upload and download files.

XcodeSpy involves a trojanized Xcode project. An Xcode project is a repository of files, resources and information used to build a software product; Xcode itself is used to develop apps for iOS, macOS, iPadOS, watchOS and tvOS. The malicious project that carries the XcodeSpy malware is described as a doctored version of a legitimate, open-source project on GitHub that offers iOS developers several advanced features for animating the iOS Tab Bar based on user interaction.

The infection vector, however, is not clear. The SentinelOne researchers found a victim in the U.S. who reported being repeatedly targeted by North Korea. Two XcodeSpy samples were also found on VirusTotal, both uploaded via a web interface in Japan, in August and October.

Possible distribution paths include fake promotion on git repositories, although, given the apparently targeted nature of the few known victims, infection may have come through social engineering or phishing attacks.

“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” the researchers said.

This is not the first time developers using Xcode have been targeted. Back in 2015 a malicious program dubbed XcodeGhost appeared in Apple’s App Store. The code, a repackaged version of Xcode itself, was downloaded multiple times and resulted in third-party apps also being infected as developers were tricked into using the XcodeGhost version of Xcode.
