New Mac Malware Spreads Through Xcode Projects
Security researchers have found Xcode projects carrying malware that can attack Safari and other browsers. The malware, named XCSSET, made its way into Mac software projects by means that are still unknown.
Trend Micro researchers discovered what the company described as an “exceptional infection related to the Xcode developer project,” in which the malware embeds itself in the project itself. It was found to carry several possible payloads. Although it poses a potential risk to end users of software built with Apple's IDE, it appears to be a bigger problem for developers.
The malware belongs to the XCSSET family. It contains components for command and control, meaning the attacker can remotely control the infected Mac and carry out a range of actions on it, including harvesting personal data and running ransomware-style attacks that encrypt the victim's files.
What the team considers unusual is the distribution method: the malware is “injected into the local Xcode project so that the malicious code can be run when the project is built.” How the code was injected into the project is still not clear.
For developers who collaborate with others, Trend Micro believes the threat becomes more serious when projects are shared through GitHub and other code repositories, because anyone who builds an infected project inherits the malicious build step. This could lead to “users who rely on these repositories suffering supply-chain-like attacks, with the infected projects becoming dependencies in their own projects.”
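Because the malicious code runs as part of the build, the practical check for a developer who pulls a shared Xcode project is to audit its Run Script build phases before building. The script below is an added example written for this article, not code from Trend Micro or from the infected projects: it parses the PBXShellScriptBuildPhase entries in a project.pbxproj and flags scripts that download code, decode payloads, run from hidden paths, or silence their own output. The embedded project excerpt is constructed for illustration and is not taken from any real project; the indicator list is a starting heuristic, not a signature for XCSSET.

```python
"""Audit Run Script build phases in an Xcode project.pbxproj for build-time code execution."""
import re

# Constructed excerpt of a project.pbxproj (Xcode's plist-like project format).
# Phase 1 is an ordinary linter step; phase 2 is the kind of entry an attacker who
# can write to the project would add so that code runs whenever it is built.
# Neither phase is copied from a real project.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		0123456789ABCDEF01234567 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "\"${PODS_ROOT}/SwiftLint/swiftlint\" --quiet\n";
		};
		89ABCDEF0123456789ABCDEF /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			shellPath = /bin/sh;
			shellScript = "cd \"$SRCROOT\" && /bin/sh .build_helper/.update.sh >/dev/null 2>&1 &\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# One object looks like:  <24-hex id> /* comment */ = { ... };
# The closing "};" sits on its own line, and newlines inside shellScript strings
# are escaped as a literal backslash-n, so this terminator cannot fire inside a script.
OBJECT_RE = re.compile(
    r'(?P<id>[0-9A-Fa-f]{24})\s*(?:/\*[^*]*\*/)?\s*=\s*\{(?P<body>.*?)\n\s*\};', re.S)
ISA_RE = re.compile(r'isa\s*=\s*PBXShellScriptBuildPhase\s*;')
# Quoted string with backslash escapes (\" and \n are the common ones).
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
NAME_RE = re.compile(r'\bname\s*=\s*"?([^";]+?)"?\s*;')

# Heuristic indicators of a build step that executes something it should not.
INDICATORS = [
    ("downloads code", re.compile(r'\b(curl|wget)\b')),
    ("decodes a payload", re.compile(r'\bbase64\b.*(-d|--decode|-D)')),
    ("evaluates dynamic code", re.compile(r'\b(eval|osascript)\b')),
    ("runs a script from a hidden path", re.compile(r'(?:^|[\s"\'/])\.[\w-]+/')),
    ("silences its own output", re.compile(r'>\s*/dev/null')),
    ("strips quarantine or marks executable", re.compile(r'xattr\s+-d|chmod\s+\+x')),
]


def unescape_pbx(s: str) -> str:
    """Undo pbxproj string escaping: \\n and \\t become control characters, \\x becomes x."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)


def run_script_phases(pbxproj: str) -> list:
    """Return every PBXShellScriptBuildPhase object as {'id', 'name', 'script'}."""
    phases = []
    for obj in OBJECT_RE.finditer(pbxproj):
        body = obj.group('body')
        if not ISA_RE.search(body):
            continue
        script = SCRIPT_RE.search(body)
        name = NAME_RE.search(body)
        phases.append({
            'id': obj.group('id'),
            'name': name.group(1) if name else '(unnamed)',
            'script': unescape_pbx(script.group(1)) if script else '',
        })
    return phases


def suspicious_phases(pbxproj: str) -> list:
    """Phases whose script matches at least one indicator, with the matched labels attached."""
    findings = []
    for phase in run_script_phases(pbxproj):
        hits = [label for label, rx in INDICATORS if rx.search(phase['script'])]
        if hits:
            findings.append({**phase, 'indicators': hits})
    return findings


if __name__ == '__main__':
    import sys
    # Usage: python audit_pbxproj.py MyApp.xcodeproj/project.pbxproj
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for f in suspicious_phases(text):
        print(f"{f['id']} ({f['name']}): {', '.join(f['indicators'])}")
        print('    ' + f['script'].strip().replace('\n', '\n    '))
```

Run it against the project.pbxproj of any project you did not author before building it, and review every flagged phase by hand; a legitimate phase can trip an indicator (CocoaPods scripts write to /dev/null), but a script executed from a hidden directory with its output discarded deserves a look before `xcodebuild` runs it.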
Once installed, the malware targets Safari and other browsers on the Mac to harvest valuable user data. The researchers found it exploiting two zero-day vulnerabilities: a Data Vault weakness that lets it bypass the protection macOS's System Integrity Protection places on browser data, and a flaw in the development build of Safari (Safari for WebKit Development) that lets it run a fake Safari application in place of the legitimate one.
So far, the researchers have found the malware in only two Xcode projects, neither of which is believed to be widely used by other developers, which limits the damage.