XcodeSpy Malware

The XcodeSpy Malware

Threat actors have recently been using a new way of attacking Apple platform developers, security researchers report. According to the revealed information, attackers have been exploiting Xcode, (Apple’s macOS integrated development environment (IDE) used to build macOS, iOS, iPadOS, watchOS, and tvOS applications)  to target numerous Apple developers and researchers.

The trojanized Xcode project, has been nicknamed “XcodeSpy” and is imitating an edition of a legal open source project that is accessible in the GitHub, named TabBarInteraction. The latter is a popular project utilized by developers for the animation of iOS tab bars based on user interaction.

According to researchers, XcodeSpy incorporates an EggShell backdoor version on the macOS developer’s machine along with a mechanism for persistence that prevents its detection and removal.

Aside from that, XcodeSpy includes a falsified Run Script, which is run when the developer launches its build target. The role of this script is to contact a server that is managed by the intruder in order to find a custom EggShell backdoor version on the development machine.

The EggShell backdoor in turn gives the ability of the attacker to record details from the microphone, monitor the victim from the camera, and keep an eye on the keyboard keystrokes.

Security specialists explain that, in general, this method of exploiting the built-in feature of Apple’s IDE is very easy to detect, as long as you look for it. However, inexperienced and new developers who are not very familiar with the capabilities of the Run Script can be exposed to danger, more so since there is no indicator of maliciously executed scripts on the console and the debugger.

Two versions of the EggShell payload have been identified by researchers between August and October 2020. Further hints point to the use of this malicious campaign in the period between July and October 2020 by one unidentified US company. However, there is a high probability that other developers in Asia have been attacked.

This is not the first time Xcode executables have been used to incorporate malicious code into iOS apps without the knowledge of the developers. Previously detected threats like XCodeGhost have been known to do that and then allow the malicious actors to collect data from the devices that have downloaded and installed the infected apps from the App Store. XcodeSpy, in particular, seems to aim to strike developers themselves, but the end goal behind the exploitation is not yet apparent.