Security researchers are warning of a new piece of malware that specifically targets iOS developers. Known as XcodeSpy, the malware is a trojanized version of a legitimate app.
XcodeSpy: Trojanized Xcode Project Targeting iOS Developers
Sentinel Labs researchers recently became aware of a trojanized Xcode project targeting iOS developers. The project is a malicious version of a legitimate, open-source project available on GitHub, which enables iOS programmers to use several advanced features for animating the iOS Tab bar.
According to the Sentinel Labs report, XcodeSpy has been changed to execute an obfuscated Run Script once the developer’s build target is launched. The script’s purpose is to contact the attackers’ command-and-control server and drop a custom variant of the EggShell backdoor on the machine. To achieve persistence on the infected host, the malware installs a user Launch Agent. The malware can also record information from the microphone, camera, and keyboard.
“The XcodeSpy infection vector could be used by other threat actors, and all Apple Developers using Xcode are advised to exercise caution when adopting shared Xcode projects,” the researchers warned in their report.
Two variants of the payload discovered
The researchers discovered two variants of the backdoor payload, both containing a number of encrypted command-and-control URLs and encrypted strings for various file paths. “One encrypted string in particular is shared between the doctored Xcode project and the custom backdoors, linking them together as part of the same ‘XcodeSpy’ campaign,” Sentinel Labs said.
Furthermore, the XcodeSpy malware abuses a built-in feature of Apple’s IDE that allows developers to run a custom shell script as part of a build. The technique can be identified easily; however, inexperienced developers may not be aware of the Run Script feature, putting them at risk of executing the malicious script.
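As an added example (not code from the Sentinel Labs report or from the campaign itself), here is a defender-side check for the Run Script feature described above: it parses the PBXShellScriptBuildPhase entries in a shared project's project.pbxproj file and flags scripts that show obfuscation or persistence indicators before anyone builds the project. The project fragment and the indicator patterns are constructed for illustration and are not signatures from the report.

```python
import re

# Heuristic indicators of a risky Run Script phase (illustrative assumptions,
# not signatures taken from the XcodeSpy report).
SUSPICIOUS_PATTERNS = {
    "eval": r"\beval\b",
    "base64-decode": r"base64\s+(-D|-d|--decode)",
    "network-fetch": r"\b(curl|wget|nc)\b",
    "launch-agent": r"LaunchAgents|launchctl",
    "hidden-path": r"(\$HOME|~)/\.[A-Za-z]",
    "long-opaque-token": r"[A-Za-z0-9+/=]{80,}",
}

def _unescape(s: str) -> str:
    # pbxproj string values escape quotes, backslashes, newlines and tabs with a backslash.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s, flags=re.S)

def parse_run_script_phases(pbxproj: str) -> list:
    """Return every PBXShellScriptBuildPhase as a dict with its decoded script and indicator hits."""
    block_re = re.compile(r"(\w+)\s*(?:/\*[^*]*\*/)?\s*=\s*\{\s*isa = PBXShellScriptBuildPhase;(.*?)\};", re.S)
    phases = []
    for m in block_re.finditer(pbxproj):
        body = m.group(2)
        sp = re.search(r'shellPath = "?([^";]+)"?;', body)
        sc = re.search(r'shellScript = "((?:[^"\\]|\\.)*)";', body, re.S)
        script = _unescape(sc.group(1)) if sc else ""
        hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if re.search(pat, script)]
        phases.append({"id": m.group(1), "shell": sp.group(1).strip() if sp else "/bin/sh",
                       "script": script, "hits": hits})
    return phases

# Constructed project fragment: one ordinary phase and one that decodes and evals an opaque blob.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AB12C0DE0001 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo \"Copying assets\"\n";
		};
		AB12C0DE0002 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo OPAQUE_TOKEN | base64 -D)\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''.replace("OPAQUE_TOKEN", "QUJDREVG" * 12)  # placeholder blob, 96 base64-alphabet characters

if __name__ == "__main__":
    for ph in parse_run_script_phases(SAMPLE_PBXPROJ):
        print(f"{ph['id']} shell={ph['shell']} flags={ph['hits'] or 'none'}")
```

To scan a real project, read its project.pbxproj into a string and pass it to parse_run_script_phases; any phase with a non-empty hits list deserves a manual look before the target is built.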
At least one US organization has been targeted by these attacks. Apple developers in Asia may also be at risk.
Samples of the backdoors were uploaded to VirusTotal on August 5 and October 13 last year, while the XcodeSpy malware was first uploaded on September 4. Sentinel Labs, however, believes that the attackers may have uploaded the samples to test detection rates.
In 2019, the XcodeGhost malware was detected in the wild. It was also a modified version of a real development environment, designed to appear just like the real program without giving any sign that it was a dangerous strain.