A number of Xcode projects have been found to contain malware that could attack Safari and other browsers, security researchers have revealed, with the discovery of XCSSET malware making its way into Mac software projects through largely unknown means.
Researchers at Trend Micro discovered what the company described as “an unusual infection related to Xcode developer projects”, where malware would include it in the project itself. It was found that the malware has multiple possibilities for loadload, and although it is a potential risk for end users using software through Apple’s IDE, it actually seems to be a bigger problem for the developers themselves.
The malware, which is part of the XCSSET family, was found to include files suggesting that it could enable ‘command and control’ of a target system, namely that it would allow the attacker to attack the malware used to take control of the infected Mac. This allows a wide variety of actions to be performed on infected systems, including obtaining personal data and performing a ransomware-style attack that involves encryption.
The team suggests that the unusual nature of the malware comes from how it is distributed, namely that it is “injected into local Xcode projects, so that when the project is built, the malicious code is run.” It is unclear exactly how the code is currently being injected into the project.
For developers who rely on collaboration with others, Trend suggests that the threat becomes worse when considering projects shared through GitHub and other code repositories, as this can lead to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects. ”
After installing, the malware is able to attack Safari and other browsers on the Mac to obtain useful user data. Discovered zero-day vulnerabilities include an issue with Data Vault overriding macOS ‘System Integrity Protection feature, as well as in Safari for WebKit development that creates a fake Safari app that replaces the legitimate version rint.
So far, the malware has only been found in two Xcode projects in research so far, with the projects thought not to be widely used by other developers, thus severely limiting the impact. A list of 380 IP addresses for victims was compiled by malware authors, with the vast majority of infections consisting of Macs in China and India.
Trend Micro advises project owners to “continue to check with tears the integrity of their projects to nip unjustified issues such as a malware infection in the future.”
.