A recently discovered form of Mac malware is being used to target software developers who use Apple’s Xcode development environment for macOS.
According to researchers at SentinelOne, XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism.
“XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism,” SentinelOne researchers said.
Once installed, those behind the malware gain access to the targeted computer, including the ability to record the victim’s microphone, camera and keyboard as well as upload and download files.
XcodeSpy involves a trojanized Xcode project: a repository of files, resources and information used to build a software project with Xcode being used to design apps for iOS, macOS, iPadOS, watchOS and tvOS.
The malicious project that includes the XcodeSpy malware is described as a doctored version of a legitimate, open-source project on Github that offers iOS developers several advanced features for animating the iOS Tab Bar based on user interaction.
For now, as is usually the case with malware, Sentinel One is advising developers to be more careful with Xcode projects that they download, especially those that are shared.
“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” the researchers say. “Consequently, all Apple developers are cautioned to check for the presence of malicious Run scripts whenever adopting third-party Xcode projects.”