XCSSET: Mac malware infects Xcode projects | heise online

A new malware seems to target developers who work with Apple’s programming environment Xcode. A security company has discovered a malware classified as unusual that can nestle in Xcode projects: The malicious code is “injected” into local Xcode projects on the Mac and apparently executed as soon as the software is compiled.

She then tried to use two 0-day exploits to manipulate the browser used by the user – including specifically the developer version of Safari – and to access access data; she also wanted to read all cookies from Safari.

The malware embeds itself in Xcode projects in a hidden folder.

(Image: Trend Micro)

The malware named XCSSET can also take screenshots and read data from apps such as Notes, Evernote, Skype, Telegram and WeChat. Ransomware functions for encrypting files are also integrated and can be armed on the server, the security company Trend Micro outlines in its analysis.

More from Mac & i

More from Mac & i

It seems particularly problematic that the malware can spread over already infected Xcode projects if these are made available via Github. Several developers affected by the malware have been identified who have made their Xcode projects available to third parties via the online platform, writes the security company – the malware appears to be in the wild. The original source of the pest is still unknown. During the investigation of the attackers’ Command & Control server, a list of collected IP addresses of 380 victims was found, the majority of whom are China (152) and India (103).

Xcode developers should “triple check” the integrity of their projects to avoid infection, according to Trend Micro. The development with Xcode is increasing rapidly, so it is not surprising that attackers are targeting it. Apple claims to have over 20 million registered developers, and Xcode is used to write Mac and iOS software.


To home page

Leave a Reply

Your email address will not be published. Required fields are marked *

error: Content is protected !!