Cybercriminals use malicious Xcode project to target Mac developers

Security researchers found a trojan horse hidden in an Xcode project on GitHub.
Graphic: Ed Hardy/Cult of Mac

Turns out you can’t trust everything you find on GitHub. Security researchers found an Xcode project that had been modified to install a back door into the user’s Mac.

Xcode is the tool developers use to create software for all Apple computers, including Macs and iPhones. And many devs turn to open-source code found on GitHub to save themselves from having to reinvent the wheel, metaphorically speaking.

Turns out there are risks of doing that. SentinelLabs was tipped to an Xcode project that had been turned into a trojan horse and posted on GitHub. Some cybercriminal had taken a real open-source project and modified it for their own nefarious purpose then submitted it to this code repository.

The malware installs a custom version of the EggShell backdoor on the developer’s Mac. That gives the hacker access to the computer’s camera, keystrokes and microphone. To be clear, the malware could not install the back door into applications written by the developer.

Number of malware Xcode projects is unknown

SentinelLabs was only able to find one Xcode project on GitHub that had been made into a trojan horse. “However, the timeline from known samples and other indicators suggest that other XcodeSpy projects may exist,” warns Phil Stokes from SentinelLabs. “By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.”

The researchers provide more details about the malware on the SentinelOne website.

It’s not surprising that something like this would be created in 202o. Last year saw a truly dramatic rise in macOS malware.