iOS developer Macs are facing significant attacks

News
By published

New malicious Xcode project installs the EggShell backdoor on developers' Macs

Glasses in front of computer screen
(Image credit: Kevin Ku / Pexels)

Researchers from the cybersecurity firm SentinelOne have discovered a trojanized code library that is being used in the wild to try and install surveillance malware on to the Macs of developers creating apps for iOS.

As reported by Ars Technica, the campaign exploits Apple's Xcode developer tool for iOS and macOS and the attacker responsible created a malicious project using the tool in order to spread malware. However, the project itself was a copy of a legitimate open source project called TabBarInteraction that helps developers animate tab bars in iOS. 

The fake version of TabBarInteraction also included an obfuscated script called a “Run Script” which is executed whenever a developer build is launched. This script contacts a server controlled by the attacker to download and install a custom version of the open source backdoor EggShell which is used to spy on users through their microphone, camera and keyboard.

XcodeSpy

The researchers at SentinelLabs have given the trojanized project the name XcodeSpy as it exploits Apple's Xcode to make it possible for an attacker to spy on other Mac users.

Two variants of the customized EggShell backdoor dropped by the trojanized project have been discovered so far and both were uploaded to VirusTotal for further investigation. The first sample was uploaded in August of last year while the second one was uploaded in October.

In a new blog post detailing the firm's discovery, threat researcher at SentinelOne, Phil Stokes explained that there could be other XcodeSpy projects out there, saying:

“We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggest that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.”

To avoid falling victim to XcodeSpy, developers should exercise caution when downloading and installing new open source projects.

Via Ars Technica

TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
Ransomware
Microsoft spies a new and worrying macOS malware strain
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
This devious macOS malware is evading capture by using Apple's own encryption
North Korean flag with a hooded hacker
North Korean hackers are posing as software development recruiters to target freelancers
A person in a wheelchair working at a computer.
Why betting on Mac security could put your organization at risk
Android phone malware
Screen reading malware found in iOS app stores for first time - and it might steal your cryptocurrency
Latest in Security
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Latest in News
Disney Plus logo with popcorn
You can finally tell Disney+ to stop bugging you about that terrible Marvel show you regret starting
Girl wearing Meta Quest 3 headset interacting with a jungle playset
Latest Meta Quest 3 software beta teases a major design overhaul and VR screen sharing – and I need these updates now
Philips Hue
Philips Hue might be working on a video doorbell, and according to a new report, we just got our first look at it
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
A fresh Samsung Galaxy S25 Edge leak hints at a 2K display and a titanium frame
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited
More about security
An abstract image of digital security.

Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft

"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
iFi iDSD Valkyrie in gold, on a beige desk

iFi's iDSD Valkyrie DAC wants to guide your music to the great hall of Valhalla

See more latest
Most Popular
iFi iDSD Valkyrie in gold, on a beige desk
iFi's iDSD Valkyrie DAC wants to guide your music to the great hall of Valhalla
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
A fresh Samsung Galaxy S25 Edge leak hints at a 2K display and a titanium frame
Philips Hue
Philips Hue might be working on a video doorbell, and according to a new report, we just got our first look at it
SDUNITED AX835-025FF mini PC
This mini PC with the incredible Strix Halo APU is yet another sign AMD may have given up on big brands for bleeding edge tech
Disney Plus logo with popcorn
You can finally tell Disney+ to stop bugging you about that terrible Marvel show you regret starting
Girl wearing Meta Quest 3 headset interacting with a jungle playset
Latest Meta Quest 3 software beta teases a major design overhaul and VR screen sharing – and I need these updates now
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited
Dell Pro Max with GB300
HP and Dell's latest Nvidia powered PCs are likely to be some of the most expensive workstations ever launched
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns