Researchers at Trend Micro discovered various Xcode projects that contain malware that can attack and takeover Safari and other browsers.
According to Apple Insider, Xcode is the integrated development environment (IDE) used for app and software production on Mac. It is primarily used for the development of apps within a wide range of operating systems like iOS, macOS, iPadOS, watchOS, and tvOS. The IDE is free to download by developers and used in creating apps for iPhone and iPad as well as Mac programs.
Xcode can also be used for writing source code in various languages for other projects. Moreover, it allows developers to compile apps that can be used on different devices and operating systems.
The malware found by Trend Micro security team was under the XCSSET family, which merges files and appears to take over the target system by enabling a "command and control" over the infected Mac. This would allow the attacker to access infected systems and perform various actions. This may involve obtaining personal information, encryption, and executing ransomware.
This is "an unusual infection" where the malware incorporates itself into Xcode developer projects. Aside from potentially compromising user's data, the malware has bigger risks on developers as it could have multiple payload possibilities. Once installed on the system, the malware attacks Safari and other browsers to acquire useful user data on the Mac.
According to their study, the malware's distribution process is unique as it is being "injected into local Xcode projects," so the malicious code will run when the project is built. However, researchers still have not confirmed how the code is being injected into Xcode projects.
Currently, the team suggests that the malware has severely limited impact as it has only been found in two Xcode projects, which are not widely used by other developers. These include the Safari for WebKit Development that creates a fake Safari app that runs instead of the legitimate version as well as the Data Vault, which bypasses macOS' System Integrity Protection feature. The malware authors allegedly have collected 380 victim IP addresses, mostly from Macs in China and India.
What can we do?
Researchers from Trend Micro suggest that project developers must continuously check their projects' integrity to avoid malware infection and other unwarranted problems in the future.
For developers who rely on collaborating with others, Trend Micro suggests the threat is worse when taking into account projects being shared via GitHub and other code repositories, as this could lead to "a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects."
The Xcode IDE
Xcode was launched in 2003 for Mac OS X 10.3 Panther. It is based on an IDE called Project Builder, which is created by NeXT for the NeXTSTEP OS. It was given a new user interface to make it more applicable to Mac software development.
Aside from writing codes and designing the user interface, Xcode is also used to submit the developed app to the App Store. Xcode is currently on version 11.3 and is available to download for free from the Mac App Store for all macOS users. However, it would require an Apple Developer Program subscription, which costs $99 per year.