XcodeSpy malware targets developers using Apple’s Xcode software

A recently discovered form of Mac malware is being used to target software developers who use Apple Inc.’s Xcode development environment for macOS.

Detailed today by researchers at SentinelOne, XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism. Once installed, those behind the malware gain access to the targeted computer, including the ability to record the victim’s microphone, camera and keyboard as well as upload and download files.

XcodeSpy involves a trojanized Xcode project. An Xcode project is a repository of files, resources and information used to build a software project in Xcode, Apple’s environment for developing apps for iOS, macOS, iPadOS, watchOS and tvOS. The malicious project that carries the XcodeSpy malware is described as a doctored version of a legitimate, open-source project on GitHub that offers iOS developers several advanced features for animating the iOS Tab Bar based on user interaction.
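Because an Xcode project can carry Run Script build phases that execute whenever the project is built, a defender’s first check on an untrusted project is to read every `shellScript` in its `project.pbxproj` before building it. The following auditor is an added example, not code from the article or from SentinelOne, and it does not claim to reproduce XcodeSpy’s exact mechanism; the indicator list and the sample project fragment are constructed for illustration.

```python
"""Audit an Xcode project.pbxproj for suspicious Run Script build phases."""
import re

# Heuristic indicators worth reading before building a third-party project;
# constructed for this example, not a vetted signature set.
SUSPICIOUS = ("eval", "base64", "curl ", "wget ", "osascript", "nohup",
              "/tmp/", "chmod +x", "LaunchAgents", "crontab")

# One PBXShellScriptBuildPhase object: from its 'isa' line to the closing '};'
PHASE_RE = re.compile(r"isa = PBXShellScriptBuildPhase;(.*?)\n\s*\};", re.S)
# The quoted shellScript value; pbxproj escapes \" \\ \n \t inside it
SCRIPT_RE = re.compile(r'shellScript = "((?:\\.|[^"\\])*)";')
_ESC = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}

def decode_pbx_string(s):
    """Undo pbxproj string escaping so the script reads as it will execute."""
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), s)

def find_run_scripts(pbxproj_text):
    """Return the decoded script body of every Run Script build phase."""
    scripts = []
    for phase in PHASE_RE.finditer(pbxproj_text):
        m = SCRIPT_RE.search(phase.group(1))
        if m:
            scripts.append(decode_pbx_string(m.group(1)))
    return scripts

def audit(pbxproj_text):
    """Return (script, indicators hit) for each phase that trips an indicator."""
    findings = []
    for script in find_run_scripts(pbxproj_text):
        hits = [kw for kw in SUSPICIOUS if kw in script]
        if hits:
            findings.append((script, hits))
    return findings

# Constructed project.pbxproj fragment: one benign phase, one obfuscated phase
# (the encoded payload is only a placeholder variable).
SAMPLE_PBXPROJ = r'''/* Begin PBXShellScriptBuildPhase section */
        AB12 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellScript = "echo \"build $(date)\"\n";
        };
        CD34 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellScript = "eval \"$(echo $PAYLOAD | base64 -D)\" &\n";
        };'''

for script, hits in audit(SAMPLE_PBXPROJ):
    print("SUSPICIOUS build phase (%s): %r" % (", ".join(hits), script))
```

To check a real project, pass the contents of `Name.xcodeproj/project.pbxproj` to `audit()` and read any flagged script in full rather than trusting the indicator match alone.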

The infection vector, however, is not clear. The SentinelOne researchers found a victim in the U.S. who reported being repeatedly targeted by North Korea. Two uploaded samples of XcodeSpy were also found on VirusTotal, both uploaded via a web interface in Japan, in August and October.

Possible distribution paths could include fake promotion on git repositories, although given the apparently targeted nature of the few known victims, the path to infection may have been through social engineering or phishing attacks.

“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” the researchers said.

This is not the first time developers using Xcode have been targeted. Back in 2015, a malicious program dubbed XcodeGhost appeared in Apple’s App Store. The code, a repackaged version of Xcode itself, was downloaded multiple times and resulted in third-party apps also being infected, as developers were tricked into using the XcodeGhost version…