Trend Micro has identified an insidious new form of Mac malware that is propagated by injecting itself into Xcode projects before they are compiled as apps.
So good they tried it twice
We’ve seen a similar attack before. The so-called “XCode Ghost” was a malware-infested version of Apple’s developer environment that was distributed outside of Apple’s channels. Apps built using the software were preinstalled with malware.
While security researchers were rightly concerned about XCode Ghost, the problem was quickly curtailed as Apple used the moment to stress the need to download critical files only from bona fide App Stores. It is much easier to subvert systems via poorly secured third-party app stores, and security is part of what we pay for when we purchase an app.
All the same, that particular incident served as a good illustration of the extent to which bad actors will go in order to subvert systems.
In this case, they worked to create an alternative environment in which the actual damage was caused quite some time later as apps were released.
The latest challenge, which Trend Micro says is part of the XCSSET “family,” is similar, in that it works to infect apps before they are created, with malicious code hidden inside the apps that eventually appear.
Developers: Secure your GitHub assets
Trend Micro warns that it has identified developers affected by this malware who are sharing their projects through GitHub, which suggests early proliferation via a supply chain attack. Essentially, malware miscreants attempt to infect files stored on GitHub.
Developers themselves may not be aware of this problem, as it doesn’t show until applications are built and distributed.
Affected users will see web browser security compromised, with cookies read and shared and backdoors created in JavaScript that malware authors may then be able to exploit, Trend Micro said. Data from other apps may also be at risk of exfiltration.
“The method of distribution used can only be described as clever. Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files,” TrendMicro writes.
What to do
Apple is aware of this new problem and is warning all users not to download applications from unknown entities or App Stores and is thought to be taking steps to address the threat in a future security update. Developers, meanwhile, should ensure they secure their GitHub repositories and double-check their assets there.
Mac users should only download items from approved sources and may want to consider installing and running the latest security protection software to help verify existing system security. The rapidly growing number of Mac-using enterprises should encourage their users to double-check their own system security while ensuring internally developed code is safe against this unusual new infection.
It’s important not to overreact, however. At present, this is not a scourge, but a relatively small threat. It is, however, one that reflects current security trends as malware makers get smarter in their attempt.