Trend Micro has identified an insidious new form of Mac malware that is propagated by injecting itself into Xcode projects before they are compiled as apps.
So good they tried it twice
We’ve seen a similar attack before. The so-called “XCode Ghost” was a malware-infested version of Apple’s developer environment that was distributed outside of Apple’s channels. Apps built using the software were preinstalled with malware.
While security researchers were rightly concerned about XCode Ghost, the problem was quickly curtailed as Apple used the moment to stress the need to download critical files only from bona fide App Stores. It is much easier to subvert systems via poorly secured third-party app stores, and security is part of what we pay for when we purchase an app.
All the same, that particular incident served as a good illustration of the extent to which bad actors will go in order to subvert systems.
In this case, they worked to create an alternative environment in which the actual damage was caused quite some time later as apps were released.
[Also read: 12 security tips for the ‘work from home’ enterprise]
The latest challenge, which Trend Micro says is part of the XCSSET “family,” is similar, in that it works to infect apps before they are created, with malicious code hidden inside the apps that eventually appear.
Developers: Secure your GitHub assets
Trend Micro warns that it has identified developers affected by this malware who are sharing their projects through GitHub, which suggests early proliferation via a supply chain attack. Essentially, malware miscreants attempt to infect files stored on GitHub.
Developers themselves may not be aware of this problem, as it doesn’t show until applications are built and distributed.
Affected users will see web browser security compromised, with cookies read and shared and backdoors created in JavaScript that malware authors may then be able to exploit, Trend Micro said. Data from other apps may also be at risk of exfiltration.
“The method of distribution used can only be described as clever. Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files,” TrendMicro writes.
What to do
Apple is aware of this new problem and is warning all users not to download applications from unknown entities or App Stores and is thought to be taking steps to address the threat in a future security update. Developers, meanwhile, should ensure they secure their GitHub repositories and double-check their assets there.
Mac users should only download items from approved sources and may want to consider installing and running the latest security protection software to help verify existing system security. The rapidly growing number of Mac-using enterprises should encourage their users to double-check their own system security while ensuring internally developed code is safe against this unusual new infection.
It’s important not to overreact, however. At present, this is not a scourge, but a relatively small threat. It is, however, one that reflects current security trends as malware makers get smarter in their attempt.
When security went pro, hackers grew sophisticated
Ever since the pandemic lockdown began, enterprise security chiefs have been addressing increasingly complex attacks. These have included highly targeted phishing attacks in which attackers attempt to exfiltrate pieces of information from chosen targets in order to generate enough data from which to undermine enterprise security architectures.
Trend Micro warns: “Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse.”
Attackers don’t do this for no reason, of course. With Apple’s platforms seen as hard to undermine and highly secure, attackers have moved to target other components of the platform experience, in this case, developers. The idea is that if you can’t infect an edge device easily, why not make the users of those devices willingly install subverted software.
Naturally, the existence of such threats should also serve as tangible proof of the huge risk that exists when technology firms are forced to install “back doors” into their systems, as those doors become security weaknesses that can more easily be exploited.
It’s a good time to review Apple’s security white papers and this (older, but still useful) Mac security guide.
Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
