SecureMac, Inc.

XcodeSpy Mac Malware Targets Developers

March 25, 2021

XcodeSpy is macOS malware that can install a persistent backdoor on a Mac. In this article, we’ll explain what it is, how it works, and how you can detect it!


Security researchers have uncovered a sneaky new piece of macOS malware that targets software developers. Called XcodeSpy, the malware spreads via malicious Xcode projects. 

In this article, we take a closer look at XcodeSpy, and we’ll tell you how to check your Mac for signs of infection.

What is Xcode?

To understand what XcodeSpy is, and how it spreads, it’s helpful to understand a bit about what Xcode is, and about how software developers work.

Xcode is a type of programming application known as an integrated development environment (IDE). An IDE is basically an all-in-one toolbox for software developers. It will typically contain a code editor, debugging tools, automation facilities, and other capabilities to help developers work more efficiently. 

Xcode is the IDE for Apple app development. It runs on macOS and can be used to develop apps for macOS, iOS, and the other Apple OSes. When a developer is working on a piece of software in Xcode, they keep all of the files, resources, and data for their app in a repository called an Xcode “project”.

What does Xcode have to do with malware?

App development tends to be a collaborative effort. For this reason, it’s possible for devs to use other people’s publicly available Xcode projects to enhance their own work. Such projects can be shared in various ways, but they’re often made accessible through a code repository platform like GitHub.

Unfortunately, shared code can also be an effective way of spreading malware. We already saw the dangers of infected Xcode projects in last year’s XCSSET malware. XcodeSpy, it seems, is yet another example of this phenomenon.

What is XcodeSpy?

XcodeSpy is, essentially, a trojanized Xcode project.

It’s based on an actual (and completely legitimate) Xcode project called “TabBarInteraction”, which can be used to add animation to the tab bar for an iOS app.

XcodeSpy is an altered version of this Xcode project that contains malicious code. Presumably, it would affect an iOS developer looking to add some interactive features to their iOS app. Such a developer would be looking for TabBarInteraction. But instead of getting the real thing, they’d run into the trojanized version and download it instead, thus incorporating XcodeSpy into their own Xcode project.  

How does XcodeSpy work?

Xcode has a feature that allows developers to execute a bit of code when they launch an application that they’re working on. XcodeSpy abuses this feature, using it to run a malicious piece of code that contacts a remote server and downloads the EggShell backdoor. EggShell is a known macOS backdoor that has appeared in other Mac malware variants in the past.

Once installed, the bad actors can use EggShell to spy on an infected Mac. They can also, in theory, use the backdoor to download additional malicious components onto the system. By default, EggShell is equipped with a range of spyware capabilities, including the ability to take screenshots, capture audio and video on an infected computer, upload and download files, and more. According to the security researchers at SentinelOne who discovered XcodeSpy, the EggShell variant dropped by XcodeSpy also includes custom keylogging and data encoding capabilities.

Clearing up misconceptions about XcodeSpy

XcodeSpy has been making headlines, but there has been some confusion about how the malware actually works, and about the nature of the threat that it poses.

Some reports have stated that developers will see a system warning when they run the infected Xcode project. This is incorrect, says Phil Stokes, one of the researchers who discovered and analyzed XcodeSpy:

The warning comes only one time: when you first download the project and open it in Xcode. At this point, the malicious shell script hasn’t even run — and when it does, there will be no warning.

Other sources have been calling XcodeSpy a supply chain attack. But this isn’t quite accurate. According to Stokes, XcodeSpy could be considered a “first step” in a supply chain attack, but it’s unclear at this stage exactly what objectives the threat actors behind XcodeSpy have in mind. Last year’s SolarWinds hack, by contrast, is an excellent (and dramatic) example of a genuine supply chain attack.

Do I need to worry about XcodeSpy?

For most everyday Mac users, the answer is probably no. Unless you share a Mac with someone who does software development, or are yourself an app developer, XcodeSpy is unlikely to affect you.

However, as we will see, XcodeSpy does have some wider implications for all Mac users, and signals some worrying things about the overall state of the macOS threat landscape. First, though, we’ll take a look at how to detect XcodeSpy on a Mac if you want to be sure you haven’t been infected …

How to check your Mac for XcodeSpy

At the moment, there are two basic ways to check a Mac for the presence of XcodeSpy. 

If you’re comfortable using the command line, SentinelOne has provided a way to do a manual search for signs of trojanized XcodeSpy projects on your computer. To do this, you would first launch Terminal and navigate to the folder where you keep your Xcode projects. Then you would run the following search:

find . -name "project.pbxproj" -print0 | xargs -0 awk '/shellScript/ && /eval/{print "\033[37m" $0 "\033[31m" FILENAME}'

The search prints every project.pbxproj line that contains both (a) the kind of executable code XcodeSpy relies on (a "shellScript" entry, which is how Xcode stores a build-phase script) and (b) a text string known to appear in the malware's code ("eval"), followed by the name of the file it was found in. Inspect any files returned by this search carefully for signs of malicious code.
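The same check in Python, added here as an example that is not part of the article or SentinelOne's tooling: it walks a projects folder, pulls each Run Script body out of project.pbxproj (undoing the \n and \" escapes that keep the awk one-liner to single lines) and reports scripts containing "eval", the indicator from the page, plus "base64" and "curl" as assumed extra indicators. The two pbxproj fragments are constructed samples.

```python
import os
import re
import tempfile

# Xcode stores a Run Script build phase in project.pbxproj as a
# PBXShellScriptBuildPhase whose "shellScript" value is a double-quoted
# string using \n and \" escapes; XcodeSpy's script is wrapped in eval.
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')

# "eval" is the indicator from the page; "base64" and "curl" are assumed
# extras that often accompany an obfuscated payload fetch in a build script.
SUSPICIOUS = ("eval", "base64", "curl")

# Constructed sample fragments, not taken from any real project.
BENIGN = 'shellScript = "\\"${PODS_ROOT}/SwiftLint/swiftlint\\"\\n";'
TROJANIZED = 'shellScript = "eval \\"$(echo aGVsbG8= | base64 -d)\\"\\n";'

def extract_shell_scripts(pbxproj_text: str) -> list[str]:
    """Return every Run Script body in a project.pbxproj with escapes undone."""
    unescape = lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1))
    return [re.sub(r"\\(.)", unescape, m.group(1))
            for m in SHELL_SCRIPT_RE.finditer(pbxproj_text)]

def suspicious_scripts(pbxproj_text: str) -> list[tuple[str, list[str]]]:
    """Pair each Run Script body with the indicators it contains; clean ones are dropped."""
    findings = []
    for script in extract_shell_scripts(pbxproj_text):
        hits = [kw for kw in SUSPICIOUS if kw in script]
        if hits:
            findings.append((script, hits))
    return findings

def scan_tree(root: str) -> dict[str, list[tuple[str, list[str]]]]:
    """Walk a projects folder, as the find command does, and report per pbxproj file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if "project.pbxproj" in files:
            path = os.path.join(dirpath, "project.pbxproj")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_scripts(fh.read())
            if hits:
                report[path] = hits
    return report

def demo() -> dict[str, list[tuple[str, list[str]]]]:
    """Write the two constructed samples into a temp folder and scan it."""
    root = tempfile.mkdtemp()
    for name, text in (("Clean.xcodeproj", BENIGN), ("Trojan.xcodeproj", TROJANIZED)):
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "project.pbxproj"), "w") as fh:
            fh.write(text)
    return scan_tree(root)
```

Point scan_tree at the folder where you keep your Xcode projects; a hit only means the script deserves a manual read, since legitimate build scripts can also use these commands.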

The other option is to use a malware detection and removal tool like MacScan 3. This may be a better choice for users who aren't comfortable performing a manual search or interpreting the results. MacScan 3 now has definitions for both XcodeSpy and its second-stage EggShell backdoor payload (detected as XCodeSpy.A and EggShell.A, respectively).

What XcodeSpy means for Mac users

If you’re not an app developer, you may feel that XcodeSpy has little relevance to you. In one sense, that’s true: It’s definitely malware that targets developers, not everyday Mac users.

But XcodeSpy also shows how threat actors are continuing to up their game, and to develop new tactics for attacking Apple platforms. In that sense, this new malware is part of a general trend that affects all Mac users. In just the past year, we’ve seen:

There is every reason to think that this trend will continue. As Macs grow ever more prevalent — especially in the enterprise — they will be an increasingly lucrative target for malicious actors. As Stokes puts it:

We know from the threats that we see that bad actors are making a lot of money from macOS infections. And where there’s money to be made, you’ll see increased attempts to make that money.

Learning more …

To learn more about the ever-changing Mac malware threat landscape, and about how malware analysts do their work, check out the following resources: 
