Trend Micro has identified a surreptitious new form of macOS malware that is generated by injecting itself into Xcode projects before they are compiled as apps. Trend Micro’s research discovered the malware called “a rabbit hole of malicious payloads” in a blog post last week.
The malware, which is part of the XCSSET family, is “an unusual infection” that is injected into Xcode projects. When the project is built, the malicious code is run. This poses a significant risk to the personal data of macOS users.
Mac’s Malicious Malware
If users run the infected apps, the malware may direct them to dangerous websites, change the addresses on their cryptocurrency wallets, take screenshots of what they were looking at or steal their credit cards. The malware also replaces Safari with a malicious version of Apple’s browser, infects all other major browsers, steals Google, Apple ID, and PayPal usernames and passwords, steal data from Skype, Telegram, Evernote and WeChat, and may even install ransomware on the user’s device.
Shatkivskyi and Felenuik, researchers who discovered the malware, believe that the Mac App Store review team will largely be unable to identify apps that contain the XCSSET malware. Shatkivskyi said,
“As an iOS developer I know how easy it is to fool them and release an app with hidden features.”
Shatkivskyi and Felenuik did not have access to a Mac Developer Transition Kit with Apple Silicon for testing, but they believe “there is no doubt that the malware will work” on Macs running Apple Silicon as well. Despite the severity of the XCSSET malware, the researches affirm that macOS is a safe operating system and they are optimistic about the future of battling the malware;
“Apple have some work to do, but still macOS is the most secure platform available. I am delighted by how Apple stands for privacy. However, I am sure that malware development will get almost impossible in the future. But it has nothing to do with the Mac transition to Apple silicon.”
Additionally, the researchers caution Mac users to be alert for unusual activity with permission alerts. Any repeated or unusual notifications asking for permissions on macOS may be an indication of infection on their device. Trend Micro encourages users to consider multilayered security solutions. Shatkivskyi said:
“In order to stay safe, you have to be somewhat paranoid. Don’t allow any app to record your screen. Also, pay attention to what is running on your Mac. I never use any pirated software due to its insecurity, I use only licensed ones,”
The pair first contacted Apple about the issue as early as December 2019, and they hope that Apple will be swift in resolving the vulnerability. They suggest that Apple could implement privacy notifications to alert users when the malware is active on their systems, as an effort to alert users of a potential breach.