According to researchers at SentinelOne, threat actors are using Xcode as an attack vector to compromise developers' systems on the Apple platform with a backdoor. These attacks add to a growing trend of targeting developers through the popular development environment.
The Trojanized Xcode project, dubbed "XcodeSpy", is a tainted version of the open-source project TabBarInteraction, which Apple developers use to animate iOS tab bars based on user interaction.
Previously, attackers used a tainted Xcode executable called XcodeGhost to inject malicious code into iOS apps compiled with the infected Xcode, without the developers' knowledge, and then used those infected apps to collect users' data once the apps were downloaded and installed from the App Store.
How are threat actors infecting Apple app developers with XcodeSpy?
XcodeSpy is a tainted version of the legitimate, open-source TabBarInteraction project available on GitHub, which developers use to animate iOS tab bars.
It also contains an obfuscated Run Script that executes when the target developer's build is launched; the script then attempts to contact an attacker-controlled server to retrieve a custom variant of the EggShell backdoor and install it on the developer's machine.
The backdoor has capabilities such as recording through the victim's microphone, camera, and keyboard. XcodeSpy may have been aimed at a group of developers, or even a single developer, but attackers could also simply be trawling for targets to gather data for future attacks.
How developers can detect XcodeSpy infiltration
XcodeSpy relies on a built-in feature of Apple's IDE that lets developers run custom shell scripts when launching their application. The technique is easy to identify, but new or inexperienced developers who are unaware of the Run Script feature are particularly at risk, since the debugger gives no indication that the malicious script has executed.
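As an added example, not code from the SentinelOne report or this article: a small Python scanner that pulls every Run Script build phase out of a project's project.pbxproj and flags the traits the article describes (an obfuscated script body, a call-out to a remote host). The indicator patterns and the embedded project fragment are constructed assumptions, so tune them to your own projects.

```python
import re

# Constructed project.pbxproj fragment (not from the page): one ordinary Run Script
# phase and one obfuscated phase of the kind described; the base64 decodes to "echo hello".
SAMPLE_PBXPROJ = r'''
		A1 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "# Type a script or program here.\necho \"build done\"\n";
		};
		A2 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo ZWNobyBoZWxsbwo= | base64 --decode)\" 2>/dev/null &\n";
		};
'''

# Assumed heuristics for an obfuscated or networked Run Script; adjust to your environment.
SUSPICIOUS = [
    ("base64 decode", re.compile(r"base64\s+(-d|-D|--decode)")),
    ("eval of dynamic content", re.compile(r"\beval\b")),
    ("network or scripting tool", re.compile(r"\b(curl|wget|nc|osascript)\b")),
    ("long opaque token", re.compile(r"[A-Za-z0-9+/=]{60,}")),
    ("output silenced", re.compile(r"2>/dev/null|>\s*/dev/null")),
]

# shellScript values are quoted pbxproj strings with backslash escapes.
_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"')


def unescape_pbx(value: str) -> str:
    """Turn pbxproj string escapes (\\n, \\t, \\", \\\\) into plain text."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), value)


def extract_run_scripts(pbxproj: str) -> list[str]:
    """Return the decoded body of every shellScript value in the project file."""
    return [unescape_pbx(m.group(1)) for m in _SCRIPT_RE.finditer(pbxproj)]


def audit_run_scripts(pbxproj: str) -> list[dict]:
    """Flag each Run Script matching any heuristic; a clean project returns []."""
    findings = []
    for index, script in enumerate(extract_run_scripts(pbxproj)):
        hits = [label for label, pattern in SUSPICIOUS if pattern.search(script)]
        if hits:
            findings.append({"phase": index, "indicators": hits, "script": script})
    return findings


if __name__ == "__main__":
    for finding in audit_run_scripts(SAMPLE_PBXPROJ):
        print(f"Run Script phase {finding['phase']}: {', '.join(finding['indicators'])}")
        print("  " + finding["script"].strip().replace("\n", "\n  "))
```

Run it against `YourApp.xcodeproj/project.pbxproj` before opening or building a project pulled from a third-party repository; any flagged phase is worth reading in full in Xcode's Build Phases tab.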
However, the objective behind the Xcode exploitation, and even the identity of the group behind it, remains unclear.