
iOS app developers targeted with trojanized Xcode project
2021-03-19 14:41

"We recently became aware of a trojanized Xcode project in the wild targeting iOS developers thanks to a tip from an anonymous researcher. The malicious project is a doctored version of a legitimate, open-source project available on GitHub," SentinelOne researchers have warned.

The trojanized Xcode project in question is TabBarInteraction, which offers iOS developers features for animating the iOS Tab Bar based on user interaction - though the researchers have been quick to note that the code in the GitHub project is currently clean, and that the developer is not implicated in any way in the malware operation.

The trojanized version of the project - dubbed XcodeSpy by the researchers - executes an obfuscated Run Script when the developer's build target is launched.

It is unknown whether the attacker targeted just one specific developer or many, but the researchers say that they believe other XcodeSpy projects may exist, so they provided IoCs, urged all Apple app developers to check for the presence of malicious Run Scripts whenever adopting third-party Xcode projects, and explained how to do it.
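As an added example, not taken from the article or the researchers' report: a POSIX shell script that pulls every Run Script build phase out of a project.pbxproj so the scripts can be read before a third-party Xcode project is built. The suspicious-pattern list and the sample project fragment are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Review the Run Script build phases of an Xcode project before building it.
# Xcode stores each phase in project.pbxproj as a PBXShellScriptBuildPhase
# object whose "shellScript" key holds the script with newlines escaped as \n.

# Print the shellScript value of every PBXShellScriptBuildPhase in the
# project.pbxproj given as $1, one phase per line.
list_run_scripts() {
    awk '
        /isa = PBXShellScriptBuildPhase;/ { inphase = 1 }
        inphase && /^[[:space:]]*shellScript = "/ {
            sub(/^[[:space:]]*shellScript = "/, "")
            sub(/";[[:space:]]*$/, "")
            print
            inphase = 0
        }
    ' "$1"
}

# Number of Run Script phases in the project.
count_run_scripts() {
    list_run_scripts "$1" | wc -l | tr -d ' '
}

# Phases that decode or eval something at build time are the ones to read
# first. The pattern list is an assumed heuristic, not one the researchers
# published, and legitimate scripts can match it.
suspicious_run_scripts() {
    list_run_scripts "$1" | grep -E 'eval|base64|openssl|nohup|xxd' || true
}

# Constructed sample project.pbxproj fragment: one ordinary lint phase and
# one phase that pipes a decoded blob into a shell.
make_sample_pbxproj() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
		AA01 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "swiftlint --strict\n";
		};
		AA02 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "echo CONSTRUCTED_PLACEHOLDER | base64 --decode | sh\n";
		};
EOF
    printf '%s\n' "$f"
}
sample=$(make_sample_pbxproj)
echo "Run Script phases found: $(count_run_scripts "$sample")"
suspicious_run_scripts "$sample"
```

Run it against a real checkout with `list_run_scripts path/to/App.xcodeproj/project.pbxproj` and read every line it prints before opening the project in Xcode.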

"While XcodeSpy appears to be directly targeted at the developers themselves rather than developers' products or clients, it's a short step from backdooring a developer's working environment to delivering malware to users of that developer's software," they added.

Threat actors have targeted software developers in the past: in 2015, Palo Alto Networks researchers discovered maliciously modified versions of the Xcode framework that they dubbed XcodeGhost, which were used to trojanize a huge number of iOS apps, and in early 2021, the Google Threat Analysis Group shed light on a campaign aimed at backdooring the computer systems of a number of security researchers and developers via a Visual Studio project designed to load a malicious DLL.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/ch-P2ToOHcI/