Researchers have reported finding a Trojanized code library in the wild that attempts to install sophisticated surveillance malware on iOS developers’ Macs.
The attack was delivered as a malicious project for Xcode, the developer tool Apple makes freely available to anyone writing apps for iOS or any other Apple operating system. The project was a clone of TabBarInteraction, a legitimate open source project that animates iOS tab bars in response to user interaction. An Xcode project is a directory holding all the scripts, tools and information an application needs in order to be built.
An obfuscated script, known as a “Run Script,” sat alongside the legitimate code. Once the developer started a build, the script ran, contacted an attacker-controlled server, and downloaded and installed a custom version of EggShell, an open source backdoor that spies on users through their microphone, camera and keyboard.
Experienced developers have long known to check a third-party Xcode project for malicious Run Scripts before building it. XcodeSpy made that check harder by obfuscating (encoding) the Run Script, so that it was not obvious when inspecting the project’s files.
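The check described above can be automated. The following is an added example, not code from the article or from any of the projects it mentions: it extracts every Run Script build phase from an Xcode project's `project.pbxproj` file and flags scripts that show common signs of obfuscation or of fetching content at build time. The `project.pbxproj` fragment embedded below is constructed for the example (the phase IDs, names and the encoded `echo` are made up), and the indicator list is an assumption about what a reviewer would want to see surfaced, not a list of what XcodeSpy actually contained.

```python
"""Audit the Run Script build phases of an Xcode project before building it.

Xcode stores build phases in project.pbxproj; a Run Script phase is a
PBXShellScriptBuildPhase object whose shellScript value is a quoted,
escaped string. This example pulls those strings out and looks for
patterns a reviewer would want to inspect by hand.
"""
import re

# Constructed sample fragment of a project.pbxproj (hypothetical; the IDs,
# names and scripts are invented for this example).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
    AA11 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        buildActionMask = 2147483647;
        name = "Run Script";
        shellPath = /bin/sh;
        shellScript = "echo \"building\"\n";
    };
    BB22 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        name = "Run Script";
        shellPath = /bin/sh;
        shellScript = "eval \"$(echo aGVsbG8= | base64 -d)\"\n";
    };
/* End PBXShellScriptBuildPhase section */
'''

# One PBXShellScriptBuildPhase object: "<ID> /* <name> */ = { isa = ...; ... };"
PHASE_RE = re.compile(
    r'(?P<id>[0-9A-F]+) /\* (?P<name>[^*]*?) \*/ = \{\s*'
    r'isa = PBXShellScriptBuildPhase;(?P<body>.*?)\};',
    re.DOTALL,
)
# The quoted shellScript value, allowing backslash escapes inside the quotes.
SCRIPT_RE = re.compile(r'shellScript = "(?P<script>(?:[^"\\]|\\.)*)";')

# Indicators worth a manual look (assumed list, not derived from XcodeSpy).
SUSPICIOUS = {
    "eval": re.compile(r"\beval\b"),
    "base64": re.compile(r"\bbase64\b"),
    "network-fetch": re.compile(r"\b(curl|wget|nc)\b"),
    "hex-escapes": re.compile(r"\\x[0-9A-Fa-f]{2}"),
    "inline-interpreter": re.compile(r"\b(python3?|perl|ruby|osascript)\b\s+-[ce]\b"),
}


def unescape_pbx(s: str) -> str:
    """Undo the backslash escaping used inside pbxproj string literals."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def audit_pbxproj(text: str) -> list:
    """Return one record per Run Script phase with the indicators it triggers."""
    findings = []
    for phase in PHASE_RE.finditer(text):
        match = SCRIPT_RE.search(phase.group("body"))
        script = unescape_pbx(match.group("script")) if match else ""
        flags = [name for name, rx in SUSPICIOUS.items() if rx.search(script)]
        findings.append({
            "id": phase.group("id"),
            "name": phase.group("name"),
            "script": script,
            "flags": flags,
        })
    return findings


def build_is_clean(findings: list) -> bool:
    """True when no Run Script phase triggered any indicator."""
    return all(not f["flags"] for f in findings)


if __name__ == "__main__":
    results = audit_pbxproj(SAMPLE_PBXPROJ)
    for f in results:
        status = "REVIEW" if f["flags"] else "ok"
        print(f"[{status}] {f['id']} {f['name']!r} flags={f['flags']}")
        for line in f["script"].splitlines():
            print("    " + line)
    print("clean" if build_is_clean(results) else "manual review needed before building")
```

Run it against a real project with `audit_pbxproj(open("App.xcodeproj/project.pbxproj").read())`. A flagged phase is not proof of anything malicious, since legitimate projects also shell out during builds; the point is that the script text is printed in full so it can be read before the first build, which is exactly the step an obfuscated Run Script is designed to discourage.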