Beware of 'XCSSET' malware hidden inside Xcode projects


Use caution opening Xcode projects downloaded from the interwebs: There’s a new(ly-discovered) exploit that hides inside projects and installs malware when the target is built, using a rogue build script. (And not just a regular run-script build phase; it pretends to be an asset catalog compiler, to make it harder to notice.)

"The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits"

(As reported in this week's iOS Dev Weekly, and previously covered on Twitter apparently.)

This is worrisome. It's not news that basically all build systems are Turing-complete and can do arbitrary stuff at build time. And legit projects frequently need to run scripts to move or process files. But once people start weaponizing this, it becomes a pretty nasty way to spread malware.

At a minimum, I think it'd be a good idea to look through the contents of all .xcodeproj bundles in any project source you download, before opening or building them. (And don't use the Finder, as some files are hidden; use `tree` or a Git client or something.) In the case of this particular exploit, a ".xcassets" directory is a giveaway.

This also makes using CocoaPods or Carthage scarier, as you only have to enter a URL into a config file to trigger downloading a sub-project sight unseen.

I don't know what the solution to this is going to be … sandboxing Xcode's build engine seems like a good idea, to prevent it and any scripts it runs from writing to files outside the build directory. Hopefully Apple is taking this seriously.

—Jens
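Added example: a small POSIX shell audit for the pre-flight check described above (inspect every .xcodeproj bundle, hidden files included, before opening it in Xcode). This is my own script, not code from the post, from Xcode, or from the XCSSET write-up. It assumes the only things Xcode itself writes into a .xcodeproj bundle are project.pbxproj, project.xcworkspace, xcuserdata, xcshareddata (plus a stray .DS_Store on macOS); anything else is reported, an .xcassets directory inside the bundle is reported explicitly, and every shellScript entry in project.pbxproj is printed for a human to read, since legitimate projects have run-script phases too. The two sample bundles are constructed fixtures, not real projects.

```shell
#!/bin/sh
# Audit .xcodeproj bundles before opening them. Added example, not from the original post.

# Entries Xcode normally places inside a .xcodeproj bundle (assumption; anything else is flagged).
is_expected_entry() {
    case "$1" in
        project.pbxproj|project.xcworkspace|xcuserdata|xcshareddata|.DS_Store) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_xcodeproj <path/to/Foo.xcodeproj>
# Prints SUSPICIOUS:/REVIEW: lines; returns 1 if anything suspicious was found, else 0.
audit_xcodeproj() {
    bundle="$1"
    findings=0

    # 1. Top-level entries Xcode would not have written (find sees dotfiles Finder hides).
    #    -mindepth/-maxdepth are GNU and BSD find extensions (assumption: one of those is in use).
    unexpected=$(find "$bundle" -mindepth 1 -maxdepth 1 -print | while IFS= read -r path; do
        is_expected_entry "$(basename "$path")" || printf '%s\n' "$path"
    done)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected" | sed 's|^|SUSPICIOUS: unexpected entry |'
        findings=1
    fi

    # 2. An asset catalog anywhere inside the project bundle is the giveaway named in the post.
    if find "$bundle" -type d -name '*.xcassets' | grep -q .; then
        printf 'SUSPICIOUS: .xcassets directory inside %s\n' "$bundle"
        findings=1
    fi

    # 3. List every run-script phase for manual review (not flagged by itself: legit projects use them).
    pbx="$bundle/project.pbxproj"
    if [ -f "$pbx" ]; then
        grep -n 'shellScript' "$pbx" | sed "s|^|REVIEW ($pbx): |"
    fi
    return $findings
}

# scan_projects <dir>: audit every .xcodeproj under <dir>; prints a VERDICT line per bad bundle.
scan_projects() {
    find "$1" -type d -name '*.xcodeproj' -print | while IFS= read -r proj; do
        audit_xcodeproj "$proj" || printf 'VERDICT: do not open %s until reviewed\n' "$proj"
    done
}

# make_sample <dir>: constructed fixture (not real projects). One clean bundle, and one that
# carries an asset catalog plus a run-script phase inside the .xcodeproj, the pattern the post describes.
make_sample() {
    base="$1"
    mkdir -p "$base/Clean.xcodeproj/project.xcworkspace"
    printf '// !$*UTF8*$!\n{ objects = { }; }\n' > "$base/Clean.xcodeproj/project.pbxproj"
    mkdir -p "$base/Tainted.xcodeproj/Assets.xcassets/.hidden"
    printf '// !$*UTF8*$!\n{ objects = { X = { isa = PBXShellScriptBuildPhase; shellScript = "/bin/sh Assets.xcassets/.hidden/build.sh"; }; }; }\n' \
        > "$base/Tainted.xcodeproj/project.pbxproj"
}

# Usage: sh audit_xcodeproj.sh <dir>...   (no arguments: run against the constructed sample)
if [ "$#" -gt 0 ]; then
    for root in "$@"; do scan_projects "$root"; done
else
    demo=$(mktemp -d)
    make_sample "$demo"
    scan_projects "$demo"
    rm -rf "$demo"
fi
```

Run it against a freshly cloned tree before the first `xcodebuild`; the REVIEW lines are the part that needs a human, because a run-script phase is only a problem when what it runs is.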
