XcodeSpy is the name of a newly discovered Mac malware strain targeting Apple developers. The malware spreads via trojanized Xcode projects, and its main purpose is to install a custom variant of the EggShell backdoor on the computer, along with a persistence module, and spy on the victim. The illegal activities that can be performed on an infected host include recording the victim's microphone, camera and keystrokes, as well as uploading and downloading files.
The threat actors behind XcodeSpy use a supply chain attack to infect as many victims as possible. In short, if a developer distributes a program containing the malicious code to end users, those users get infected too.
The malware itself abuses a built-in feature of Apple's IDE, Xcode, that allows a custom shell script to run when an instance of the target app is launched. One open-source project available on GitHub and infected with the malware is called TabBarInteraction. The obfuscated malicious script is reportedly hidden in the Build Phases tab. Because the Run Script panel has to be expanded manually by whoever inspects the project, the code is easily overlooked.
The malicious script creates a hidden file called .tag that contains a single command, mdbcmd, which is used to set up a reverse shell. This attack type gets its name from the fact that the target machine is the one that initiates the connection to the attacker.
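A defender-side check for the hidden Run Script phase described above, added here as an example and not code from the original article or from the TabBarInteraction project: it parses every PBXShellScriptBuildPhase entry in a project.pbxproj file and flags scripts that mention the indicators named in the article (the .tag file and mdbcmd) or common shell-obfuscation patterns. The sample pbxproj content and its object ids are constructed for the example.

```python
import re

# Indicators: the hidden .tag file and mdbcmd command named in the article, plus
# generic shell-obfuscation patterns often found in trojanized build scripts.
SUSPICIOUS_PATTERNS = [
    r"\beval\b", r"\bbase64\b", r"\|\s*(sh|bash|zsh)\b",
    r"\b(curl|wget)\b", r"\bopenssl\s+enc\b", r"\.tag\b", r"\bmdbcmd\b",
]
# One PBXShellScriptBuildPhase entry: captures its object id and the raw
# (still backslash-escaped) shellScript string.
_PHASE_RE = re.compile(
    r"(\w+)\s*(?:/\*[^*]*\*/)?\s*=\s*\{\s*isa\s*=\s*PBXShellScriptBuildPhase;"
    r".*?shellScript\s*=\s*\"((?:[^\"\\]|\\.)*)\";",
    re.DOTALL,
)

def _unescape(raw: str) -> str:
    # pbxproj strings use C-style escapes: \n, \t, \" and \\.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m[1], m[1]), raw)

def extract_run_scripts(pbxproj: str) -> dict:
    """Return {phase_id: decoded script} for every Run Script build phase."""
    return {pid: _unescape(raw) for pid, raw in _PHASE_RE.findall(pbxproj)}

def audit_run_scripts(pbxproj: str) -> dict:
    """Return {phase_id: [matched patterns]} for phases worth a manual look."""
    findings = {}
    for pid, script in extract_run_scripts(pbxproj).items():
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, script)]
        if hits:
            findings[pid] = hits
    return findings

# Constructed sample: a benign SwiftLint phase and a phase that decodes and
# pipes content into sh, the kind of entry a reviewer would otherwise miss.
SAMPLE_PBXPROJ = r'''
        A1B2C3D4E5F60718293A4B5C /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            shellScript = "\"${PODS_ROOT}/SwiftLint/swiftlint\"\n";
        };
        0F1E2D3C4B5A69788796A5B4 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellScript = "echo aGVsbG8K | base64 -d | sh\n";
        };
'''

if __name__ == "__main__":
    for pid, hits in audit_run_scripts(SAMPLE_PBXPROJ).items():
        print(f"phase {pid}: matched {hits}")
```

Run it against a checked-out project's `*.xcodeproj/project.pbxproj` before building; a hit only means the phase deserves a manual read, not that it is malicious.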
Upon execution, the EggShell backdoor establishes persistence on the infected computer by dropping a LaunchAgent. The public EggShell repository includes a wide range of functions, such as retrieving browser passwords and Facebook session cookies, transferring the victim's personal files to the criminals' servers, navigating the operating system's folders, taking screenshots, prompting the user to type a password, uploading files, suspending the current session, setting the output volume, putting the device to sleep, adjusting screen brightness, running AppleScripts, recording the microphone, sending iMessages, reading pasteboard contents and more.
It is common practice for cybercriminals to use secretly collected data to blackmail victims via email or social media. Typically, they threaten to publish the collected information and recorded audio/video unless the victim pays to have the recordings deleted. Moreover, collected data may be sold on dark web forums and passed on to other criminals.
Remove Mac malware using INTEGO ANTIVIRUS for Mac (includes scanning for iOS devices). The one-of-a-kind security suite provides VirusBarrier X9 real-time protection against Mac and Windows-based malware, removes existing threats and scans for malware in popular e-mail clients. Includes NetBarrier X9, an intelligent firewall for home, work and public connections.
Name | XcodeSpy malware (EggShell backdoor)
Type | Mac malware, Backdoor
Detection names | Backdoor.OSX.EggShell (ALYac), MacOS:Eggshell-L [Trj] (Avast), HEUR:Backdoor.OSX.EggShell.a (Kaspersky), OSX/EggShell-A (Sophos); see the full list on VirusTotal
Malicious activities | Spying on the victim, recording via microphone or camera, grabbing browser passwords and Facebook session cookies, sending iMessages, downloading or uploading files and more
Reportedly compromised Xcode projects | TabBarInteraction
Distribution | Spreads via trojanized and publicly accessible Xcode projects
Removal | Remove Mac malware with the OS-specific antivirus INTEGO, which scores 100% in OS X malware detection tests.
Not so long ago, people believed that Macs were resistant to malware; however, the situation has changed rather quickly. In 2021, we have observed a large number of Mac-targeting viruses, most of them persistent adware or browser hijackers, although more severe malware variants were also created (such as Silver Sparrow). Most of these threats are distributed via bundled software packs. Software bundles are free programs that deliver additional programs alongside them. Their deceptive installers often do not present the extras, or do so in an unnoticeable manner.
Another common Mac spyware and malware distribution vector is deceptive software update ads. These fake ads suggest installing an update for widely used software such as Java or Adobe Flash. Agreeing to install these can result in the computer being contaminated with a variety of persistent threats. For this reason, it is best to download programs, as well as their updates, from legitimate and confirmed sources only.
As discussed earlier, XcodeSpy spreads via publicly available Xcode projects and mainly targets Apple developers in order to perform a supply chain attack. For this reason, developers should be careful when accessing shared projects online.
You should make XcodeSpy removal your top priority if you suspect that your system has been compromised. To eliminate Mac threats, we typically recommend INTEGO, a powerful antivirus for OS X systems. You can read its review here.
Once you have removed XcodeSpy malware from your Mac, make sure you also get rid of the compromised Xcode projects, or at least clean them up if you absolutely need to keep using them.
XcodeSpy malware Removal Tutorial
Use the following guidelines to get rid of XcodeSpy malware on Mac. You will need to eliminate suspicious components from several system folders, move unwanted applications to Trash, and delete shady profiles and login items created by the potentially unwanted program. Once you complete these steps, follow the instructions on how to clean each affected web browser individually.
Eliminate components of unwanted program from Mac system folders
Move unwanted applications to Trash
Remove unwanted startup applications on Mac
Delete malicious configuration profiles
Remove XcodeSpy malware from Safari
Uninstall suspicious Safari extensions
Change Safari Homepage and default search engine
Remove push notifications on Safari
Some suspicious websites can try to corrupt your Safari by asking to enable push notifications. If you have accidentally agreed, your browser will be flooded with various intrusive advertisements and pop-ups. You can get rid of them by following this quick guide:
Reset Safari
Remove XcodeSpy malware from Google Chrome
Remove suspicious Chrome extensions
Change Start Page settings
Change default search settings
Remove push notifications from Chrome
If you want to get rid of the annoying ads and so-called push notification viruses, you must identify their components and clean your browser. You can easily remove ads from Chrome by following these steps:
Reset Google Chrome browser
Remove XcodeSpy malware from Mozilla Firefox
Remove unwanted add-ons from Firefox
Change Firefox Homepage
Alter preferences in Firefox
Remove annoying push notifications from Firefox
Suspicious sites that ask to enable push notifications gain access to Mozilla Firefox's settings and can deliver intrusive advertisements while you browse the Internet. Therefore, you should revoke their access to your browser by following these simple steps:
Reset Mozilla Firefox
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.