Apple macOS hit with XCSSET malware: originating in Xcode projects, it uses multiple zero-day exploits to take screenshots without user consent

Apple macOS XCSSET malware
Apple Mac PC owners hit the update button urgently. Pic credit: Kārlis Dambrāns/Flickr/CC BY 2.0

Apple Mac PC owners must rush to install the macOS 11.4 update. Malware known as XCSSET, which has been active since last year, can take screenshots without user consent. Moreover, it can potentially access the victim’s microphone or webcam, or capture keystrokes such as passwords or credit card numbers.

Security researchers have indicated the XCSSET malware can exploit a serious weakness in macOS security. Malicious code writers can abuse the flaw to record video, access files, and perform other tasks which would otherwise need user permission.

macOS spyware that can get around Transparency, Consent, and Control:

Cybersecurity company Jamf has now reported on XCSSET, but Trend Micro first discovered the security flaw last year. Hackers have created sleek spyware that can get around a macOS privacy feature known as Transparency, Consent, and Control (TCC).

TCC raises a warning flag when an app is doing something that might affect users’ privacy, such as taking photos or recording keystrokes. The feature forces the application to seek user permission before gaining access to the hardware.

Using XCSSET, the malware’s authors managed to bypass this critical step. They worked around the security feature by hijacking other apps’ permissions. In other words, the spyware piggybacked on the permissions of other apps that an unsuspecting macOS user had previously granted.

How did XCSSET malware manage to hijack security permissions that macOS users granted for other applications?

Back when Trend Micro first discovered XCSSET, the cybersecurity company realized the malware creators were targeting Apple developers. Hackers were going after Xcode projects that developers use to code and build apps.

Simply put, developers were unwittingly distributing the malware to their users by using infected app development projects. Trend Micro describes these sophisticated and forward-thinking attacks as “supply-chain-like attacks”.

Malicious code writers merely needed to install the first phase on a victim running macOS. In its latest iteration, the XCSSET malware reportedly uses two zero-days — one to steal cookies from the Safari browser to get access to a victim’s online accounts, and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website.

Jamf, however, claims the malware is exploiting a previously undiscovered third zero-day in order to secretly take screenshots of the victim’s screen. While taking screenshots is one of the purposes, security researchers are warning the bug could allow hackers to access the victim’s microphone, webcam or capture their keystrokes, such as passwords or credit card numbers.

Apple Inc. has confirmed that macOS 11.4 fixes the bug that the XCSSET malware exploits. The iPhone maker released the update this week. Needless to say, it is important that Mac PC owners update their systems as soon as possible.
