CATEGORIES
home News

XCSSET macOS Malware Caught Stealing Screenshots And Exploiting 0-Day Bugs, Update Now

by Nathan OrdTuesday, May 25, 2021, 01:22 PM EDT
xcsset malware stealing screenshots and exploiting vulnerabilities
It is time to update macOS devices as a new 0-day has been found that allows malware to bypass privacy protections. The logic bug allowed any app to inherit another app’s permissions to take screenshots or do other activities without the end-user knowing, making this quite concerning.

In 2020, malware called XCSSET made an appearance using two 0-day exploits to target Xcode developers and their projects. It would primarily spread using these projects, some of which were shared on GitHub, “leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects,” as researchers at Trend Micro explain. Since the initial discovery, the malware has had an ebb and flow, making a resurgence earlier this year by stealing cryptocurrency on Apple M1 systems.

donor apps 2 xcsset malware stealing screenshots and exploiting vulnerabilities
The list of donor apps and "celebratory" code when it finds one with permissions on a system

Most recently, Apple patched a new 0-day vulnerability in macOS 11.4 (CVE-2021-30713), which could have allowed bypass of the Transparency Consent and Control (TCC) framework that controls what hardware and software an application has access to. To exploit this, an attacker could hide within another application that has regularly granted permissions that it is looking for. The sub-application would then inherit the parent or donor application’s permissions, which is quite a privacy concern.

flow xcsset malware stealing screenshots and exploiting vulnerabilities
The XCSSET malware flowchart courtesy of Jamf
.
In this case, researchers at Jamf, an Apple enterprise management software company, found that XCSSET was actively exploiting this bug. XCSSET could have “Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent,” but used the 0-day specifically to take screenshots of the user’s desktop without them knowing. This was done by planting a malicious sub-application into a “donor application” such as Zoom, Discord, or others that would regularly have screen capture permissions.

Thankfully, this issue has now been fixed in macOS 11.4, as mentioned, so it is time for all users to update their systems to the latest macOS update. However, XCSSET primarily targeted developers using Xcode, so it is unlikely for the average person to be affected. If you are still concerned about this, though, you can check to see if you were comprised using the indicators Jamf lists in its blog post.
Tags:  Apple, Malware, Privacy, (NASDAQ:AAPL), macos
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment