Crypto-Stealing Malware Starts Targeting Apple's M1 Macs

Researchers have discovered that the XCSSET malware has started targeting M1-equipped Macs via Xcode and has been updated to compromise accounts on various cryptocurrency trading platforms, The Hacker News reported Monday.

Xcode is the integrated development environment (IDE) used to make apps for the iPhone, iPad, and other Apple hardware. Even if a cross-platform framework is used to develop a particular app, it must pass through Xcode to reach those platforms.

That means XCSSET is limiting itself to technically savvy people who, if we had to guess, would be more likely to own cryptocurrency than the average Mac owner. Targeted attacks like this are often more successful than broader ones.

Kaspersky warned that XCSSET had been updated for Apple's custom silicon in March. The malware wasn't focused on cryptocurrency at the time, the security company said. Instead, it featured a variety of modules that were designed for:

  • Reading and dumping Safari cookies
  • Injecting malicious JavaScript code into various websites
  • Stealing user files and information from applications, such as Notes, WeChat, Skype, Telegram, etc.
  • Encrypting user files

Trend Micro then warned on April 16 that XCSSET had been updated to bypass security features introduced with macOS Big Sur, change the icons it uses to match system icons, and attempt to gain access to victims' accounts on crypto platforms.

The company's advice was clear: "To protect systems from this type of threat, users should only download apps from official and legitimate marketplaces," it said. But that's hard to do when it comes to finding Xcode projects to work with or learn from.

XCSSET's expansion to cryptocurrency makes sense. The value of Bitcoin, Ethereum, and even Dogecoin has continued to rise in recent months, and stealing coins from someone else probably requires fewer resources than mining them would.

Adding support for Apple's custom silicon was also prudent. Devices featuring the M1 chip have been well-reviewed, and with Apple's plan to ditch Intel entirely by the end of 2022, it makes sense to start targeting Apple's own chips now.

Other malware creators appear to agree. We saw reports of the first malware targeting Apple silicon in February, and in March, the Silver Sparrow malware was discovered on approximately 30,000 macOS devices, some of which had M1 chips.