Checking for Poisoned Projects, Again

A bit less than two months ago, I wrote “Checking for Poisoned Projects”. This outlined how malware was embedded in a Visual Studio project — not in the app the project would build, but in the project itself. Designed to infect security researchers, the malware was distributed as a Windows DLL that was executed through “build events” on the researchers’ machines.

Today, we find out that iOS developers were attacked in a similar fashion. Apparently, Xcode offers “run scripts” that run as part of the build process. In this case, the run script downloaded spyware and installed it on the developers’ machines.

It is merely a matter of time before we find out that Android developers are being similarly attacked.

Please be very, very careful when working with projects that you get from the Internet, including from popular sources like GitHub. In “Checking for Poisoned Projects”, I point out some of the standard developer security advice that I have been giving for years regarding using somebody else’s project. Basically, be very careful about the Gradle wrapper, as it is an easy way for an attacker to get malware onto your development machine. There are other attack avenues that we need to worry about as well, such as Gradle plugins, compiler plugins, and annotation processors.
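One concrete check for the Gradle wrapper warning above, written as an added example rather than code from the original post: it parses gradle-wrapper.properties, confirms the distribution will be fetched over HTTPS from services.gradle.org (an assumed allowlist, extendable with your own mirror), flags a missing distributionSha256Sum pin, and compares gradle-wrapper.jar against a checksum you trust. The sample property files and the pinned hash are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Hosts a wrapper may legitimately download a Gradle distribution from
# (assumed allowlist; add your own internal mirror if you run one).
ALLOWED_HOSTS = {"services.gradle.org"}

def parse_properties(text):
    """Parse gradle-wrapper.properties (Java .properties; ':' and '=' are backslash-escaped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:  # drop the escaping backslashes (sufficient for wrapper files)
            props[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props

def audit_properties(text):
    """Return a list of findings; an empty list means nothing looked off."""
    props = parse_properties(text)
    url = props.get("distributionUrl")
    if url is None:
        return ["no distributionUrl in gradle-wrapper.properties"]
    parts, findings = urlsplit(url), []
    if parts.scheme != "https":
        findings.append(f"distribution fetched via {parts.scheme!r}, not https")
    if parts.hostname not in ALLOWED_HOSTS:
        findings.append(f"distribution host {parts.hostname!r} is not allowlisted")
    if "distributionSha256Sum" not in props:
        findings.append("no distributionSha256Sum: downloaded Gradle zip is not pinned")
    return findings

def jar_matches(jar_bytes, expected_sha256):
    """True if gradle-wrapper.jar hashes to a value you trust (e.g. gradle.org/release-checksums)."""
    return hashlib.sha256(jar_bytes).hexdigest() == expected_sha256.strip().lower()

# Constructed sample: a wrapper pointing at a non-Gradle host over plain HTTP.
SUSPICIOUS_PROPERTIES = """\
distributionUrl=http\\://gradle-mirror.example.invalid/gradle-8.5-bin.zip
"""
# Constructed sample that downloads from gradle.org and pins the zip hash
# (the sha256 here is a placeholder, not a real release checksum).
PINNED_PROPERTIES = """\
distributionUrl=https\\://services.gradle.org/distributions/gradle-8.5-bin.zip
distributionSha256Sum=0000000000000000000000000000000000000000000000000000000000000000
"""
```

Run it against a freshly cloned project before invoking ./gradlew, comparing the wrapper jar against the checksum Gradle publishes for that release. Any finding is a reason to regenerate the wrapper from a Gradle install you already trust rather than run the one that came with the project.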

It would be lovely if somehow Android app development was immune to this sort of problem. That is very unrealistic. Someday, I fear that we will get a better picture of exactly how unrealistic it is.