XCSSET malware infection in 2.0.0-beta2?

Hi Virjonen @virjonen,

Thank you very much for reporting this. I will investigate this of course with high priority.

The universalJavaApplicationStub code is the startup script to run APP 2.0.0 on macOS and that script definitely does not contain XCSSET malware and I compiled the script myself to make it an executable. And then Apple approved this because the whole package was notarized by Apple. So it seems quite likely that your anti-virus is giving a false positive here, but to be sure I will scan all my mac computers for this problem and see what comes up.

Will report back as soon as I know more 😉

Mabula

@virjonen, is this on an intel mac or an arm/M1 mac?

@mabula-admin Intel MacBook Pro with Monterey Version 12.4.

Same here.  VirusBarrier 10.9.63 with latest Virus descriptions alerted me to

universalJavaApplicationStub - OSX/XCSSET

Intel 5k iMac running MacOS Monterey 12.4

I wanted to try APP 2.0.0 β2 because APP 1.083.2 is failing Star Analysis on my subs (Green especially) which, as far as I can tell, are fine.  In fact, it's failed some subs that look better than others that are accepted.

Hi Philip @philpaul3aol-com and @virjonen,

I have taken a very! long time to investigate this issue and I can only conclude at the moment that your virus scanners are very likely giving a false positive on a possible XCSSET infection.

I use Bitdefender Total Security which has a very good reputation and it definitely knows the XCSSET infection. It does not find it on any of my macs and it does not find it in the beta2 release.

To add to this: the universalJavaApplicationStub is a small script that starts APP on your mac that I compile to a binary on my macs during build of the DMG installers.

This script simply does not contain XCSSET.

Furthermore XCSSET is spread using XCODE which is NOT used/involved in my development environment to create the mac installers for APP. So that alone makes it impossible for the DMG to contain it I think.

https://www.intego.com/mac-security-blog/mac-malware-exposed-xcsset-an-advanced-new-threat/

"One of the most interesting things about XCSSET is that its main target seems to be developers who use Apple’s Xcode app. An Xcode project infected by XCSSET can lead to malicious code being executed on a developer’s computer."

XCODE is simply not used by us since we develop cross-platform, which leads me to conclude that your virus scanners are not accurate unfortunately.

I will not close this issue for now, but at the moment, I can not do more I think to give you a more satisfying answer.

I understand that you both use Intego VirusBarrier right? So please be open to the possibility that Intego is not accurate here, since other AntiVirus packages report the 2.0.0-beta2 as clean/not infected.

Mabula

Hi @mabula-admin,

You're right, it's likely a false positive. I think I should contact Intego about this and see if they can tell us more and/or fix the likely false detection.

Will keep you posted,
A-P

Hi @virjonen,

Thanks a lot ! that can only help 😉

Mabula

Hi @mabula-admin,

Ping @philpaul3aol-com as well.

I just received a reply from Intego support. Like you suspected, it was a false positive and they have now fixed the definitions. I updated VirusBarrier and installed 2.0.0-beta2. No errors and everything works now.

Here is the reply from Intego:

---

Support Intego (Intego)

Aug 5, 2022, 02:49 CDT

Hi @virjonen,

Excellent, thank you very much for contacting Intego about this. I am glad that they have confirmed it was a false positive 🙂 !

Mabula