Malware in Xcode Simulator files says Apple XProtect

Last night, Apple allegedly pushed new XProtect antivirus signatures. After that, I think XProtect found the malware Pirrit in my Xcode Simulator files from Apple. I'm not kidding. This is an excerpt from the XProtect log (notice the NSFilePath!):

2024-05-01 07:54:12.951  Pirrit        👉 no status_message report     time 0.0000000 {"action":"report","path":{"modificationDate":732892166.8634809,"path":"\/Library\/Developer\/CoreSimulator\/Images\/1944D6AF-4D6B-4877-8F87-924EB62FC984.dmg","creationDate":732892166.8634809},"status":{"description":"Error deleting path: \/Library\/Developer\/CoreSimulator\/Images\/1944D6AF-4D6B-4877-8F87-924EB62FC984.dmg: Error Domain=NSCocoaErrorDomain Code=513 \"“1944D6AF-4D6B-4877-8F87-924EB62FC984.dmg” couldn’t be removed because you don’t have permission to access it.\" UserInfo={NSUserStringVariant=(\n    Remove\n), NSFilePath=\/Library\/Developer\/CoreSimulator\/Images\/1944D6AF-4D6B-4877-8F87-924EB62FC984.dmg, NSUnderlyingError=0x1247612a0 {Error Domain=NSPOSIXErrorDomain Code=1 \"Operation not permitted\"}}.","causedBy":[],"code":24}}

2024-05-01 07:54:13.197  Pirrit        message not in JSON format

2024-05-01 07:54:41.125  Pirrit        ⚠️ FailedToRemediate time 0.0000280 {"caused_by":[],"execution_duration":2.8014183044433594e-05,"status_code":24,"status_message":"FailedToRemediate"}

XProtect also detects another threat on my machine:

2024-05-01 10:09:58.530  BadGacha      ⚠️ ThreatDetected time 0.0000120 {"caused_by":[],"execution_duration":1.2040138244628906e-05,"status_message":"ThreatDetected","status_code":21}

Please check your XProtect logs. There is an app that can display these logs out there. Or you can use the system logging facility.

I have deleted the whole Developer folders (both at / and ~) and reinstalled Xcode (not Beta). But a new XProtect scan finds Pirrit in the Core Simulator file again!

I have also attempted to install an anti-virus solution (Malwarebytes), but it does not detect anything.

I am wondering if we should get someone from Apple involved. I am also wondering if I should reset my whole machine…

Is anyone else seeing these issues in the XProtect log?

It is unclear at this time whether there really is a Pirrit malware in Apple's Xcode simulator files or if there is some issue with XProtect like a faulty signature. Don't panic.
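The post points readers at the system logging facility for these lines. As an added example (not from the original post, and not Apple's code), here is a small Python triage script for XProtect Remediator lines in the layout quoted above: it pulls out the scanning module, the status (ThreatDetected, FailedToRemediate, or the report's "action" when there is no status_message), the status code and the flagged file path, so a defender can scan a dump of such lines for what actually needs attention instead of reading raw JSON. The four sample lines are the ones quoted in the post; the line layout, the function names and the choice of "attention" statuses are my assumptions. Raw `log show` output carries a different line prefix than the viewer output quoted here, so the first regular expression would need adjusting for that input.

```python
import json
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample input: the four XProtect log lines quoted in the post above.
SAMPLE_LOG = [
    r"""2024-05-01 07:54:12.951  Pirrit        👉 no status_message report     time 0.0000000 {"action":"report","path":{"modificationDate":732892166.8634809,"path":"\/Library\/Developer\/CoreSimulator\/Images\/1944D6AF-4D6B-4877-8F87-924EB62FC984.dmg","creationDate":732892166.8634809},"status":{"description":"Error deleting path: \/Library\/Developer\/CoreSimulator\/Images\/1944D6AF-4D6B-4877-8F87-924EB62FC984.dmg: Error Domain=NSCocoaErrorDomain Code=513 \"“1944D6AF-4D6B-4877-8F87-924EB62FC984.dmg” couldn’t be removed because you don’t have permission to access it.\" UserInfo={NSUserStringVariant=(\n    Remove\n), NSFilePath=\/Library\/Developer\/CoreSimulator\/Images\/1944D6AF-4D6B-4877-8F87-924EB62FC984.dmg, NSUnderlyingError=0x1247612a0 {Error Domain=NSPOSIXErrorDomain Code=1 \"Operation not permitted\"}}.","causedBy":[],"code":24}}""",
    r"""2024-05-01 07:54:13.197  Pirrit        message not in JSON format""",
    r"""2024-05-01 07:54:41.125  Pirrit        ⚠️ FailedToRemediate time 0.0000280 {"caused_by":[],"execution_duration":2.8014183044433594e-05,"status_code":24,"status_message":"FailedToRemediate"}""",
    r"""2024-05-01 10:09:58.530  BadGacha      ⚠️ ThreatDetected time 0.0000120 {"caused_by":[],"execution_duration":1.2040138244628906e-05,"status_message":"ThreatDetected","status_code":21}""",
]

# Assumed line layout (matches the post's excerpt): "<timestamp>  <module>  <free text> [<json>]"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(\S+)\s+(.*)$")
# Fallback for reports whose only path sits inside an NSError description.
NSFILEPATH_RE = re.compile(r"NSFilePath=([^,}]+)")

# Statuses a defender should look at; the remaining lines are scan chatter.
ATTENTION = {"ThreatDetected", "FailedToRemediate"}


@dataclass
class XProtectEvent:
    timestamp: str
    module: str            # scanning module, e.g. "Pirrit" or "BadGacha"
    message: str           # free text before the JSON payload
    status: Optional[str]  # status_message, or the report's "action" when there is none
    code: Optional[int]
    path: Optional[str]    # file the module acted on, if the payload names one
    payload: Optional[dict]


def parse_line(line: str) -> Optional[XProtectEvent]:
    """Parse one log line; returns None for lines that do not fit the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    timestamp, module, rest = m.groups()
    payload = None
    message = rest.strip()
    brace = rest.find("{")
    if brace >= 0:
        try:
            payload = json.loads(rest[brace:])
            message = rest[:brace].strip()
        except ValueError:
            payload = None  # trailing text was not JSON; keep the whole tail as message
    status = code = path = None
    if payload:
        status = payload.get("status_message") or payload.get("action")
        code = payload.get("status_code")
        inner = payload.get("status") if isinstance(payload.get("status"), dict) else {}
        if code is None:
            code = inner.get("code")
        p = payload.get("path")
        if isinstance(p, dict):
            path = p.get("path")
        if path is None:
            hit = NSFILEPATH_RE.search(inner.get("description", ""))
            path = hit.group(1).strip() if hit else None
    return XProtectEvent(timestamp, module, message, status, code, path, payload)


def parse_log(lines: Iterable[str]) -> List[XProtectEvent]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def needs_attention(events: Iterable[XProtectEvent]) -> List[Tuple[str, str]]:
    """Unique (module, status) pairs that indicate a detection or a failed clean-up."""
    return sorted({(e.module, e.status) for e in events if e.status in ATTENTION})


def flagged_paths(events: Iterable[XProtectEvent]) -> List[str]:
    """Unique file paths the modules reported on, with JSON '\\/' escapes already decoded."""
    return sorted({e.path for e in events if e.path})


if __name__ == "__main__":
    # Usage: python3 xprotect_triage.py < reformatted_log.txt   (falls back to the sample)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    events = parse_log(source)
    for module, status in needs_attention(events):
        print(f"{module}: {status}")
    for path in flagged_paths(events):
        print(f"  path: {path}")
```

On the sample this reports BadGacha: ThreatDetected and Pirrit: FailedToRemediate, plus the single CoreSimulator .dmg path; a second module showing up in `needs_attention` with a path outside Apple's simulator directories is exactly the kind of line worth checking before deciding the whole log is a signature false positive.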

Answered by DTS Engineer in 786921022

Apple is aware of this issue, and thank you for filing FB13769072 to bring it to our attention. Please see this post for an easy workaround.

I have filed Feedback with Apple FB13769072

Accepted Answer

In some conversation with Apple folks, the XProtect update that caused this has been rolled back; it should be installed silently. It should also be possible to force an update via:

softwareupdate --install --include-config-data XProtectPayloads_10_15-133

