New method to introduce malware into macOS apps puts millions of Apple users at risk

The evidence supports the widely held view that Apple products offer stronger security than, for example, Windows or Android systems. Apple has worked hard to keep it that way, adding multiple layers of security to its operating systems to protect them from the best-known threats.

Despite these efforts, some hacking groups managed to exploit a critical vulnerability on Apple devices.

Recently, cybersecurity specialist Cedric Owens detailed how attackers exploit this flaw, which was reported in mid-March and resides in the Gatekeeper mechanism. Gatekeeper is the feature that lets developers enrolled in Apple's paid developer program sign their software so that it is allowed to run on Mac devices.

According to Owens, the software notarization process requires applications to go through an automated verification process run by Apple. Threat actors could craft a malware variant specifically designed to trick this mechanism, which lives in macOS itself, so that compromised devices run the malware even though it never passed the relevant security checks.

The flaw abuses a small gap in the system's logic that makes macOS believe the malicious application has certain very specific attributes: “If you create an application composed basically of a single script, the code will tell the program what to do instead of doing it for itself,” Owens says.

An application built this way does not include the standard application metadata file (known as Info.plist), and it can run on any Mac. The researcher reported his findings to Apple and also took his report to renowned macOS expert Patrick Wardle, who delved a little further into Owens' findings.

Wardle also notes that macOS initially checks whether new apps were actually notarized, although this step is skipped in the scenario described in the report. macOS then checks whether the software is actually an application bundle; if it does not find an Info.plist file, the system automatically concludes that it is not an application.
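The shape of the bundle described above (a single script in place of a real executable, and no Info.plist) is something an administrator can audit for on a fleet. The following script is an added example written for this article, not code from Apple, Owens or Wardle; it walks a directory tree, finds `.app` bundles, and flags any that lack `Contents/Info.plist` or whose launch executable begins with `#!` instead of a Mach-O header. The sample bundles it builds under a temporary directory are constructed for the demo (the "good" bundle only carries a fake Mach-O magic number, not a real binary).

```python
#!/usr/bin/env python3
"""Audit macOS .app bundles for the script-only shape discussed in the article.

Added example, not from the article or the researchers. A real bundle has
Contents/Info.plist naming a CFBundleExecutable that is a Mach-O binary under
Contents/MacOS; a bundle that is missing the plist, or whose executable is a
plain script, matches the layout the Gatekeeper bypass relied on.
"""
import os
import plistlib
import tempfile

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def audit_bundle(app_path):
    """Return a list of findings for one .app bundle; empty means nothing suspicious."""
    findings = []
    contents = os.path.join(app_path, "Contents")
    info_path = os.path.join(contents, "Info.plist")
    macos_dir = os.path.join(contents, "MacOS")

    exe_name = None
    if not os.path.isfile(info_path):
        findings.append("missing Contents/Info.plist")
    else:
        try:
            with open(info_path, "rb") as fh:
                exe_name = plistlib.load(fh).get("CFBundleExecutable")
        except Exception:
            findings.append("unreadable Contents/Info.plist")

    # Executable named by the plist, or every file under Contents/MacOS if there is none.
    candidates = []
    if exe_name and os.path.isfile(os.path.join(macos_dir, exe_name)):
        candidates.append(os.path.join(macos_dir, exe_name))
    elif os.path.isdir(macos_dir):
        candidates.extend(os.path.join(macos_dir, n) for n in sorted(os.listdir(macos_dir))
                          if os.path.isfile(os.path.join(macos_dir, n)))
    if not candidates:
        findings.append("no launch executable under Contents/MacOS")

    for exe in candidates:
        with open(exe, "rb") as fh:
            head = fh.read(4)
        if head[:2] == b"#!":
            findings.append(f"{os.path.basename(exe)} is a script, not a Mach-O binary")
        elif head not in MACHO_MAGICS:
            findings.append(f"{os.path.basename(exe)} has no Mach-O header")
    return findings


def scan_tree(root):
    """Map every .app bundle under root to its findings (bundles with none are omitted)."""
    results = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                app = os.path.join(dirpath, d)
                findings = audit_bundle(app)
                if findings:
                    results[app] = findings
                dirnames.remove(d)  # do not descend into the bundle itself
    return results


def build_sample_bundles(root):
    """Construct one well-formed and one script-only bundle for demonstration."""
    good = os.path.join(root, "Good.app")
    os.makedirs(os.path.join(good, "Contents", "MacOS"))
    with open(os.path.join(good, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Good", "CFBundleIdentifier": "example.good"}, fh)
    with open(os.path.join(good, "Contents", "MacOS", "Good"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # constructed: magic only, not a real binary

    bad = os.path.join(root, "Bad.app")
    os.makedirs(os.path.join(bad, "Contents", "MacOS"))
    with open(os.path.join(bad, "Contents", "MacOS", "Bad"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho placeholder\n")  # constructed: a harmless stand-in script
    return good, bad


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundles(tmp)
        for app, findings in scan_tree(tmp).items():
            print(app)
            for f in findings:
                print("  -", f)
```

Running it prints only `Bad.app`, with both the missing plist and the script executable listed; `Good.app` is silent. On a real machine you would point `scan_tree` at `/Applications` or a user's `Downloads` folder rather than at the constructed samples.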

After performing his own analysis, Wardle took his report to Jamf, a company specializing in Apple device management, to see whether the company's antivirus solution could actually contain these script-based attacks. Jamf had flagged a particular version of the Shlayer adware that exploited this bug in an unusual way. The version of Gatekeeper analyzed, released in 2012, shows a warning asking users whether they are sure they want to run apps downloaded from outside the company's official store.