Don’t Trust the Double-Click: This Mac Malware Was ‘Approved’ by Apple
The Gatekeeper in macOS does a good job overall of defending your Mac against malware and other harmful software. However, it’s crucial to remember that it does not make your Mac impervious to such dangers. It’s always important to be vigilant, as bad actors have devised various ways to trick users into bypassing Apple’s protective measures.
The latest example of this is a new variant of the MacSync Stealer malware that uses a code-signed Swift application to evade Apple’s macOS Gatekeeper protections by making it appear to be a legitimate app from an Apple-approved developer.
Researchers at Jamf Threat Labs shared news this week about a new variant of MacSync Stealer they’ve uncovered that uses a different tactic to attack your Mac by exploiting the notarization system Apple uses to protect your machine.
Previous versions of MacSync Stealer relied on social engineering tactics — duping users into dragging files into a Terminal window or manually pasting commands to evade Gatekeeper. The new variant is more sophisticated.
Now, the malware masquerades as a legitimate installer for an app called “zk-Call & Messenger.” Since it’s been signed by a registered developer and subsequently notarized by Apple, it effectively carries Apple’s “seal of approval,” allowing users to launch it with a standard double-click and avoid the security warnings that come up with apps from unregistered developers.
Upon inspection, Jamf Threat Labs found the install was not only code-signed and notarized but also linked to a verified third-party Apple Developer account.
To further the deception, the bad guys inflated the file size to 25.5MB by padding the app with extra files, such as LibreOffice-related PDFs, to make it look more like a legitimate installer.
The installer app doesn’t actually include the malware itself, allowing it to evade typical malware detection utilities. After being initially run on the user’s Mac, it pulls down a malicious payload from a server, then installs it on the targeted system.
The malicious software exhibits all the usual traits of previous versions of MacSync Stealer — an “infostealer” designed to harvest sensitive data, including browser-stored passwords, iCloud Keychain credentials, cryptocurrency wallets, and more. As far as researchers can tell, the main difference is the new delivery system to bypass the built-in macOS defenses.
Jamf notes that malware authors continue to “evolve their delivery methods,” developing new ways to maximize the number of infected machines. The firm added that it hasn’t seen this approach before, at least in a Swift-based, code-signed, notarized form that loads a secondary payload.
Bad actors have used a similar method in the past: back in 2020, researchers discovered malicious code that was notarized, thanks to a well-hidden malware script inside the application.
It’s a bit different this time, as the notarized app doesn’t include the malicious code itself and instead downloads the nasty bits from the Internet after being examined by Gatekeeper. This “two-stage attack” method makes it tougher to detect such malware during the notarization process.
Jamf says it has contacted Apple to report the malware installer’s Developer Team ID, and while the associated certificate has since been revoked, the specific code directory hashes were not yet included in Apple’s revocation list when the report was first published.
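Because Apple's revocation list lagged behind the report, a defender can close the gap locally by checking a downloaded installer's signing identity against a blocklist built from vendor reports. The script below is an added example, not Jamf's or Apple's tooling: it parses the output of `codesign -dv --verbose=4` for the Team ID and CDHash and compares both against a local list; the Team ID, hashes, bundle path and blocklist entries are constructed placeholders.

```shell
#!/bin/sh
# Added example: extract the Developer Team ID and CDHash from
# `codesign -dv --verbose=4 <app> 2>&1` and compare them against a locally
# maintained blocklist. All IDs, hashes and paths here are placeholders.

# Constructed sample of codesign's output for a Developer-ID-signed, notarized app.
SAMPLE_CODESIGN='Executable=/Volumes/Installer/zk-Call.app/Contents/MacOS/zk-Call
Identifier=com.example.zkcall
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=0123456789abcdef0123456789abcdef01234567
CDHash=0123456789abcdef0123456789abcdef01234567
Signature size=9000
Authority=Developer ID Application: Example Dev (PLACEHOLDERID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDERID
Sealed Resources version=2 rules=13 files=48'

# Local blocklist, one entry per line: "<TeamID or cdhash> <reason>".
# Populate it from vendor reports; these two entries are placeholders.
BLOCKLIST='PLACEHOLDERID Developer ID revoked after stealer report (placeholder)
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef cdhash of a second-stage loader (placeholder)'

# field OUTPUT KEY -> value of the first "KEY=value" line in OUTPUT
field() { printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1; }

# assess_signature OUTPUT -> prints "BLOCK ..." (exit 1) or "ALLOW <team> <cdhash>" (exit 0).
# ALLOW only means "not on our list": a valid Developer ID plus notarization is
# exactly what this installer had, so the verdict is an input to review, not a clearance.
assess_signature() {
  team=$(field "$1" TeamIdentifier)
  cdhash=$(field "$1" CDHash)
  if [ -z "$team" ] || [ -z "$cdhash" ]; then
    echo "BLOCK unsigned or unparseable"; return 1
  fi
  for key in "$team" "$cdhash"; do
    reason=$(printf '%s\n' "$BLOCKLIST" | awk -v k="$key" '$1==k {$1=""; sub(/^ /,""); print; exit}')
    if [ -n "$reason" ]; then
      echo "BLOCK $key: $reason"; return 1
    fi
  done
  echo "ALLOW $team $cdhash"
}

# Usage on a Mac: assess_signature "$(codesign -dv --verbose=4 /path/to/App.app 2>&1)"
```

Matching on the CDHash as well as the Team ID matters here because a Team ID revocation does not retroactively cover every build already in circulation, and the report notes the specific code directory hashes were still missing from Apple's list.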
To protect themselves, Mac users need to be vigilant about their digital hygiene, staying aware of what they are installing and obtaining installation files only from well-lit areas of the internet, such as the Mac App Store or trusted developers.
