Researcher claims Mac's malware-flagging tool is 'trivially easy' to bypass

MacBook Pro 16-inch 2021 sitting on a patio table
(Image credit: Tom's Guide)

Apple includes a number of built-in tools to keep the best MacBooks safe from malware, but a security researcher is now claiming that one of them can be easily bypassed by hackers.

As reported by 9To5Mac, the iPhone maker first introduced its malware-flagging tool Background Task Manager as part of macOS Ventura last year. The tool is designed to notify you when a program, malware included, installs itself so that it will be launched again automatically (for instance at login), which is what allows it to remain persistent on your computer.

Now though, during a presentation at Defcon, security researcher Patrick Wardle has presented his findings on several weaknesses in Background Task Manager that make the tool far less effective at flagging persistent malware than Apple originally claimed it would be.

In a discussion with Wired after his presentation, Wardle explained that he discovered some issues with the tool that cause “persistence event notifications to fail.” While he reported these issues to Apple and the company fixed them, Wardle claims that “deeper issues with the tool” weren’t addressed.

Although hackers have yet to leverage the flaws in Background Task Manager in their attacks, now that Wardle has shed light on them, they could soon be used to install persistent malware on vulnerable Macs without the user ever seeing a notification.

Apple’s built-in malware protection

Just like Microsoft does with Windows Defender on its PCs, Apple also includes built-in malware protection with every Mac it sells.

For starters, every app uploaded to the Mac App Store is vetted for malware, while Gatekeeper in macOS checks that any app you download from elsewhere is signed with a registered Apple developer certificate and notarized by Apple. From there, XProtect scans your Mac for malware using signature-based detection and blocks known samples from running on your computer.

As is the case with the best antivirus software, Apple frequently updates XProtect so that it can identify new malware strains and variants. Signature-based scanning only catches malware Apple already knows about, though, so last year the company added Background Task Manager, which instead watches for anything that installs itself to run in the background and alerts the user when it happens.

As the name suggests, persistent malware is malware that has installed itself so that it is launched again automatically, for example at boot or at login, rather than running only once. You can find and kill a running malicious process, but if an attacker has achieved persistence on your Mac, their malware will simply come back the next time the trigger fires, which is why a monitor for new persistence items is such a useful signal.

The problem that Wardle highlights is that Apple implemented Background Task Manager in such a way that “any malware that’s somewhat sophisticated can trivially bypass the monitoring.” 

During his research, Wardle discovered two ways to bypass Apple’s tool that don’t require root access. The first is a bug in the way the tool communicates with the macOS kernel, while the other leverages the ability to put processes to sleep, which can stop Mac users from being notified that persistent malware has been installed on their computer.

There’s also a third way, but it requires root access to exploit. Wardle nevertheless insists that Apple needs to address it, since an attacker who has already gained that level of access could use the bug to prevent notifications from appearing, leaving the tool silent at exactly the point where it is supposed to warn you.
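Because the point of Wardle’s research is that the notification itself can be suppressed, a practitioner wants an independent way to see what a Mac is set to launch automatically. The script below is an added example, not code from Apple, Wardle or Tom’s Guide: it parses launchd property lists, the LaunchAgents and LaunchDaemons items that make up one common form of macOS persistence, reports what each one launches and what triggers it, and flags a few traits that deserve a second look. The sample plists, the `com.example.*` labels, the `/Users/alice/...` path and the suspicion heuristics are all constructed assumptions for this example; it covers launchd items only, not login items or other persistence mechanisms.

```python
"""Audit launchd property lists for persistence indicators.

Added example (not Apple's or Wardle's code). The heuristics below are
assumptions for illustration; the sample plists are constructed.
"""
import os
import plistlib
from pathlib import Path
from typing import List, Optional

# Keys that make a launchd job start without user interaction.
TRIGGER_KEYS = (
    "RunAtLoad", "KeepAlive", "StartInterval",
    "StartCalendarInterval", "WatchPaths", "QueueDirectories",
)

# Locations where a legitimately persistent program is unusual (assumption).
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")


def launchd_dirs() -> List[Path]:
    """Directories launchd reads persistence items from (user and system scope)."""
    dirs = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    home = os.environ.get("HOME")
    if home:
        dirs.insert(0, Path(home) / "Library" / "LaunchAgents")
    return dirs


def program_path(job: dict) -> Optional[str]:
    """Return the executable a job launches (Program wins over ProgramArguments[0])."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def audit_launchd_plist(data: bytes, source: str = "<memory>") -> dict:
    """Parse one launchd plist and summarise how (and whether) it persists."""
    job = plistlib.loads(data)
    program = program_path(job)
    # KeepAlive may be a bool or a dict of conditions; any non-empty value counts.
    triggers = [k for k in TRIGGER_KEYS if job.get(k)]
    reasons = []
    if program is None:
        reasons.append("no Program/ProgramArguments")
    else:
        if program.startswith(SUSPICIOUS_PREFIXES):
            reasons.append("program in temp/shared location")
        # parts[1:] skips the leading "/" so only real path components are checked.
        if any(part.startswith(".") for part in Path(program).parts[1:]):
            reasons.append("program under hidden directory")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("runs at load and is kept alive")
    label = job.get("Label")
    if not label:
        reasons.append("missing Label")
    return {
        "source": source, "label": label, "program": program,
        "triggers": triggers, "suspicious": bool(reasons), "reasons": reasons,
    }


def audit_directories(dirs: Optional[List[Path]] = None) -> List[dict]:
    """Audit every .plist in the launchd directories that exist on this host."""
    results = []
    for d in (dirs if dirs is not None else launchd_dirs()):
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                results.append(audit_launchd_plist(p.read_bytes(), str(p)))
            except Exception as exc:  # an unparseable persistence item is itself a finding
                results.append({"source": str(p), "label": None, "program": None,
                                "triggers": [], "suspicious": True,
                                "reasons": [f"unparseable: {exc}"]})
    return results


# Constructed samples, not real files: an ordinary periodic updater agent and a
# hidden agent of the kind a persistence monitor is supposed to flag.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "StartInterval": 3600,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.example.agent",
    "ProgramArguments": ["/Users/alice/Library/.hidden/agent", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for blob, name in ((BENIGN_PLIST, "com.example.updater.plist"),
                       (SUSPICIOUS_PLIST, "com.example.agent.plist")):
        print(audit_launchd_plist(blob, name))
    # On a real Mac this walks the live launchd directories.
    for finding in audit_directories():
        if finding["suspicious"]:
            print(finding)
```

Run it on a Mac and `audit_directories()` walks the live LaunchAgents and LaunchDaemons folders; anything it flags is worth comparing against what Background Task Manager has shown you, since a persistence item that exists on disk but never produced a notification is exactly the gap Wardle describes.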

How to keep your Mac safe from malware

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.
(Image credit: robert coolen/Shutterstock)

When it comes to keeping your Mac safe from malware, the first and most important thing you can do is to make sure you’re running the latest software from Apple. The company frequently releases new software with security updates and patches for known vulnerabilities, so installing them as soon as they become available is your best course of action.

From here, you should also be using one of the best Mac antivirus software solutions on your Mac. Sure, your Mac comes with built-in protection, but XProtect is signature-based and, as Wardle’s research shows, the persistence monitoring that was meant to cover the gap can be bypassed. Third-party antivirus software adds an independently updated detection engine of its own, and paid products often bundle extras like a password manager or VPN.

Now that Wardle has called out Apple’s Background Task Manager publicly, the company will likely be working on a way to improve its ability to detect persistent malware. Still, in the meantime you need to remain vigilant and avoid doing things like clicking on links from unknown senders or downloading attachments from suspicious emails, which can put both your Mac and your data at risk.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.