New Mac Malware Sails Right Through Apple's Defenses

A zero-day software flaw — one that gets exploited before the software maker has had a chance to find and patch it — is every software developer’s worst nightmare.

(Image credit: Pixabay)

You can imagine how unhappy Apple must be, then, that a zero-day flaw exists in macOS, and that it may have already been exploited in the wild. To make matters worse, the flaw tricks the operating system’s own Gatekeeper program, which is designed to keep Mac users safe from potentially harmful foreign files.

At present, there’s nothing you can really do about the flaw, except to make sure you're running Mac antivirus software, which might catch the malware. The good news is that exercising common sense online ought to keep you safe.


To understand the threat, you’ll need to understand the two separate, but related, issues at play: a Gatekeeper vulnerability and an actual malware package called OSX/Linker. Security researcher Filippo Cavallarin disclosed the vulnerability on May 24, while Seattle-based Mac-security-software maker Intego discovered malware taking advantage of that vulnerability last week.

The OSX/Linker malware is easy enough to understand. It’s just a piece of malicious software that attempts to hijack control of your system. From there, it can turn your machine into a cryptocurrency miner, draft it into a botnet, leverage it for personal information — you know the drill.

As such, you also already know how to avoid it. Don’t download anything from an unknown source, and steer especially clear of suspicious ZIP files or disk images.

Intego's own Mac antivirus program is able to detect OSX/Linker, and other Mac antivirus programs will soon if they don't already, so run any file in question through a virus-scanner first, and you should be fine. This is especially true since OSX/Linker has shown up only four times in the wild, and it’s not clear whether anyone even downloaded it.

Tom's Guide has reached out to Apple for comment, and we will update this story when we receive a reply.

The flaw

If you’re curious how the vulnerability works, it’s actually quite clever. The flaw takes advantage of two well-meaning systems built right into macOS: automount and Gatekeeper. Briefly, automount lets you connect external drives and access them right away, rather than having to grant access manually. (Think about how tedious it would be to mount a thumb drive by hand every time you inserted it.)

Gatekeeper is a macOS security mechanism that distinguishes among files downloaded from the internet, files transferred from an external or network drive, and files that come from Apple's own Mac App Store. Files downloaded from the internet get passed on to macOS' XProtect antivirus screener to be checked for malicious software, but Gatekeeper leaves files from local drives alone and lets them pass through. This generally makes sense, too; you wouldn’t plug in a USB drive of unknown origins, after all. (We hope.)
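The way Gatekeeper tells a downloaded file from a local one is the com.apple.quarantine extended attribute that browsers and other downloading apps stamp on files; a file without it is the "local drive" case the paragraph describes. The script below is an added example, not code from the article, Intego or Cavallarin: it parses that attribute's value (assumed here to be the semicolon-separated form "flags-hex;unix-time-hex;agent;uuid") and, on a Mac, reads it with the stock xattr command so you can see which files Gatekeeper would actually screen. The sample value is constructed.

```python
"""Inspect the com.apple.quarantine extended attribute that Gatekeeper
consults when deciding whether a file counts as downloaded from the internet.
Added example; the attribute layout below is an assumption from observed
values, not documented by the article."""
import os
import subprocess
import sys
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Parse '<flags-hex>;<unix-time-hex>;<agent-name>[;<uuid>]'.

    Raises ValueError on anything that does not have at least three fields,
    so a malformed attribute is reported rather than silently treated as safe.
    """
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(fields[0], 16)
    timestamp = int(fields[1], 16)
    return {
        "flags": flags,
        "downloaded_at": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "agent": fields[2],                      # app that stamped the file
        "uuid": fields[3] if len(fields) > 3 else None,
    }


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute string for *path*, or None if it is absent.

    macOS: use the bundled `xattr -p` command (Python's os.getxattr is
    Linux-only). Linux: os.getxattr, mainly useful for files copied off a Mac.
    Elsewhere, or if the attribute is missing, return None, i.e. the file
    would NOT be screened by Gatekeeper.
    """
    if sys.platform == "darwin":
        proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                              capture_output=True, text=True)
        return proc.stdout if proc.returncode == 0 and proc.stdout else None
    if hasattr(os, "getxattr"):
        try:
            return os.getxattr(path, QUARANTINE_XATTR).decode("utf-8", "replace")
        except OSError:       # attribute absent, file missing, or unsupported FS
            return None
    return None


def classify(path: str) -> str:
    """Human-readable verdict on whether Gatekeeper would screen *path*."""
    raw = read_quarantine(path)
    if raw is None:
        return "no quarantine attribute (Gatekeeper will not screen this file)"
    info = parse_quarantine(raw)
    return (f"quarantined by {info['agent']} at "
            f"{info['downloaded_at']:%Y-%m-%d %H:%M:%SZ} "
            f"(flags 0x{info['flags']:04x})")


# Constructed sample value in the shape a browser download produces.
SAMPLE_VALUE = "0083;5cf6a3e2;Safari;12345678-ABCD-4EF0-9876-ABCDEF012345"

if __name__ == "__main__":
    print(parse_quarantine(SAMPLE_VALUE))
    for p in sys.argv[1:]:          # usage: python quarantine_check.py FILE...
        print(p, "->", classify(p))
```

Run it against a freshly downloaded ZIP and against the same ZIP copied from a mounted network volume and you will see the two verdicts the paragraph contrasts; only the first would be handed to XProtect.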

Without going into too much technical detail, Cavallarin was able to essentially trick Gatekeeper into thinking that a downloaded ZIP file came from a local-network source. As such, Gatekeeper ignored it, allowing the ZIP to run a malicious hijacking app.

Cavallarin contacted Apple about the flaw back in February, but since Apple did not offer up a fix in a timely manner, he made details of the flaw public in May.

The malware

The flaw is potentially quite dangerous, especially since it’s not very difficult to pull off from a programming perspective. But while OSX/Linker takes advantage of the flaw, it’s not clear whether the Linker is a tremendously dangerous piece of malware by itself.

Intego doesn’t describe exactly what OSX/Linker does, but it’s probably a hijacking script, like Cavallarin’s test program. It’s been uploaded only four times to the online malware repository VirusTotal, and even then, it doesn’t seem like the program was supposed to get very far.

OSX/Linker could be a highly targeted attack, but it could just as easily be a security researcher trying out the flaw for himself to see if he could get it to work. One of the files shares signatures with a Mac adware program called OSX/Surfbuyer, however, so take that for what it’s worth. Either way, you’re not likely to come across OSX/Linker anytime soon unless you go looking for it.

As we said above, there’s no way to mitigate the Gatekeeper flaw entirely, since Apple has not deployed a fix yet. Cavallarin suggests that you could disable automounting (there are instructions in his piece to do so), but it’s just his best guess; it’s not guaranteed to work. This would also make attaching external drives that much more difficult, so weigh your options accordingly.

In the meantime, your best bet is to be very wary about what you download online, and keep your Mac patched whenever new system software becomes available. Of course, you should already be doing those two things; if so, you’re good to go.