macOS Security Breach: Malware Bypasses Defenses

macOS Security Flaw Allowed Malware to Bypass Protections
For years, Apple has been consistently strengthening the security infrastructure of macOS to mitigate the risk of malware intrusions. However, a recently identified vulnerability allowed malicious applications to circumvent the majority of macOS’s newer security safeguards with a simple double-click – a scenario that Apple intended to prevent.
Compounding the issue, evidence indicates that a well-known family of Mac malware had been actively exploiting this security gap for several months prior to Apple releasing a patch this week.
Evolution of macOS Malware Defenses
macOS has progressively added mechanisms that raise technical barriers against the most common malware types. In particular, the operating system flags applications downloaded from the internet that may be harmful, including ones disguised as legitimate documents.
Furthermore, if an application hasn't undergone Apple’s review process – known as notarization – or if its developer is unrecognized, the app requires explicit user permission before it can execute.
The Discovered Vulnerability
Security researcher Cedric Owens discovered a bug in mid-March that effectively bypasses these security measures, enabling a malicious application to run without restriction.
Owens explained to TechCrunch that the flaw permitted the creation of a potentially malicious application that appears as a harmless document. Upon opening, this application circumvents macOS’s inherent defenses.
“A user only needs to double-click – no prompts or warnings from macOS are generated,” Owens stated. He demonstrated the bug’s functionality by creating a proof-of-concept application disguised as a document that launched the Calculator app, proving the bypass without deploying actual malware. However, he cautioned that a malicious actor could leverage this vulnerability to gain unauthorized access to a user’s sensitive information by deceiving them into opening a fraudulent document.
Apple’s Response and Remediation
Concerned about the potential for exploitation, Owens promptly reported the vulnerability to Apple.
Apple confirmed to TechCrunch that the bug was addressed in macOS 11.3. Additionally, earlier macOS versions were patched to prevent abuse, and updated rules were deployed to XProtect, macOS’s integrated anti-malware engine, to block malware exploiting the vulnerability.
Technical Explanation of the Bug
At Owens’ request, Mac security researcher Patrick Wardle investigated the root cause of the bug. In a detailed blog post, Wardle explained that the vulnerability stems from a logic error in macOS’s core code.
This error resulted in macOS misclassifying certain application bundles and consequently skipping essential security checks, allowing Owens’ proof-of-concept application to run without interruption.
Essentially, a macOS application is a bundle of multiple files, including a property list file that tells the system where the bundle’s dependent files live. Owens discovered that removing this property list file and structuring the bundle in a specific manner could trick macOS into opening the bundle and executing the contained code without triggering any warnings.
Wardle characterized the bug as effectively nullifying macOS’s security features. He affirmed that Apple’s security updates have resolved the issue. “The update now correctly identifies applications as bundles, ensuring that untrusted, unnotarized applications are blocked, thereby protecting the user,” he explained.
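The bundle layout described above suggests a simple defensive hunt: look for .app directories that carry a runnable payload under Contents/MacOS but no Contents/Info.plist. The script below is an added example, not Wardle’s detection script or Apple’s code; the heuristic (a normal bundle always ships an Info.plist, and a shebang-started payload is a script rather than a native binary) is an assumption, and the two sample bundles are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Added example, not Wardle's released script. Assumed heuristic: a genuine
# app bundle ships Contents/Info.plist, so a bundle with an executable under
# Contents/MacOS but no plist matches the shape of the bypass described above.

def inspect_bundle(app: Path) -> Optional[dict]:
    """Return a finding for one .app directory, or None if it looks normal."""
    contents = app / "Contents"
    macos_dir = contents / "MacOS"
    if (contents / "Info.plist").exists() or not macos_dir.is_dir():
        return None  # has a plist, or is not shaped like an app bundle at all
    payloads = [p for p in macos_dir.iterdir() if p.is_file()]
    if not payloads:
        return None
    # Extra signal only: a payload starting with "#!" is a script, not Mach-O.
    scripts = [p.name for p in payloads if p.read_bytes()[:2] == b"#!"]
    return {"bundle": str(app), "payloads": sorted(p.name for p in payloads),
            "script_payloads": sorted(scripts)}

def scan(root: str) -> list:
    """Walk root and collect every .app bundle lacking Contents/Info.plist."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                finding = inspect_bundle(Path(dirpath) / d)
                if finding:
                    findings.append(finding)
                dirnames.remove(d)  # do not descend into the bundle itself
    return findings

def build_fixture(root: str) -> None:
    """Constructed sample data: one ordinary bundle and one plist-less bundle."""
    good = Path(root) / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    (good / "Info.plist").write_text("<plist/>")
    (good / "MacOS" / "Good").write_bytes(b"\xcf\xfa\xed\xfe")  # stand-in binary
    bad = Path(root) / "Invoice.app" / "Contents" / "MacOS"  # no Info.plist
    bad.mkdir(parents=True)
    (bad / "Invoice").write_bytes(b"#!/bin/sh\necho hello\n")  # script payload

def demo() -> list:
    """Build the fixture in a temp directory and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan(tmp)

if __name__ == "__main__":
    for f in demo():
        print("suspicious bundle:", f)
```

Point scan() at a directory such as ~/Downloads to list bundles worth a closer look; a hit is a lead for manual review, not proof of compromise.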
Evidence of Prior Exploitation
Using his understanding of the bug, Wardle collaborated with Mac security firm Jamf to determine whether the vulnerability had been exploited before Owens’ discovery.
Jamf’s detections team, led by Jaron Bradley, found that a sample of the Shlayer malware family had been exploiting the bug as early as January, several months before Owens’ report. Jamf also published a technical analysis of the malware.
Shlayer Malware and its Tactics
“The malware we identified utilizing this technique is an updated iteration of Shlayer, a malware family initially discovered in 2018. Shlayer is recognized as one of the most prevalent forms of malware on macOS, and we have developed numerous detections for its various strains, closely monitoring its evolution,” Bradley stated.
“Our detection system alerted us to this new variant, and upon further investigation, we confirmed its use of this bypass to enable installation without requiring user confirmation. Our analysis suggests that the malware developers discovered the zero-day vulnerability and adapted their malware to exploit it in early 2021.”
Shlayer is classified as adware that intercepts encrypted web traffic – including connections to HTTPS-enabled websites – and injects its own advertisements, generating illicit revenue for its operators.
“It is frequently disseminated by deceiving users into downloading counterfeit application installers or updaters,” Bradley explained. “This version of Shlayer employs this technique to evade built-in malware scanning and launch without prompting the user for confirmation.”
“Notably, the author has repurposed an older version of the malware and modified it to bypass macOS security features,” Bradley added.
Wardle has also released a Python script to assist users in detecting any potential past exploitation.
This is not the first instance of Shlayer circumventing macOS’s defenses. Last year, Wardle and Peter Dantini discovered a Shlayer sample that had been inadvertently notarized by Apple, a process where developers submit their applications for security review to enable seamless execution on millions of Macs.