Malware on a Mac that Can Live Forever - Is It Possible?

Posts by: John Ress

A serious flaw in Apple's macOS could enable remote attackers to place malware on a Mac that could potentially stay there permanently. Most Mac owners are told that their devices are malware-proof, but recent security research proves otherwise.

Here's the thing:

Apple's solid software defenses make it challenging for malware to persist on Apple computers for a long period, even when it has managed to penetrate the system. Additionally, the current paths and patterns that attackers use to infiltrate macOS are well known to technicians and malware scanners, which can flag them quickly.

Apparently, it's not the case anymore:

At the last Virus Bulletin Conference in Montreal, a Mac security researcher named Thomas Reed presented a serious security flaw that he had discovered on macOS, which was largely unknown to most Mac users and administrators. The potentially dangerous fault is related to the way macOS handles apps' code signatures.

When an app installer is launched on a Mac, a program called Gatekeeper checks to see whether the app came from the Mac App Store or is carrying a digital signature that confirms the developers behind the app are registered with Apple. By checking the apps' code signatures, Gatekeeper can warn users if an app contains malware.

Reed noticed that once an app or program passed this code signature check and was installed, macOS would never re-check it. This gap means that attackers who purchase an authentic certificate from Apple (or steal one) can trick Mac users into installing their malicious program, which in turn can modify other legitimate programs installed on the Mac. The malicious code can then stay hidden and run in the background indefinitely while dodging malware detectors and scanners.

Reed wanted to test how difficult it would be to write malware that manipulates other programs in order to hide inside them. He found that almost anybody can do it, as it only requires some basic scripting and Swift knowledge – something you can learn in just a few hours – and that is what makes this security issue much scarier.

Reed mentioned that this danger could be reduced by building additional periodic code signature checks into an app, run throughout its lifetime. While this step is not very time-consuming, it is still rare and is found in hardly any macOS apps. Apple could also adjust macOS to perform regular code signature checks, but so far Apple hasn't said whether it has any plans to develop such a procedure, even though the issue was reported back in 2007.

Some aspects of this attack have been seen in the past, but modifying a program's code after it has been installed represents a new attack vector. Reed, who is the director of Mac and mobile research at Malwarebytes, said he hasn't seen any malware exploiting this flaw so far and stressed the importance of adding voluntary code checks to macOS or to Mac apps. He stated that his company has added code signature verification to its Mac products, which now perform a check every time they launch.
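To make the mitigation from the two preceding paragraphs concrete, here is an added example (not Reed's, Malwarebytes' or Apple's code) of an app that re-verifies its own bundle's code signature at launch and then periodically, using Apple's Security framework. It assumes the app is signed with a Developer ID certificate; `TEAMID` is a placeholder for the developer's team identifier, and the 600-second interval is an arbitrary choice.

```swift
import Foundation
import Security

/// Outcome of one verification pass over the bundle on disk.
enum SignatureCheck {
    case valid
    case invalid(OSStatus)
}

/// Re-hashes the executable and sealed resources at `bundleURL` against the
/// embedded signature (the check Gatekeeper performs once at install time),
/// and optionally confirms the signer satisfies a code-signing requirement.
/// Added example; `requirement` and `TEAMID` below are assumptions.
func verifySignature(of bundleURL: URL, requirement: String? = nil) -> SignatureCheck {
    var staticCode: SecStaticCode?
    var status = SecStaticCodeCreateWithPath(bundleURL as CFURL, SecCSFlags(), &staticCode)
    guard status == errSecSuccess, let code = staticCode else {
        return .invalid(status)
    }

    var req: SecRequirement?
    if let text = requirement {
        status = SecRequirementCreateWithString(text as CFString, SecCSFlags(), &req)
        guard status == errSecSuccess else {
            return .invalid(status)
        }
    }

    // Fails if any sealed file or the main executable no longer matches the
    // signature, or if the signer does not meet the requirement.
    status = SecStaticCodeCheckValidity(code, SecCSFlags(), req)
    return status == errSecSuccess ? .valid : .invalid(status)
}

/// Requirement string: signed via Apple's Developer ID program by team TEAMID.
/// TEAMID is a placeholder to be replaced with the real team identifier.
let designatedRequirement =
    "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID\""

/// Runs the check and refuses to keep running if the bundle was tampered with.
func enforceIntegrity() {
    switch verifySignature(of: Bundle.main.bundleURL, requirement: designatedRequirement) {
    case .valid:
        NSLog("Code signature verified for %@", Bundle.main.bundleURL.path)
    case .invalid(let status):
        NSLog("Code signature check FAILED (OSStatus %d); exiting", status)
        exit(EXIT_FAILURE)
    }
}

// Check once at launch, then every 600 seconds for the lifetime of the app.
enforceIntegrity()
Timer.scheduledTimer(withTimeInterval: 600, repeats: true) { _ in
    enforceIntegrity()
}
RunLoop.main.run()
```

An administrator can perform the same on-disk verification by hand with `codesign --verify --deep --strict --verbose=2 /Applications/SomeApp.app`, which reports any sealed resource or executable that no longer matches the signature; a non-zero exit status on a bundle that verified at install time is exactly the post-install modification the research describes.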

So, you might be wondering what you should do:

It is always a good idea to install some sort of antivirus for Macs, for general peace of mind that your device and data are safe and secure. Additionally, try to download only trusted apps, from the Mac App Store or from sources you're familiar with.