A macOS Gatekeeper vulnerability discovered by a security researcher last month has now been exploited in what appears to be a test by an adware company.
Gatekeeper is designed to ensure that Mac apps are legitimate by checking that the code has been signed by Apple. Any app failing that check shouldn’t be allowed to install without the user acknowledging the risk and granting explicit permission to proceed …
However, security researcher Filippo Cavallarin last month drew attention to a problem with this.
Gatekeeper’s functionality can be completely bypassed. In its current implementation, Gatekeeper considers both external drives and network shares as “safe locations.” This means that it allows any application contained in those locations to run without checking the code again. He goes on to explain that the user can “easily” be tricked into mounting a network share drive, and that anything in that folder can then pass Gatekeeper.
So one signed app can be used to authorize other unsigned ones.
Cavallarin acted responsibly in giving Apple 90 days to fix the vulnerability before disclosing it, but says that the company failed to do so and stopped responding to his emails.
The exploitation of the macOS Gatekeeper vulnerability
Security company Intego now says that it has discovered an example of this vulnerability being exploited, seemingly as a test by an adware company.
Early last week, Intego’s malware research team discovered the first known uses of Cavallarin’s vulnerability, which seem to have been used—at least at first—as a test in preparation for distributing malware.
The original mechanism Cavallarin identified was via a zip file, but the sample malware found instead used a disk image.
It seems that malware makers were experimenting to see whether Cavallarin’s vulnerability would work with disk images, too.
The disk image files were either an ISO 9660 image with a .dmg file name, or an actual Apple Disk Image format .dmg file, depending on the sample. Normally, an ISO image has a .iso or .cdr file name extension, but .dmg (Apple Disk Image) files are much more commonly used to distribute Mac software. (Incidentally, several other Mac malware samples have recently been using the ISO format, possibly in a weak attempt to avoid detection by anti-malware software.)
Intego observed four samples that were uploaded to VirusTotal on June 6, seemingly within hours of the creation of each disk image, that all linked to one particular application on an Internet-accessible NFS server.
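One check a triage analyst can make on samples like these is to classify the disk image by its on-disk magic bytes rather than by its file name, so an ISO 9660 image carrying a .dmg name stands out. The following Python is an added example, not code from this article or from Intego; the two image blobs it inspects are constructed byte strings that carry only the format signatures, not real malware.

```python
import os
from typing import Tuple

# ISO 9660: the primary volume descriptor sits at sector 16 (offset 0x8000)
# and carries the identifier "CD001" at byte 1 of that sector.
ISO_PVD_OFFSET = 0x8000
ISO_MAGIC = b"CD001"
# Apple UDIF (.dmg): the file ends with a 512-byte trailer that begins "koly".
UDIF_TRAILER_SIZE = 512
UDIF_MAGIC = b"koly"

# Extensions a file of each detected format would normally carry.
EXPECTED_EXTENSIONS = {
    "iso9660": {".iso", ".cdr"},
    "udif-dmg": {".dmg"},
}


def detect_image_format(data: bytes) -> str:
    """Identify the container by magic bytes: 'iso9660', 'udif-dmg' or 'unknown'."""
    pvd_id = data[ISO_PVD_OFFSET + 1 : ISO_PVD_OFFSET + 1 + len(ISO_MAGIC)]
    if pvd_id == ISO_MAGIC:
        return "iso9660"
    if len(data) >= UDIF_TRAILER_SIZE and data[-UDIF_TRAILER_SIZE:].startswith(UDIF_MAGIC):
        return "udif-dmg"
    return "unknown"


def check_sample(filename: str, data: bytes) -> Tuple[str, bool]:
    """Return (detected format, True if the extension does not match that format).

    'unknown' never counts as a mismatch: a raw read/write HFS+ image has
    neither signature, so a miss here is not evidence that a file is benign.
    """
    fmt = detect_image_format(data)
    ext = os.path.splitext(filename)[1].lower()
    mismatch = fmt in EXPECTED_EXTENSIONS and ext not in EXPECTED_EXTENSIONS[fmt]
    return fmt, mismatch


def constructed_iso_image() -> bytes:
    """Constructed stand-in for an ISO 9660 image: zero sectors up to the PVD,
    then a minimal descriptor header (type 1, 'CD001', version 1)."""
    pvd = b"\x01" + ISO_MAGIC + b"\x01"
    return b"\x00" * ISO_PVD_OFFSET + pvd.ljust(2048, b"\x00")


def constructed_dmg_image() -> bytes:
    """Constructed stand-in for a UDIF .dmg: filler payload plus a trailer whose
    only realistic field is the 'koly' signature."""
    trailer = UDIF_MAGIC.ljust(UDIF_TRAILER_SIZE, b"\x00")
    return b"\x00" * 4096 + trailer


if __name__ == "__main__":
    samples = [
        ("Flash Player.dmg", constructed_iso_image()),   # the mismatch seen in the wild
        ("Flash Player.dmg", constructed_dmg_image()),   # genuine UDIF, name matches
        ("image.iso", constructed_iso_image()),          # ISO with its usual name
    ]
    for name, blob in samples:
        fmt, mismatch = check_sample(name, blob)
        flag = "  <-- extension does not match format" if mismatch else ""
        print(f"{name}: {fmt}{flag}")
```

The mismatch on its own is not proof of malice, since legitimate tooling occasionally misnames images, but combined with a Flash Player lure and a link out to a network share it is a cheap, deterministic signal worth surfacing in a sandbox or mail-gateway pipeline.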
Identifying the culprit
Intego says there is good reason to suspect the test was performed by the developers of the OSX/Surfbuyer adware.
The disk images are disguised as Adobe Flash Player installers, which is one of the most common ways malware creators trick Mac users into installing malware. The fourth OSX/Linker disk image is code-signed by an Apple Developer ID—Mastura Fenny (2PVD64XRF3)—that has been used to sign literally hundreds of fake Flash Player files over the past 90 days, associated with the OSX/Surfbuyer adware family.
The company says the example spotted didn’t do anything other than create a temporary text file, lending weight to the idea that this was just a test, and the files have since been removed from the server, but that could quickly change.
Because the .app inside the disk images is dynamically linked, it could change on the server side at any time—without the disk image needing to be modified at all. Thus, it’s possible that the same disk images (or newer versions that were never uploaded to VirusTotal) could later have been used to distribute an app that actually executed malicious code on a victim’s Mac.
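Because the payload lives on the server rather than in the image, the image itself is the artifact a defender can inspect. The scanner below is an added example, not Intego’s tooling, and it rests on one assumption: that the “dynamically linked” .app is a filesystem symbolic link whose target resolves through macOS’s NFS automounter (a path under /net/). It walks a mounted or extracted image without following links and reports any link whose target leaves the image; it goes a little beyond the Intego sample by also flagging links into /Volumes/ (external drives, which the vulnerability report above says Gatekeeper likewise treats as safe). The image tree it scans is constructed in a temporary directory, and example.invalid is a placeholder host.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# Prefixes under which macOS exposes automounted NFS exports (/net/<host>/<export>)
# and mounted volumes such as external drives.
AUTOMOUNT_PREFIX = "/net/"
VOLUMES_PREFIX = "/Volumes/"


def link_verdict(root: str, link_path: str) -> Optional[str]:
    """Classify one symlink found under `root` (the mounted or extracted image).

    Returns None for links that stay inside the image, otherwise a reason string.
    """
    target = os.readlink(link_path)
    if os.path.isabs(target):
        resolved = os.path.normpath(target)
    else:
        # Relative links are resolved against the directory holding the link.
        resolved = os.path.abspath(os.path.join(os.path.dirname(link_path), target))
    root_abs = os.path.abspath(root)
    if resolved == root_abs or resolved.startswith(root_abs + os.sep):
        return None
    if resolved.startswith(AUTOMOUNT_PREFIX):
        return "nfs-automount"
    if resolved.startswith(VOLUMES_PREFIX):
        return "other-volume"
    return "escapes-image"


def find_external_links(root: str) -> List[Tuple[str, str, str]]:
    """Walk the image without following links; return (relative path, target, reason)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # A symlink to a directory shows up in dirnames but is never descended into;
        # a dangling link (typical for /net/ targets on an offline box) is in filenames.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                reason = link_verdict(root, path)
                if reason is not None:
                    findings.append((os.path.relpath(path, root), os.readlink(path), reason))
    return findings


def build_constructed_image(base: str) -> str:
    """Lay out a constructed image tree (not a real sample) with one link that
    would resolve through the automounter and one harmless relative link."""
    root = os.path.join(base, "Flash Player")
    os.makedirs(os.path.join(root, "Payload.app", "Contents"))
    # example.invalid is a placeholder host; any /net/ target is the pattern of interest.
    os.symlink("/net/example.invalid/export/Installer.app",
               os.path.join(root, "Install Flash Player.app"))
    os.symlink(os.path.join("Payload.app", "Contents"), os.path.join(root, "Contents-alias"))
    return root


def demo() -> List[Tuple[str, str, str]]:
    """Build the constructed image in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_external_links(build_constructed_image(tmp))


if __name__ == "__main__":
    for rel, target, reason in demo():
        print(f"{reason}: {rel} -> {target}")
```

Run against a real image on macOS, point `find_external_links` at the volume hdiutil mounted (for example a path under /Volumes/) and treat any `nfs-automount` hit as a reason to block the sample outright: a link that resolves to a remote export means the code that would actually run is whatever the server serves at that moment, which is exactly the property the passage above describes.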
Intego has reported the Apple Developer ID to Apple so that the company can revoke the certificate.
As always, best practice is to only download apps from the Mac App Store and other sources you explicitly trust, noting that this vulnerability would allow a bad actor to supply malware alongside a legitimate app.