Hackers bypass Gatekeeper to expose malware as legitimate apps for Macs

One of the protections Apple offers its Mac users is Gatekeeper. Introduced in 2012 with OS X 10.8 Mountain Lion (learn more about it here), it is a feature that restricts the apps the operating system will run to those signed by developers certified through Apple's developer program, whether they are distributed through the Mac App Store or through third-party channels with a digital signature.

This is not a foolproof defense against malware, but it has always addressed a critical security point in OS X, which is how third-party apps are obtained: after all, imposing an App Store the way iOS does would be impractical for Macs. Unless you turn it off, you can count on it as a mechanism to neutralize social engineering attacks that trick users into malicious downloads, or downloads over unsecured connections, because it validates the package signature.

However, there are some design limitations in Apple's approach that make Gatekeeper easy to get around. Patrick Wardle, a researcher at Synack, described to Ars Technica a method that allows a legitimate, signed application to be used to load other executables and malicious files without violating the OS X code signing rule.

Basically, Gatekeeper does nothing more than validate the signature of the executable portion of an application on its first launch; from then on, the system fully trusts whatever that application does. But certain applications execute code from files developed separately by third parties (Photoshop with its plugins, for example). So if you package one of these apps together with files of that kind that have been maliciously modified, the system will not validate those additional components, and the trust granted to the signed app extends to them.
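The gap described above is between the signed main executable and the other executable files shipped alongside it. The following script, an added example that is not part of the original article, walks an app bundle directory, finds every Mach-O file by its magic number, and (when run on macOS, where the codesign tool exists) asks codesign to verify each one individually; the sample bundle it builds is constructed for illustration, and the "--strict" verification call is the standard codesign invocation, not something specific to this article.

```python
import os
import shutil
import subprocess
import tempfile

# Mach-O magic numbers: 32/64-bit in both byte orders, plus the fat (universal) header.
# Note: 0xcafebabe is also the Java class-file magic, so a match is a strong hint, not proof.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe"}


def is_macho(path):
    """Return True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_executables(bundle_dir):
    """List every Mach-O file under the bundle (symlinks skipped), sorted for stable output."""
    found = []
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            p = os.path.join(root, name)
            if not os.path.islink(p) and is_macho(p):
                found.append(p)
    return sorted(found)


def verify_signatures(bundle_dir):
    """Map each Mach-O path to True/False (codesign passed/failed) or None when codesign is absent."""
    codesign = shutil.which("codesign")  # only present on macOS
    results = {}
    for p in find_executables(bundle_dir):
        if codesign is None:
            results[p] = None
            continue
        proc = subprocess.run([codesign, "--verify", "--strict", p],
                              capture_output=True, text=True)
        results[p] = proc.returncode == 0
    return results


def build_sample_bundle():
    """Constructed bundle: one fake Mach-O 'main' binary, one fake Mach-O plugin, one text file."""
    base = tempfile.mkdtemp(prefix="Sample.app-")
    os.makedirs(os.path.join(base, "Contents", "MacOS"))
    os.makedirs(os.path.join(base, "Contents", "PlugIns"))
    with open(os.path.join(base, "Contents", "MacOS", "Sample"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    with open(os.path.join(base, "Contents", "PlugIns", "helper.dylib"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    with open(os.path.join(base, "Contents", "Info.plist"), "w") as f:
        f.write("<plist/>")
    return base
```

Every path reported with False (or, off macOS, every path beyond the main binary) is a component whose trust rests only on the bundle around it.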

Wardle demonstrated the scenario at a hacking conference in Prague. With it, it would be possible to distribute malicious applications whose code can perform various functions locally with the same privileges as the original product. Because the signed software is trusted, its auxiliary files face no restrictions when they are called during its operation.

According to Wardle, Apple is already working to resolve this limitation in Gatekeeper's protection. This is not a high-impact exploitation possibility for most Mac users, but anyone who needs to run software without the protection of OS X's digital signature check needs to be careful about what they download from the internet while the issue remains open.