Malware on Apple’s MacBook and iMac lines is more prevalent than some users realize; it can even hide in Apple’s curated Mac App Store. But the relatively strong defenses of macOS make it challenging for malware authors to persist long-term on Apple computers, even if they can get an initial foothold. Additionally, the avenues available for lurking on macOS are so well known at this point that technicians and malware scanners can flag them quickly. That’s why more subtle approaches are significant.
At the Virus Bulletin security conference in Montreal on Wednesday, Mac security researcher Thomas Reed is presenting one such potentially dangerous opening. When you launch an app installer in macOS, a program called Gatekeeper checks to see whether the app originated from the Mac App Store, or is cryptographically signed by a developer who has registered with Apple. All legitimate programs have to be “code signed” to establish their validity and integrity. By checking a file’s code signature, Gatekeeper can warn you if a program is malware or if someone has tampered with an otherwise benign installer.
These code signature checks are a vital security step. But Reed, who is the director of Mac and mobile platforms at the security firm Malwarebytes, has noticed that once a program passes a code signature check and gets installed, macOS never rechecks its signature. This means that attackers who buy a legitimate certificate from Apple—or steal one—can potentially trick Mac users into installing their malware. And if it manages to infect other legitimate programs after being downloaded, it could evade detection indefinitely.
“Once you have opened an app, you will never get a code signature check ever again on macOS,” Reed says. “So even if it has been maliciously modified or damaged and the code signature is invalid, the OS will not check it again. That provides a big open window for malware persistence. If the malware can infect some of your apps that are already on disk then it can get in there and stay hidden—you’ll never think to look for it there and it can run in the background without you being any the wiser.”
In some cases, updating an application might trigger a code check or write over any malicious manipulations, but Reed says this isn’t reliable, since many developers only build in a code signature check for the update code and not the base application itself. Reed says that developers could help reduce the potential exposure by building in voluntary periodic code signature checks throughout the life of an app. As a result of this research, Reed himself added code signature verification to Malwarebytes Mac products so they now perform a check every time they launch. “It’s doable,” he says. “It’s an extra step, but it’s not that resource intensive.”
Though some other applications have this feature, Reed says it’s still very rare. Apple could also adjust macOS to more regularly check code signing, but the company did not return a request from WIRED for comment on whether it has any plans to consider the change.
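The kind of voluntary launch-time check described above, as an added illustration (this is not Malwarebytes' or Apple's code): the program asks the Security framework to re-validate its own signature and to confirm the signer is its own team, and refuses to run if either fails. It assumes Developer ID distribution and uses a placeholder Team ID.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns YES only if this process's code (executable, nested code and sealed
// resources) still matches its signature AND the signer is the expected team.
static BOOL VerifyOwnCodeSignature(NSString *expectedTeamID, OSStatus *outStatus) {
    SecCodeRef me = NULL;
    SecStaticCodeRef staticCode = NULL;
    SecRequirementRef req = NULL;

    // Developer ID chain: Apple root, Developer ID intermediate, Developer ID
    // Application leaf issued to our Team ID (assumed distribution model).
    NSString *reqText = [NSString stringWithFormat:
        @"anchor apple generic"
         " and certificate 1[field.1.2.840.113635.100.6.2.6] exists"
         " and certificate leaf[field.1.2.840.113635.100.6.1.13] exists"
         " and certificate leaf[subject.OU] = \"%@\"", expectedTeamID];

    OSStatus status = SecCodeCopySelf(kSecCSDefaultFlags, &me);
    if (status == errSecSuccess)
        status = SecCodeCopyStaticCode(me, kSecCSDefaultFlags, &staticCode);
    if (status == errSecSuccess)
        status = SecRequirementCreateWithString((__bridge CFStringRef)reqText,
                                                kSecCSDefaultFlags, &req);
    if (status == errSecSuccess) {
        // Strict validation of every architecture slice, nested code (frameworks,
        // helpers) and resources: a patched executable or added dylib fails here.
        SecCSFlags flags = kSecCSCheckAllArchitectures | kSecCSCheckNestedCode
                         | kSecCSStrictValidate;
        status = SecStaticCodeCheckValidity(staticCode, flags, req);
    }
    if (req) CFRelease(req);
    if (staticCode) CFRelease(staticCode);
    if (me) CFRelease(me);
    if (outStatus) *outStatus = status;
    return status == errSecSuccess;
}

int main(void) {
    @autoreleasepool {
        OSStatus status = errSecSuccess;
        // "TEAMID0000" is a placeholder for the developer's real Apple Team ID.
        if (!VerifyOwnCodeSignature(@"TEAMID0000", &status)) {
            CFStringRef msg = SecCopyErrorMessageString(status, NULL);
            NSLog(@"Refusing to run: code signature check failed (%d: %@)", (int)status, msg);
            if (msg) CFRelease(msg);
            return 1;
        }
        NSLog(@"Code signature intact; continuing launch");
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security verify_self.m -o verify_self` and sign the result with your Developer ID certificate; an unsigned, modified or re-signed copy exits with status 1 instead of running.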
Reed says the issue has been present since OS X Leopard, released in 2007. He notes, though, that advances in how macOS handles permissions and secures different operating system layers could actually help make it easier for Apple to implement code signing validation. The company could cut down on the total number of checks the operating system has to do, for instance, by skipping the system processes that are unalterable even with root access to the device.
Reed hasn’t seen any malware that capitalizes on the opening so far, which he views as an opportunity to raise awareness now about the need for voluntary code checks. As part of his research, Reed tested how difficult it would be to write malware that manipulates other programs to hide inside them; all it took was combining a few development tools he found online.
“Nobody had connected the dots as far as I could see, but it’s pretty easy. The fact that I was able to do it in a few hours means that a script kiddie could pull off something like this,” he says. “And it’s not that there’s a vulnerability in those apps, it’s just that if they’re not doing code signature checks, which most apps don’t, then you can slip your code in there.”