Hackers can exploit Mac’s Malware Gatekeeper tool with a new exploit and install malicious apps

In 2012, Apple introduced Gatekeeper as an added layer of security for its Mac OS X desktop operating system. This feature was designed to keep even the most advanced users from accidentally installing malicious software on their computers. Gatekeeper checks the digital certificate of an application that is being installed on a Mac to make sure that it has been signed by an approved developer, or that the download comes directly from the Apple App Store.

However, it has been found that Gatekeeper allows hackers to sneak malware onto your Mac by completely bypassing the famous Mac security. Using a specially crafted exploit, attackers are able to open a malicious Mac app even if the Mac is configured to open only apps downloaded from the App Store.

The exploit was discovered by Patrick Wardle, director of research at security firm Synack. Wardle found that the exploit is made possible thanks to a key design shortcoming in Gatekeeper that allows an attacker to use a binary file already trusted by Apple to execute malicious files.

Wardle has found a widely available binary that’s already signed by Apple, which upon execution runs a separate app located in the same folder. Due to security concerns, the names of the files have not been disclosed. Therefore, let’s call them Binary 1 and Binary 2.

What the Gatekeeper exploit does is simple: it renames Binary 1 and then packages it inside an Apple disk image. Since the renamed Binary 1 is already signed by Apple itself, it will immediately be approved by Gatekeeper and be executed by OS X.

After gaining access to the core OS, Binary 1 will search for Binary 2 located in the same folder, which in this case is the downloaded disk image. As Gatekeeper checks only the original file an end user clicks on, Wardle’s exploit swaps out the legitimate Binary 2 with a malicious one and bundles it in the same disk image under the same file name. Since Binary 2 needs no digital certificate to run, it can install anything the attacker wants.

A similar method also works with plugins (say, Photoshop add-ons) which can bypass Gatekeeper: Find an app that loads plugins, substitute your malware for one of those plugins and again Gatekeeper pays no attention.
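Because only the file the user clicks on is checked, a defender inspecting a mounted disk image can look at every other executable that ships beside it. The following is an added example, not code from the article or from Wardle's research: it walks a folder, parses little-endian thin and universal Mach-O headers, and lists files that carry no `LC_CODE_SIGNATURE` load command. All function names and the sample files are constructed for illustration.

```python
import pathlib
import struct
import tempfile

LC_CODE_SIGNATURE = 0x1D                  # load command holding the embedded signature
THIN = {0xFEEDFACE: 28, 0xFEEDFACF: 32}   # thin Mach-O magic -> header size
FAT_MAGIC = 0xCAFEBABE                    # universal binary (big-endian header)

def thin_signed(data, off=0):
    """True/False for a little-endian thin Mach-O at off; None if not one."""
    if len(data) < off + 32 or struct.unpack_from("<I", data, off)[0] not in THIN:
        return None
    magic, ncmds = struct.unpack_from("<I12xI", data, off)
    pos, last = off + THIN[magic], len(data) - 8
    while ncmds > 0 and pos <= last:
        cmd, size = struct.unpack_from("<2I", data, pos)
        if cmd == LC_CODE_SIGNATURE:
            return True
        pos, ncmds = pos + max(size, 8), ncmds - 1  # max() guarantees progress
    return False

def signed(data):
    """Universal files count as signed only if every slice is."""
    if len(data) < 8 or struct.unpack_from(">I", data)[0] != FAT_MAGIC:
        return thin_signed(data)
    n = struct.unpack_from(">I", data, 4)[0]
    if n == 0 or n > 32 or len(data) < 8 + 20 * n:  # Java .class shares this magic
        return None
    offsets = [struct.unpack_from(">I", data, 16 + 20 * i)[0] for i in range(n)]
    return all(thin_signed(data, o) for o in offsets)

def unsigned_machos(root):
    """Relative paths of Mach-O files under root with no signature load command."""
    return sorted(str(p.relative_to(root)) for p in pathlib.Path(root).rglob("*")
                  if p.is_file() and signed(p.read_bytes()) is False)

def sample(sig):  # constructed header + one load command, not a real binary
    lc = struct.pack("<4I", LC_CODE_SIGNATURE if sig else 0x1B, 16, 0, 0)
    return struct.pack("<8I", 0xFEEDFACF, 0x01000007, 3, 2, 1, 16, 0, 0) + lc

def demo():
    """Constructed folder: a signed launcher beside an unsigned helper."""
    with tempfile.TemporaryDirectory() as root:
        for name, sig in (("Launcher", True), ("helper", False)):
            pathlib.Path(root, name).write_bytes(sample(sig))
        return unsigned_machos(root)

if __name__ == "__main__":
    print(demo())
```

The presence of the load command only shows that a signature is embedded, not that it is valid or from a trusted signer; on a Mac, `codesign --verify` performs the actual verification.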

These bundled files can install varied types of malware, including password loggers, apps that can capture audio and video, and botnet software.

The Gatekeeper exploit works on all Mac OS X versions, including El Capitan and Yosemite. Wardle stated that he was successfully able to test his exploit on the beta version of El Capitan.

Talking about security and privacy, Patrick Wardle made a good point by saying that:

“If I can find it, you have to assume groups of hackers or more sophisticated nation states have found similar weaknesses. I’m sure there are other Apple-signed apps out there that can also be abused to bypass Gatekeeper.”

Wardle says that the vulnerability was reported 60 days ago and that he plans to present his findings at the Virus Bulletin International Conference on Thursday in Prague. Meanwhile, Apple is aware of the flaw and is working on a patch to fix the underlying cause. Though it’s not clear when the fix will arrive, the only advice until then would be to get apps only from those sources you can trust.

