New malware can bypass macOS permissions

May 25, 2021 06:58 GMT  ·  By

Last month, security researchers revealed that a notorious malware family had exploited a never-before-seen flaw. The vulnerability allowed the malware to bypass macOS security defenses and run unimpeded, and there are indications that macOS may be targeted again in the future.

Jamf claims it has found evidence of a vulnerability that allows XCSSET to access parts of macOS that require user permission, such as the microphone, the camera, or screen recording, without the user's consent.

XCSSET was first found by Trend Micro in 2020 targeting Apple developers, particularly the Xcode projects used to write and build apps. By infecting app development projects, developers unknowingly spread the malware to their own users in what Trend Micro researchers described as a supply-chain-like attack. The malware is still under active development, with later versions even targeting Macs with the new M1 chip.

After the malware runs on a victim's computer, it uses two zero-day exploits. The first is used to steal cookies from Safari and gain access to the victim's credentials. The second is used to silently install a Safari production version, enabling the attackers to modify and snoop on almost any website.

Recently discovered malware can bypass permissions

Jamf said the malware used a previously unknown third zero-day to take hidden screenshots of the victim's wallpaper.

Generally speaking, macOS asks for the user's permission before an application is allowed to record the screen, access a microphone or camera that is built in or attached to the system, or open storage. However, the malware circumvented these permissions by inserting malicious code into legitimate applications.

In a blog post, Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained that the malware looks for other applications on the victim's device that already hold screen-sharing permissions, such as Zoom, WhatsApp, and Slack. The malicious code piggybacks on the legitimate application and inherits its permissions from macOS. The malware then signs the new app bundle with a fresh certificate so that it is not blocked.

Jamf Protect provides analytics that detect and prevent potential exploitation of this vulnerability. This is done by checking whether one application is bundled inside another. If such a match is found, the digital signatures of the two applications are compared, and any mismatch between them is detected when the signatures are checked.
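As an added illustration of the check described above (this is example code, not Jamf Protect's own logic), the script below walks a directory tree for app bundles nested inside other app bundles and compares the Team ID that `codesign -dv --verbose=4` reports for the host and the nested bundle. The function names, the `identity` hook used for offline testing, and all paths are assumptions made for this example; legitimate apps also ship nested helper bundles, so only a signer mismatch is reported.

```python
# Added example, not Jamf's or Apple's code: flag app bundles nested inside
# another app bundle whose code-signing Team ID differs from the host's.
import os
import subprocess


def find_nested_bundles(root):
    """(host_app, nested_app) pairs for every .app whose nearest .app ancestor
    is below root. Legitimate helpers nest too; the signer check decides."""
    root = os.path.abspath(root)
    apps = [os.path.join(d, n) for d, names, _ in os.walk(root)
            for n in names if n.endswith(".app")]
    pairs = []
    for inner in apps:
        parent = os.path.dirname(inner)
        while len(parent) > len(root):
            if parent.endswith(".app"):
                pairs.append((parent, inner))
                break
            parent = os.path.dirname(parent)
    return sorted(pairs)


def team_id(app):
    """Team ID from `codesign -dv --verbose=4` (printed on stderr); None when
    unsigned, ad hoc signed ("not set") or codesign is not installed."""
    try:
        proc = subprocess.run(["codesign", "-dv", "--verbose=4", app],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    for line in proc.stderr.splitlines():
        if line.startswith("TeamIdentifier="):
            value = line.split("=", 1)[1].strip()
            return None if value == "not set" else value
    return None


def flag_mismatches(root, identity=team_id):
    """Nested bundles whose signer differs from the host app's signer.
    `identity` is swappable so the logic can be tested without codesign."""
    findings = []
    for host, nested in find_nested_bundles(root):
        h, n = identity(host), identity(nested)
        if h != n:
            findings.append({"host": host, "nested": nested,
                             "host_team": h, "nested_team": n})
    return findings
```

On a Mac, `flag_mismatches("/Applications")` performs a live scan with the real `codesign` output; a nested bundle with `nested_team` of `None` inside a vendor-signed host is the case to investigate.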

The new macOS patch fixes this problem. Moreover, it is estimated that the patch will also stop malware similar to XCSSET from abusing this vulnerability in the future. The patch is available for macOS 11.4 or later.