Bugs Allowed Hackers to Make Malware Look Like Apple Software

For years, hackers could hide malware alongside legitimate Apple code and sneak it past several popular third-party security products for Mac computers, according to new research. This is not a flaw in MacOS but an issue in how third-party security tools implemented Apple’s APIs.

A researcher from security firm Okta found that several security products for Mac—including Little Snitch, xFence, and Facebook’s OSquery—could be tricked into believing malware was Apple code, and let it past their defenses.

“I can take malicious code and make it look like it’s signed by Apple,” Josh Pitts, the security researcher at Okta who discovered these bugs, told Motherboard.

In a blog post published Tuesday, Pitts explained that the issue lies with how the third-party security tools implemented Apple’s code-signing APIs when dealing with Mac’s executable files known as Universal or Fat files. Code-signing is a mechanism that checks files to see if they are signed with digital certificate, which should mean that the code is authentic and comes from the firm that signed it. In the case of Apple’s MacOS, if a file is signed by Apple, the computer is programmed to trust it. But Pitts found that he could bundle malicious files with legitimate Apple-signed code and effectively make the malware look like it was signed by Apple. That way, some third-party tools did not detect the malware.

“If your security tools are telling you the file is signed by Apple what are you supposed to do?” Pitts added.

Pitts identified the following security tools as vulnerable: Google Santa, Facebook OSquery, Little Snitch, xFence, Yelp’s OSXCollector, Carbon Black’s Cb Response and several of Objective See’s tools.

The researcher said all of them have patches ready that fix the issue.

A Google spokesperson confirmed that Santa has been patched, and the company credited Pitts for the discovery.

A Facebook spokesperson also thanked Pitts and said the issue was fixed ”in the latest version of OSquery, which is already available for download.”

F-Secure said in a statement that it already pushed an automatic update to xFENCE's stand alone version that fixes the issue.

Yelp sent the following statement: “OSXCollector is a tool used for internal forensics on Mac computers. This vulnerability was responsibly disclosed to us and, as an interim solution, we have disabled the code signing check functionality which can be bypassed by this vulnerability. Yelp's data and users were never at risk due to this vulnerability, but we will disclose this change to other OSXCollector users who may have relied on this functionality. A more comprehensive fix may be released in the future."

Google and Carbon Black did not respond to Motherboard’s request for comment.

Marco Masser, one of the developers of Little Snitch, which is made by Objective Development, published a blog post on Wednesday saying the new version of the software fixes the issue.

Patrick Wardle, the developer of Objective See’s free Mac security tools, said that part of the issue was that Apple’s APIs were “confusing,” an assessment that Pitts agreed with. Apple said the company is in the process of updating its documentation.

“The code signing APIs are a bit confusing, because if you say, ‘please validate this file’ it can say, 'yes, everything looks good'—even if the programs in the Fat file are signed by two different code signers,” Wardle told Motherboard. “If it's signed by Apple, everything will come back OK, even if there is a second program in the file, that is signed by the hacker, that will be the code that is executed, when the file is run.”

If you use any of the security products listed above, patch, patch, patch.

This piece was updated to include Facebook, F-Secure, and Objective Development's comments.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.