Security Bite: Apple-Notarized Malware on macOS

by Anika Shah - Technology
0 comments

MacSync Stealer Bypasses Apple Protections: A Growing macOS Security Concern

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do.Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.


Last week,Jamf Threat Labs published research on yet another variant of the increasingly popular MacSync Stealer family calling attention to a growing problem in macOS security: malware that’s sneaking around Apple’s most notable third party app protections. This new variant was distributed inside a malicious app that was both code-signed with a valid Developer ID and notarized by Apple, meaning Gatekeeper had no reason to block it from launching.

Security Bite: Apple-Notarized Malware on macOS

Historically,Apple’s model has worked quite well. Apps distributed outside the Mac App Store must be cryptographically signed and notarized to open without having users jump through a lot of hoops. But that trust model assumes that signing proves good intent.What we’re seeing now is that attackers are obtaining real developer certificates and shipping malware that looks indistinguishable from legit software at the time of install.

After speaking with multiple people familiar with the matter, there are a few ways threat actors are going about achieving this.In many cases, they’re using a combination of the following:

Signed and notarized malicious apps could be operating with Developer ID certificates that are compromised or even purchased via underground channels, which significantly

Related Posts

Leave a Comment