OSX/Linker Malware Exploits macOS GateKeeper

Security researchers have discovered a piece of Mac malware called OSX/Linker that can exploit a zero day vulnerability in macOS GateKeeper.

OSX/Linker

On May 24, security researcher Filippo Cavallarin publicly disclosed a vulnerability in macOS GateKeeper. He had contacted Apple about it, and was told it would be fixed within 90 days, but the company missed the deadline and stopped correspondence. Mr. Cavallrin found that macOS treats apps loaded from a shared network resource are treated differently than apps downloaded via the internet.

By creating a symbolic link (or “symlink”—similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, and then creating a .zip archive containing that symlink and getting a victim to download it, the app would not be checked by Apple’s rudimentary XProtect bad-download blocker.

The simpler explanation: This trick makes it easier for malware to infect a Mac—even if Apple has a built-in signature that’s supposed to protect your Mac from that malware.

He posted a YouTube video demonstrating the GateKeeper bypass:

The team at Intego found the first known attempts to use this vulnerability. Four samples of malware were uploaded to VirusTotal. The first one came from an Israeli IP address, and the rest came from an IP in the United States.

Intego’s blog post has more detail, but right now there isn’t an easy solution unless Apple either patches the vulnerability or you can find antivirus that can detect OSX/Linker.

Further Reading:

[Spotify Anti-Trust Argument Questioned by Apple]

[iOS 13: How to Set Apple Books Reading Goals]

Share this post