Apple has approved Mac malware for the App Store for the second time in just six weeks. Admittedly, the malware from the OSX/MacOffers (or MaxOfferDeal) family was once again well hidden. But the new case shows how thoroughly apps need to be scrutinized to rule out malware and keep the App Store as secure as it is supposed to be for Apple users. In this post you will find details on the current case as well as a link to a detailed analysis of the Trojan software for macOS.
The Mac App Store, like the iOS App Store, should be a reliable source of software. Whether Mac, iMac, MacBook, iPhone, Apple Watch, iPad or iPod touch - the apps on offer should provide a great user experience. But as Intego shows, Apple could not keep this promise here: half a dozen Trojans were smuggled in past Apple's review and security checks.
As Intego reports, VirusTotal did not detect the new malware from the OSX/MacOffers (or MaxOfferDeal) family. All six disk image files (.dmg) and the first-stage Trojan horse application had a 0% detection rate on VirusTotal when they were first uploaded between October 6 and October 13. Since then, a sample of the second stage has been detected by only 4 of VirusTotal's 60 antivirus engines.
The new malware uses a technique called steganography (hidden writing) to conceal its malicious components in a separate JPEG image file. That is probably why it made it through Apple's notarization process. In the current case, the application on the disk image contained a JPEG file that at first glance looks normal and harmless. However, it contains a Base64-encoded ZIP archive, which in turn contains the actual malware.
According to Intego, this steganographic approach has been seen several times before. As early as 2011, malicious software found its way into the Mac App Store this way - in the form of “MacDefender” fakes. Further cases of this kind were observed in 2019. The dangerous part: once Apple has allowed software into the App Store, it can be installed or launched with a simple double-click, unlike apps downloaded from the Internet, which sometimes trigger several warnings and notices.
The Intego report linked above shows how the malware was smuggled onto the Mac via a supposed “Adobe Flash Player” download. Users apparently download a Flash Player installer that contains a disk image in DMG format. Once opened with a double-click, this disk image is mounted and the application inside it is launched. That in turn reads the JPEG file and unpacks the ZIP archive hidden inside it.
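As an added example (not from the original post and not Intego's code), here is a small Python check a defender can run over JPEG files shipped inside a disk image or app bundle. It walks the JPEG segment structure to find the real end-of-image marker, then tests whether anything appended after it is a ZIP archive, either raw or Base64-encoded as described above. The sample JPEG and the harmless archive are constructed inside the script; the function names are my own.

```python
import base64
import binascii
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                 # local file header of a ZIP archive
STUFFED = {0x00, *range(0xD0, 0xD8)}      # FF 00 (stuffed byte) and FF D0-D7 (RSTn) are not markers


def jpeg_end(data: bytes) -> int:
    """Offset just past the real EOI; a plain search for FF D9 can stop at an EXIF thumbnail's EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte, the marker follows
            pos += 1
        elif marker == 0xD9:                             # EOI: the image ends here
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers: TEM, RSTn, SOI
            pos += 2
        else:
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # skip segment by its length
            if marker == 0xDA:                           # SOS: skip entropy-coded data to next marker
                while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in STUFFED):
                    pos += 1
    raise ValueError("malformed JPEG: no EOI marker found")


def extract_hidden_zip(data: bytes):
    """Return the bytes appended after EOI if they form a ZIP (raw or Base64-encoded), else None."""
    tail = b"".join(data[jpeg_end(data):].split())       # tolerate line-wrapped Base64
    if tail.startswith(ZIP_MAGIC):
        return tail
    try:
        decoded = base64.b64decode(tail, validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded if decoded.startswith(ZIP_MAGIC) else None


def build_sample(hide_archive: bool) -> bytes:
    """Constructed fixture: minimal JPEG skeleton (SOI, APP0, SOS header, dummy scan data, EOI)."""
    jpeg = (b"\xff\xd8" + b"\xff\xe0\x00\x06JFIF" + b"\xff\xda\x00\x03\x01"
            + b"\x12\xff\x00\x34" + b"\xff\xd9")
    if not hide_archive:
        return jpeg
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.txt", "harmless placeholder, not malware")
    return jpeg + base64.b64encode(buf.getvalue())       # Base64 ZIP appended after EOI
```

A hit from extract_hidden_zip is a strong triage signal: an image that a viewer renders normally but that carries an archive behind its end-of-image marker has no legitimate reason to do so.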
It should be clear to everyone that no reputable website will require or actively offer a download of Adobe Flash Player in 2020 (for example by linking to the App Store or the Adobe website). Flash Player will be discontinued completely at the end of the year, and some web browsers no longer support it at all. You can find details in this post from 2017: Flash Player Plugin expires in 2020 - Adobe announces "End-of-Life".
News from June 2020: Malware disguised as a Flash Installer
Further details can be found in the Intego article linked above. You can find a review of this vendor's antivirus software here: Intego Mac Internet Security X9 put to the test.
Out of interest, I asked Intego whether their program "Mac Internet Security X9" would also have found the malware if it had been hidden in software installed via the App Store.
Hi Jens, of course we detect it as any kind of suspicious file ;-) notarized or not, we analyze the file code and decide if it's malware or not. So Apple-notarized apps are not safe from being infected by malware. Regards, Jack
Even though I personally still get by without antivirus software, when you hear reports like this the thought sometimes arises whether you should get one after all.
Jens has been running the blog since 2012. He appears as Sir Apfelot for his readers and helps them with problems of a technical nature. In his free time he drives electric unicycles, takes photos (preferably with his iPhone, of course), climbs around in the Hessian mountains or hikes with the family. His articles deal with Apple products, news from the world of drones or solutions for current bugs.