Apple is again letting Mac malware in the App Store

Apple has approved Mac malware for the App Store for the second time in just six weeks. Admittedly, the malware from the OSX/MacOffers family (or MaxOfferDeal) was once again well hidden. But the new case shows how thoroughly apps need to be scrutinized to rule out malware and keep the App Store as secure as it's supposed to be for Apple users. In this post you will find details on the current case as well as a link to a detailed look at the Trojan software for macOS.

The Trojan horse from the App Store can show up at the gates of your Apple Mac in the form of a Flash Player installer. You can read here how the OSX/MacOffers malware manages to get past Apple into the store.

The new OSX/MacOffers malware is difficult to spot

The Mac App Store, like the iOS App Store, should be a reliable source for software. Whether Mac, iMac, MacBook, iPhone, Apple Watch, iPad or iPod touch, the apps offered should provide a great user experience. But as Intego shows, Apple could not keep this promise. Half a dozen Trojans were smuggled in past the checking mechanisms and the security check.

As Intego reports, VirusTotal does not detect the new malware from the OSX/MacOffers (or MaxOfferDeal) family. All six disk image files (.dmg) and the first-level Trojan horse application had a 0% detection rate on VirusTotal when they were first uploaded between October 6 and October 13. In the meantime, a sample from the second stage has only been detected by 4 of VirusTotal's 60 antivirus engines.

Tampered JPEG file contains Mac malware

The new malware uses a technique called steganography (secret writing) to hide its components in a separate JPEG image file. That's probably why the malware was able to get through Apple's authentication process. In the current case, the application contained a JPEG file on the disk image, which at first glance appears normal and harmless. However, it contains a Base64-encoded ZIP archive, which in turn contains the actual malware.
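As an added example (not from Intego or the original post), here is a defender-side check in Python that flags a JPEG carrying a Base64-encoded ZIP archive, the layout described above. It assumes the Base64 text sits in the file as one contiguous run; the function names and the sample file are constructed for illustration.

```python
import base64
import io
import re
import zipfile

# The ZIP local-file-header magic "PK\x03\x04" always Base64-encodes to "UEsDB...".
B64_ZIP = re.compile(rb"UEsDB[A-Za-z0-9+/\r\n]{16,}={0,2}")

def find_embedded_zips(data: bytes):
    """Return (offset, member names) for each Base64 run in a JPEG that decodes to a ZIP."""
    hits = []
    if not data.startswith(b"\xff\xd8"):           # no JPEG SOI marker: out of scope
        return hits
    for m in B64_ZIP.finditer(data):
        blob = re.sub(rb"[\r\n]", b"", m.group(0))  # tolerate line-wrapped Base64
        blob = blob[: len(blob) - len(blob) % 4]    # keep whole 4-character groups only
        try:
            raw = base64.b64decode(blob, validate=True)
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                hits.append((m.start(), zf.namelist()))
        except (ValueError, zipfile.BadZipFile):    # looked like Base64 ZIP, was not
            continue
    return hits

def build_sample() -> bytes:
    """Constructed test input: a stub JPEG with a Base64-encoded ZIP placed after it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("constructed_member.txt", b"harmless constructed sample")
    stub_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 9 + b"\xff\xd9"
    return stub_jpeg + base64.b64encode(buf.getvalue())

if __name__ == "__main__":
    for offset, names in find_embedded_zips(build_sample()):
        print(f"Base64 ZIP at offset {offset}: {names}")
```

A hit is a reason to inspect the file further, not a verdict: the check only proves that an archive is hidden in the image, not what the archive does.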

According to Intego, this procedure, i.e. steganography, has been observed several times in the past. As early as 2011, malicious software found its way into the Mac App Store in this way, in the form of “MacDefender” fakes. Some cases of this procedure were also observed in 2019. The dangerous thing about it: if Apple admits the software to the App Store, it can be installed or started simply by double-clicking, in contrast to apps downloaded from the Internet, which sometimes trigger multiple warnings and notices.

How does OSX/MacOffers get on the Apple Mac?

The Intego report linked above shows how the malware was smuggled onto the Apple Mac via a supposed “Adobe Flash Player” download. Apparently, users are downloading a Flash Player Installer that contains a disk image in DMG format. Once started with a double click, this image of a storage medium is mounted and started. This also exposes the JPEG file and unzips the ZIP archive it contains.

It should be clear to everyone that no reputable website will require or actively offer the download of Adobe Flash Player in 2020 (e.g. by linking to the App Store or the Adobe website). The Flash Player will be discontinued completely at the end of the year. Some web browsers no longer support it at all. You can find details on this in this post from 2017: Flash Player Plugin expires in 2020 - Adobe announces "End-of-Life".

News from June 2020: Malware disguised as a Flash Installer

Further details can be found in the Intego article linked above. You can find a test of the antivirus software from this provider here: Intego Mac Internet Security X9 put to the test.

Inquiry to Intego - does the Anti-Virus find this pest?

Out of interest, I once asked Intego whether their program "Mac Internet Security X9" would also have found the malware if it was hidden in software that is installed via the App Store.

Hi Jens, of course we detect it as any kind of suspicious file ;-) notarized or not, we're analyzing the file code and decide if it's a malware or not. So Apple notarized apps are not safe from being infected by a malware. Regards, Jack

Even if I personally still get by without anti-virus software, when you hear such reports, the thought sometimes arises whether you should get one after all.

