macOS has a number of built-in tools to detect Mac malware, with Background Task Manager added to the defenses last year. However, a security researcher says that this can be trivially bypassed, and that Apple failed to act on his recommendations to fix it.
Patrick Wardle presented his findings at the Defcon hacker conference, making the unusual decision to do so without advising Apple ahead of time …
Apple’s three-layer protection against Mac malware
First, it seeks to prevent installation of malware. It does this by vetting apps in the Mac App Store, and using Gatekeeper with Notarization to ensure that all other apps are signed by a recognized developer.
Second, if malware makes it through this layer, it uses XProtect to recognize malware and block it from running.
macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates regularly. Apple monitors for new malware infections and strains, and updates signatures automatically — independent from system updates — to help defend a Mac from malware infections. XProtect automatically detects and blocks the execution of known malware.
Third, even if malware has run once, Apple seeks to prevent it from doing so in future. The company frequently updates XProtect to look for newly identified malware. Additionally, Apple last year introduced Background Task Manager, which looks for the most dangerous form of malware: apps that persist.
Background Task Manager
Some malware executes once, for example to steal personal data, and then quits. But the most dangerous form of malware persists. This form of malware can monitor ongoing user activity, download new elements from an attacker’s server, and more.
Apple seeks to detect this by looking for the installation of new persistent tasks, and notifying both users and third-party security tools running on the Mac. Since many legitimate apps create persistent tasks, you shouldn’t worry if you install a new app from the Mac App Store, or a trusted developer, and receive this alert.
But if an alert comes out of nowhere, that’s a sign that your Mac may have been compromised.
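As an added, defender-side illustration (not code from the article, from Apple, or from Wardle's tools): a Python check that parses launchd plists from the standard LaunchAgents/LaunchDaemons directories and reports auto-starting items whose label is not in a known-good baseline, which is the same class of persistence Background Task Manager alerts on, but checked independently of whether its notification ever arrives. The directory paths are assumed and the sample plists are constructed so the check runs offline.

```python
import plistlib
from pathlib import Path
# Standard launchd persistence directories on macOS (assumed; not taken from the article).
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons", "~/Library/LaunchAgents"]

def summarize_launchd_plist(data: bytes) -> dict:
    """Extract what a launchd item runs and whether launchd starts it on its own."""
    plist = plistlib.loads(data)
    program = plist.get("Program") or (plist.get("ProgramArguments") or [None])[0]
    autostart = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    return {"label": plist.get("Label"), "program": program, "autostart": autostart}

def find_new_persistence(items: dict, baseline: set) -> list:
    """Report auto-starting items whose Label is not in the known-good baseline.
    A plist that fails to parse is reported too rather than skipped silently."""
    findings = []
    for path, data in items.items():
        try:
            summary = summarize_launchd_plist(data)
        except Exception as exc:
            findings.append({"path": path, "error": str(exc)})
            continue
        if summary["label"] not in baseline and summary["autostart"]:
            findings.append({"path": path, **summary})
    return findings

def read_launchd_dirs(dirs=LAUNCHD_DIRS) -> dict:
    """Read every .plist from the live persistence directories (for a real sweep)."""
    items = {}
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            try:
                items[str(p)] = p.read_bytes()
            except OSError:
                continue  # unreadable file; a production tool should log this
    return items

# Constructed sample plists so the check runs offline: one known item, one unknown
# auto-starting item, and one unknown item that launchd would only start on demand.
SAMPLE_ITEMS = {
    "/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps(
        {"Label": "com.example.updater", "ProgramArguments": ["/usr/local/bin/updater"], "RunAtLoad": True}),
    "/Library/LaunchAgents/com.unknown.helper.plist": plistlib.dumps(
        {"Label": "com.unknown.helper", "ProgramArguments": ["/tmp/.helper", "-d"], "KeepAlive": True}),
    "/Library/LaunchAgents/com.unknown.ondemand.plist": plistlib.dumps(
        {"Label": "com.unknown.ondemand", "Program": "/opt/tool/run"}),
}
BASELINE = {"com.example.updater"}
if __name__ == "__main__":
    for finding in find_new_persistence(SAMPLE_ITEMS, BASELINE):
        print(finding)
```

On a real Mac, pass `read_launchd_dirs()` instead of `SAMPLE_ITEMS` and seed the baseline from a clean snapshot of the same machine.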
But it can be easily bypassed
Security researcher Patrick Wardle last year notified Apple of a number of faults he discovered with the way this works. He knows a thing or two about the challenges of implementing this type of protection as he’d previously created his own tool to do the same job.
But he told Wired that Apple failed to address the more fundamental issues he discussed with the company.
When Background Task Manager first debuted, Wardle discovered some more basic issues with the tool that caused persistence event notifications to fail. He reported them to Apple, and the company fixed the error. But the company didn’t identify deeper issues with the tool.
“We went back and forth, and eventually, they fixed that issue, but it was like putting some tape on an airplane as it’s crashing,” Wardle says. “They didn’t realize that the feature needed a lot of work.”
Background Task Manager bypasses revealed
Normally, Wardle would only share details of exploits after Apple has fixed them. In this case, however, he says that the Cupertino company seems to have no interest in doing so, and he has thus chosen to share at the Defcon hacker conference the bypasses he discovered.
One of them requires root access to the target Mac, but two others don’t.
Wardle also found two paths that don’t require root access to disable the persistence notifications Background Task Manager is supposed to send to the user and to security monitoring products. One of these exploits takes advantage of a bug in how the alerting system communicates with the core of a computer’s operating system known as the kernel. The other capitalizes on a capability that allows users, even those without deep system privileges, to put processes to sleep. Wardle found that this capability can be manipulated to disrupt persistence notifications before they can get to the user.
He chose this course of action, he says, because Background Task Manager currently offers a false sense of security to users and security companies alike, who may think this aspect of protecting against Mac malware is already in place.