Apple patches Gatekeeper bypass bug abused by malware gang

On Monday, Apple has released macOS Big Sur 11.3 with a security fix for a vulnerability that was being abused by a malware gang to bypass the operating system's security checks.

Discovered by security researcher Cedric Owens, the vulnerability, tracked as CVE-2021–30657, allows a maliciously designed application to bypass Gatekeeper, a macOS security feature that blocks apps from running unless they've been signed with a valid Apple-issued certificate and have passed an automated review process called "app notarization."

In a blog post on Medium, where he detailed the vulnerability, Owens said he found a novel method of packaging unsigned macOS applications in a way that would trick Gatekeeper into thinking the application has been notarized and signed and would allow the app to run without triggering any security warning.

Kudos to Apple for quickly fixing the bug I reported to them. Here is my blog that delves into how I weaponized this bug with a payload: https://t.co/Bj8bQbpLx5. Thanks @patrickwardle for helping dive into the vuln as well pic.twitter.com/tnMo3is0K8

— Cedric Owens (@cedowens) April 26, 2021

Owens also asked Patrick Wardle, one of today's leading macOS security experts, to verify his findings. In his own blog post, Wardle confirmed Owens' technique but also said he found malware samples that were being distributed in the wild that were actively using the same app packaging technique.

macOS security firm Jamf also confirmed Wardle's discovery.

According to Jamf, a malware strain named Shlayer was seen abusing this technique since early March, about the same time that Owens discovered the bug.

Making matters worse, Shlayer is not any mundane threat that gets rarely spotted, but today's most encountered macOS malware strain.

According to security firm Kaspersky, every one in ten macOS malware detections in 2019 was for Shlayer, a trojan that infects macOS systems via boobytrapped apps and acts as a "loader" for other malware gangs.

While in previous campaigns the Shlayer trojan has been seen deploying adware as a second-stage payload, Jamf warns Apple users not to sleep on this threat, as it could easily deliver more advanced threats, such as spyware and even ransomware.

Furthermore, Apple users should be aware that Shlayer is a very advanced malware operation. Evidence stands its large install base, rapid development cycle, and the fact that its operators were able to discover the CVE-2021–30657 Gatekeeper bypass independently of Owens.

macOS users are advised to update their systems as soon as possible, especially if they like to download and test/install apps on a regular basis.

In a Twitter conversation earlier this month, Wardle described the vulnerability to The Record as "the worst macOS bug in recent memory."

Apple told The Record that applying yesterday's macOS update should fix the issue. The OS maker said that while the bug allowed malware to bypass Gatekeeper checks for notarization and code signing requirements, the bug did not allow the malware to evade XProtect, the macOS malware scanner, for which the malware would have required to deploy additional code and bypasses.