
New malware justifies Apple’s locked-down security strategy

Friday January 10, 2025. 06:36 PM , from ComputerWorld
Apple has told us Macs aren’t secure enough and it continues working to improve their security, as it does across all of its platforms. But a newly identified malware attack confirms that third-party developers can sometimes be a weak link in the perimeter.

In this case, Check Point Research has identified a malware-as-a-service attack it calls Banshee macOS Stealer.

This insidious attack, which has apparently now been closed down, was spread via seemingly legitimate browser downloads distributed outside of Apple’s Mac App Store. Once installed, it was capable of exfiltrating all kinds of information, including account, banking and crypto logins, and more, and was resistant to Apple’s own antivirus protection system, Gatekeeper. (The malware is also available on Windows, but I’m less sure of the degree of risk users on that platform face.)

If it’s too good to be true, it’s too good to be true

Here’s what we know:

The software was distributed in infected versions of popular software (such as Chrome or Telegram) via phishing websites and fake GitHub repositories.

Once in the field, it targets third-party browsers such as Chrome, browser extensions and 2FA extensions to capture sensitive information.

It also tricks users into sharing their passwords with legitimate-seeming system prompts, sending the stolen data back via command-and-control servers.

Attack-as-a-service malware of this kind usually relies on a command-and-control server to receive the exfiltrated data, and legitimate-seeming but trojanized software has been an attack method ever since people shared applications via FTP, and probably before.

None of this is new. Nor is the main attack’s reliance on tricking users. Everyone by now knows that computer users are now and will forever be the weakest link in platform security. Convincing people to download software that is infected is common, and recent attacks from NSO and other reprehensible companies showed that it is still possible to craft attacks that don’t even require user intervention. (Though those are very, very expensive.)

What is new is that those behind the attack used some of Apple’s own anti-virus tools, stealing “a string encryption algorithm from Apple’s own XProtect antivirus engine, which replaced the plain text strings used in the original version,” according to Check Point.

This is what helped the attack evade detection for two months, though it was eventually identified, mitigated, and the operation shut down. Crisis over.

Prevention beats cure

Except the crisis is never really over. 

What this attack exposed is that platforms can be undermined, and while Macs (and Apple’s other products) are — unlike others — secure by design, that doesn’t mean they are infallible.

The introduction of Lockdown Mode demonstrates that Apple knows attacks happen. Within that context, it becomes super-important to ensure every user understands that if software they usually pay for is available free somewhere, they should absolutely avoid installing it. And they should always ensure that legitimate software (such as Chrome) is installed from the original source.

That’s not a problem if you stay within trusted app distribution ecosystems, of course — particularly Apple’s own heavily-policed app stores. But as the company is forced to open up to third-party distribution, that security will be eroded as, at least in some cases, some app developers insist on independent distribution of their software. 

That represents a golden opportunity for malware distributors to try to build legitimate-seeming download sites for these apps. Though it’s possible that Apple’s Notarization system (as it expands) might become an essential tool to protect against this.
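One concrete way for a Mac user to act on that advice before opening a download is shown below. This is an added example, not code from the column, from Check Point or from Apple: a POSIX shell function that runs Apple’s own codesign(1) and spctl(8) tools (spctl is the command-line front end to Gatekeeper’s notarization assessment) against an app bundle and refuses it if the signature does not verify or Gatekeeper would not accept it. The exit-code convention and the example path are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or from Check Point: gate a downloaded
# macOS app on Apple's own signature and notarization checks before opening it.
# Relies on codesign(1) and spctl(8), which ship with macOS.

# assess_app PATH
#   exit 0  -> signed and accepted by Gatekeeper (notarized Developer ID / App Store)
#   exit 1  -> reject: missing path, bad signature, or Gatekeeper refuses it
#   exit 2  -> cannot assess here (codesign/spctl not present, e.g. not macOS)
assess_app() {
    app="$1"
    if [ ! -e "$app" ]; then
        echo "REJECT: $app does not exist"
        return 1
    fi
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "UNKNOWN: codesign/spctl not found; run this on macOS"
        return 2
    fi
    # 1. The bundle's signature must verify, including nested code (--deep)
    #    and with strict validation of the signing requirements (--strict).
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "REJECT: invalid or missing code signature"
        return 1
    fi
    # 2. Ask Gatekeeper's policy engine whether it would let this app launch.
    #    A notarized Developer ID app or an App Store app is accepted; an
    #    unsigned or un-notarized download is rejected.
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "REJECT: Gatekeeper would not accept this app (not notarized?)"
        return 1
    fi
    # 3. Surface the signing chain so the user can compare the Team ID with the
    #    real vendor's (a counterfeit Chrome will not carry Google's identity).
    codesign -dv --verbose=2 "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' || true
    echo "OK: signed and accepted by Gatekeeper"
    return 0
}

# Usage (hypothetical path): assess_app "$HOME/Downloads/Google Chrome.app"
```

The function deliberately reports a distinct exit code when the Apple tools are absent, so a script wrapping it cannot mistake "could not check" for "checked and accepted"; the Authority and TeamIdentifier lines it prints are what a user should compare against the identity the genuine vendor publishes.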

While some developers continue to complain about the cost of distribution on Apple’s platforms, it must be stressed that the cost of cybercrime is expected to surpass $10 trillion this year. That means it is in the public interest for app developers — if they really want to play their part to combat cybercrime — to ensure they create and protect secure software distribution systems that do not confuse consumers. 

We all play a part

It’s actually in the national (international) interest. “I think some of the top people predict that the next big war is fought on cybersecurity,” Apple CEO Tim Cook told Time in 2016. 

Software consumers need to play their part. “As cyber criminals continue to innovate, security solutions must evolve in tandem to provide comprehensive protection,” Check Point Research explains. “Businesses and users alike must take proactive steps to defend against threats, leveraging advanced tools and fostering a culture of caution and awareness.”

Despite this attack, the Mac remains the world’s most secure PC platform. One of the easiest ways for anyone to improve their own security posture is to move to Apple’s platforms. And one of the easiest ways to undermine that security is to install dodgy software, no matter how genuine it appears to be. If it seems too good to be true, it’s too good to be true.

So, don’t download it.

You can follow me on social media! You’ll find me on BlueSky,  LinkedIn, Mastodon, and MeWe. 
https://www.computerworld.com/article/3800854/new-malware-justifies-apples-locked-down-security-stra...
