The Gatekeeper feature in macOS is designed to protect your Mac from malware and other malicious software. It does this by checking that an app downloaded from the internet carries a valid Developer ID signature and has been notarized by Apple; it does not judge what the app will do once it runs. Gatekeeper does a good job overall, but it is not foolproof. Cybercriminals are constantly coming up with new ways to get past security measures, so staying vigilant is key.
One recent example is a new variant of the MacSync Stealer malware, which is delivered as a code-signed Swift application. The installer is signed with a Developer ID certificate and has been notarized by Apple, so Gatekeeper sees exactly what it expects from a legitimate developer and lets it run. The notarization system is not being exploited through any flaw here; it is being abused, because the code Apple scanned contains no malicious behaviour of its own. To the user, the result looks like a safe installer for an app called “zk-Call & Messenger.”
This tactic is more sophisticated than previous versions of MacSync Stealer, which relied purely on social engineering to deceive users. The installer app appears legitimate because it is code-signed, notarized, and issued to an Apple Developer account. To make the ruse more convincing, the bundle has also been padded with extra files so that its size matches what a user would expect of a real messaging app installer.
The installer itself is only the first stage. Once it is run on a Mac, it contacts a remote server, downloads the actual stealer payload, and installs it on the system. That payload is designed to steal sensitive data such as passwords, cryptocurrency wallets, and more. What sets this variant apart is its delivery method: the signed, notarized first stage passes the Gatekeeper check, and the malicious code only arrives after that check is over.
Malware authors are constantly evolving their tactics to infect more machines. This two-stage approach makes the malware harder to catch during notarization, because the code submitted to Apple is a benign-looking downloader and Apple's automated scan has nothing malicious to flag; the payload only appears once the app is already running on the victim's Mac. Apple has since revoked the associated certificate, which means Gatekeeper now blocks this particular installer, but revoking one certificate stops this sample, not the technique. Users still need to be cautious about what they install and where they download files from.
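The two-stage pattern described above leaves a recognisable trail on the endpoint even when the first stage is signed and notarized. The script below is an added example written for this article, not code from the article or from any vendor: it runs over a small set of constructed endpoint events (process launches, outbound connections and file writes, in a simplified format that is an assumption for illustration, not the schema of any real EDR product) and raises an alert when an app-bundle process tree makes a network connection, writes a Mach-O file outside its own bundle, and then executes it. The Team ID of the first stage is reported in the alert precisely because a valid Developer ID signature is not evidence of good intent.

```python
"""Detect a signed app that fetches and runs a second-stage payload.

Added example for this article, not code from the article or any vendor.
It works on constructed telemetry with made-up paths, pids and Team IDs;
the event format below is an assumption, not a real product's schema.
"""
from collections import defaultdict

# First four bytes of Mach-O files as hex, in both byte orders, plus fat
# (universal) binaries.
MACHO_MAGIC = {"feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe", "bebafeca"}

# Constructed sample events, not a real capture. The first four describe the
# pattern from the article; the last three are a benign app fetching a JSON
# manifest, which must not trigger an alert.
SAMPLE_EVENTS = [
    {"ts": 10, "type": "exec", "pid": 501, "ppid": 1, "team_id": "ABCDE12345",
     "path": "/Volumes/Installer/Example Installer.app/Contents/MacOS/Example Installer"},
    {"ts": 11, "type": "net", "pid": 501, "dst": "203.0.113.10:443"},
    {"ts": 12, "type": "file_write", "pid": 501, "path": "/private/tmp/.cache/update",
     "magic": "cffaedfe"},
    {"ts": 13, "type": "exec", "pid": 512, "ppid": 501, "team_id": "",
     "path": "/private/tmp/.cache/update"},
    {"ts": 20, "type": "exec", "pid": 601, "ppid": 1, "team_id": "FGHIJ67890",
     "path": "/Applications/Notes Sync.app/Contents/MacOS/Notes Sync"},
    {"ts": 21, "type": "net", "pid": 601, "dst": "198.51.100.7:443"},
    {"ts": 22, "type": "file_write", "pid": 601,
     "path": "/Users/alice/Library/Caches/manifest.json", "magic": "7b0a2020"},
]


def is_app_bundle_main(path):
    """True for the main executable of an .app bundle."""
    return ".app/" in path and "/Contents/MacOS/" in path


def build_roots(events):
    """Map every pid to the outermost app-bundle process in its ancestry."""
    parent, image = {}, {}
    for e in events:
        if e["type"] == "exec":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["path"]
    root_of = {}
    for pid in parent:
        cur, seen, root = pid, set(), None
        while cur in parent and cur not in seen:
            seen.add(cur)
            if is_app_bundle_main(image[cur]):
                root = cur  # keep walking so the outermost bundle wins
            cur = parent[cur]
        if root is not None:
            root_of[pid] = root
    return root_of


def detect_staged_payload(events):
    """Alert when, inside one app's process tree, a network connection is
    followed by a Mach-O written outside the bundle and then executed."""
    root_of = build_roots(events)
    by_root = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        root = root_of.get(e["pid"])
        if root is not None:
            by_root[root].append(e)

    alerts = []
    for root, evs in by_root.items():
        root_exec = next(e for e in evs if e["type"] == "exec" and e["pid"] == root)
        bundle = root_exec["path"].split("/Contents/MacOS/")[0]
        saw_net = False
        dropped = {}  # path -> ts of a Mach-O write outside the bundle
        for e in evs:
            if e["type"] == "net":
                saw_net = True
            elif e["type"] == "file_write" and saw_net:
                if e["magic"].lower() in MACHO_MAGIC and not e["path"].startswith(bundle + "/"):
                    dropped[e["path"]] = e["ts"]
            elif e["type"] == "exec" and e["path"] in dropped and e["ts"] > dropped[e["path"]]:
                alerts.append({
                    "stage_one": root_exec["path"],
                    "team_id": root_exec.get("team_id", ""),  # signed is not the same as safe
                    "payload": e["path"],
                    "payload_pid": e["pid"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_staged_payload(SAMPLE_EVENTS):
        print("ALERT: %(stage_one)s (Team ID %(team_id)s) dropped and ran %(payload)s "
              "as pid %(payload_pid)d" % alert)
```

The benign app in the sample also connects out and writes a file, but the file is not a Mach-O and is never executed, so it stays quiet; real auto-updaters that stage a signed update and execute it would need a whitelist keyed on their Team ID.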
For Mac users, practicing good digital hygiene is essential for staying safe online. Stick to trusted sources like the Mac App Store or reputable developers when downloading software, and always be cautious of suspicious files or emails. Remember that a signed and notarized installer is the minimum you should accept, not proof that it is safe: check that the developer's Team ID matches the one the vendor publishes, and treat an installer that immediately downloads more software as suspect.
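The checks just mentioned can be done from the command line before double-clicking anything. The script below is an added example written for this article, not code from the article or from Apple: it runs the real macOS tools `codesign`, `spctl`, `xcrun stapler` and `xattr` on a bundle and turns their output into a list of reasons not to launch it. The parsing and verdict logic is kept free of side effects so it can be exercised on any machine; the constructed sample outputs, the bundle paths and the Team IDs in it are placeholders, and the expected Team ID is something you take from the vendor's own website, never from the installer.

```python
"""Vet a downloaded macOS app bundle before opening it.

Added example for this article, not code from the article or Apple.
Runs codesign, spctl, xcrun stapler and xattr (macOS only) and parses
their output; sample outputs below are constructed, not real captures.
"""
import subprocess
import sys
from dataclasses import dataclass, field

# Constructed sample of what `codesign -dvvv` writes to stderr; the bundle,
# identifier, company and Team ID are placeholders.
SAMPLE_CODESIGN = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
# Constructed sample of `spctl --assess --type execute -vv` on a notarized app.
SAMPLE_SPCTL = """/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)
"""


@dataclass
class Signature:
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)


def parse_codesign(text):
    """Parse the key=value lines of `codesign -dvvv` output."""
    sig = Signature()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            sig.identifier = value
        elif key == "TeamIdentifier":
            sig.team_id = value
        elif key == "Authority":
            sig.authorities.append(value)
    return sig


def parse_spctl(text):
    """Parse spctl's 'accepted'/'rejected' verdict plus its key=value lines."""
    lines = text.strip().splitlines()
    result = {"accepted": bool(lines) and lines[0].rstrip().endswith(": accepted")}
    for line in lines[1:]:
        key, sep, value = line.partition("=")
        if sep:
            result[key] = value
    return result


def vet(sig, assessment, stapled, quarantined, expected_team_id=None):
    """Return reasons not to launch the app. An empty list means every check
    passed; it still only says Apple's scan found nothing at upload time."""
    problems = []
    if not sig.authorities:
        problems.append("unsigned or ad-hoc signed; Gatekeeper will refuse it")
    elif not sig.authorities[0].startswith("Developer ID Application:"):
        problems.append("leaf certificate is not Developer ID Application: " + sig.authorities[0])
    if not assessment["accepted"]:
        problems.append("Gatekeeper rejects it (source=%s); the certificate may have been revoked"
                        % assessment.get("source", "?"))
    elif assessment.get("source") != "Notarized Developer ID":
        problems.append("accepted, but not as notarized: " + assessment.get("source", "?"))
    if not stapled:
        problems.append("no stapled notarization ticket; the check depends on reaching Apple")
    if expected_team_id and sig.team_id != expected_team_id:
        problems.append("Team ID %s does not match the expected %s"
                        % (sig.team_id or "(none)", expected_team_id))
    if not quarantined:
        problems.append("no quarantine attribute; Gatekeeper will not assess it at launch")
    return problems


def run(cmd):
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def vet_bundle(app_path, expected_team_id=None):
    """Run the real tools on a bundle (macOS only) and vet the results."""
    _, cs = run(["codesign", "-dvvv", app_path])
    _, sp = run(["spctl", "--assess", "--type", "execute", "-vv", app_path])
    stapled = run(["xcrun", "stapler", "validate", app_path])[0] == 0
    quarantined = run(["xattr", "-p", "com.apple.quarantine", app_path])[0] == 0
    return vet(parse_codesign(cs), parse_spctl(sp), stapled, quarantined, expected_team_id)


if __name__ == "__main__":
    # usage: python vet_bundle.py /path/To.app [EXPECTED_TEAM_ID]
    warnings = vet_bundle(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    for w in warnings:
        print("WARN:", w)
    print("no findings" if not warnings else "%d finding(s)" % len(warnings))
```

A clean result says the bundle is what Apple's notarization scan accepted and that it belongs to the Team ID you expected; it says nothing about what the app downloads after launch, which is exactly where this MacSync Stealer variant does its work. A missing quarantine attribute is worth a warning of its own, because Gatekeeper only assesses files that carry it.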