Malware bypassed macOS Gatekeeper by abusing Apple's notarization process

enaph
Thread author
A new variant of the MacSync Stealer uses a code-signed Swift application to get around Apple's macOS Gatekeeper protections.

Gatekeeper on macOS does a pretty good job at fending off malware and other harmful software that could steal a user's data. While attackers come up with various techniques to trick the user into bypassing Gatekeeper, a new delivery method simplifies the attack process considerably.

Researchers at Jamf Threat Labs posted about a new variant of MacSync Stealer on Tuesday that uses a different method to attack macOS, one that manages to take advantage of the notarization system Apple employs.

Previous versions of MacSync Stealer required the use of techniques such as dragging items to a Terminal window or so-called ClickFix methods. These typically required the user to perform a few actions to get around Gatekeeper, such as dropping a script file or pasting a command.

Under the new method, MacSync Stealer is introduced to a Mac as part of a code-signed and notarized Swift application. Users are encouraged to open an installer for a "zk-Call & Messenger" app from a web browser.

Previous iterations required users to right-click and select "Open" in the contextual menu. However, as a signed executable, users can simply double-click it.

Easier, bloated, and initially deceiving

An inspection of the Installer binary reveals it is indeed both code-signed and notarized, and is associated with a Developer Team ID.

While the script driving the malware is small, the file size at 25.5MB is quite large in comparison. The app has been padded by extra files, including PDFs, to make it look more like a legitimate installer by volume alone.

The installer app does not actually contain the malware itself. Instead, after running, it pulls a secondary payload from a server that houses and installs the malware on the target system.

The attack itself is ultimately still an encoded dropper, with researchers seeing many of the usual indicators of being MacSync Stealer. The main difference is that the use of a notarized and signed app allowed the first stage to get past Gatekeeper's protections.

Jamf says that the way the app works shows how malware authors continue to "evolve their delivery methods" to maximize infections. It's a method that Jamf confesses it hasn't previously seen in a Swift-based, code-signed, and notarized form, complete with a second-stage payload.

There is a trend of malware being snuck into legitimate-looking executables that do get through the signing and notarization process. The method is one that, if pulled off correctly, helps it avoid being detected in its crucial early stages.

It's also a problem that has been around for a while. Back in 2020, researchers found that malicious code managed to be notarized by Apple, due to a failure to detect the malware script inside the application.

The difference this time is that the notarized app doesn't contain the harmful code itself, but does summon it from the Internet after going through Gatekeeper checks. This makes detecting the malware during the notarization process a tougher task.

How Mac users can protect themselves

As a notarized and signed app, the initial stage of the malware may seem a little safer than usual, since it doesn't trigger an intervention by Gatekeeper. Jamf says that it has reported the associated Developer Team ID to Apple, and the associated certificate has been revoked.

However, Jamf adds that code directory hashes were not included as part of Apple's revocation list at the time of the report's publication.

Average Mac users should continue to be vigilant about their digital hygiene, as usual. This includes being aware of what they are installing and where they are installing it from, such as a trusted developer website or the Mac App Store.
 
This excerpt is describing a very common (and important) macOS reality: Gatekeeper/notarization improves baseline safety, but it is not a “malware can’t run” guarantee—especially when attackers use signed/notarized first-stage installers that later download the real payload.

What’s actually happening (in plain terms)
  • Stage 1 looks clean enough to pass Apple checks: The user is tricked into running a signed + notarized Swift “installer” app (so it launches with fewer warnings than an unsigned app).
  • Stage 1 is mostly a downloader: The installer itself may not contain the stealer. Instead, it fetches a second-stage payload from the internet after it’s already running.
  • Why this matters: Apple’s notarization is largely aimed at scanning what’s submitted. If the submitted app behaves like a “thin installer” that pulls content later, detection becomes harder.

Key takeaway for the thread
  • “Notarized” means “Apple scanned and allowed it at some point,” not “safe.”
  • A signed/notarized app can still be malicious, can be abused, or can become malicious via a follow-on download.
  • Revocation helps, but there can be delays and gaps (and systems that haven’t checked in recently may not get instant benefit).

Practical protection steps for macOS users
  • Treat “random DM/email download + installer” as high risk, even if it opens without Gatekeeper prompts.
  • Prefer Mac App Store or vendor’s official site. Avoid “messenger/crypto/meeting” installers pushed via links.
  • Verify the developer signature before running (Finder → Get Info, or right-click → Open then review the prompt details). Signature presence is not proof of safety, but mismatch/odd developer names are a strong red flag.
  • Use reputable security scanning (on-device AV/EDR) and/or upload the file/hash to VirusTotal for a multi-engine look (keeping in mind false positives/negatives happen).
  • If already executed: disconnect from network, run a full scan, and consider posting logs in the MalwareTips macOS malware removal section for guided cleanup.

Bottom line: The technique isn’t “Gatekeeper is broken,” it’s attackers abusing the trust signals (signed/notarized) for the initial launch and moving the real malicious behavior to a later stage. The most effective defense remains source verification + skepticism of unsolicited installers + layered scanning.
 
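A worked example of the checks the article's "Developer Team ID / revoked certificate / code directory hashes" paragraphs and the reply's "verify the developer signature before running" tip are talking about. This is an added script, not code from the article, Jamf, Apple or anyone in this thread. It parses the output of Apple's own `codesign` and `spctl` tools into the fields a practitioner actually decides on (Team ID, CDHash, Gatekeeper verdict and source) and classifies the app against a local Team ID blocklist, since a vendor report can land before Apple's revocation reaches every Mac. The sample tool output, the Team ID `ABCDE12345`, the CDHash and the paths are all constructed placeholders, and `TEAM_BLOCKLIST` is an assumed environment variable.

```shell
#!/bin/sh
# Added example (not from the article, Jamf or Apple): pull the fields that matter
# out of codesign/spctl output and classify an app before deciding to run it.
# All sample output below is constructed; Team ID, CDHash and paths are placeholders.

# Constructed stand-in for `codesign -dvvv Example.app 2>&1` on a signed, notarized app.
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.installer
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Hash type=sha256 size=32
CDHash=0123456789abcdef0123456789abcdef01234567
Signature size=9000
Authority=Developer ID Application: Example Dev (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Constructed stand-in for `spctl -a -vv -t exec Example.app 2>&1`.
SAMPLE_SPCTL='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Dev (ABCDE12345)'

# field KEY TEXT: value of the first "KEY=value" line in TEXT.
field() { printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1; }

team_id()      { field TeamIdentifier "$1"; }
cdhash()       { field CDHash "$1"; }
spctl_source() { field source "$1"; }

# First line of spctl output is "<path>: accepted|rejected".
spctl_verdict() { printf '%s\n' "$1" | sed -n '1s/.*: //p'; }

# in_blocklist ID LIST: true if ID is a whole line of LIST (Team IDs you refuse
# locally, e.g. one a vendor reported, because Apple's revocation can lag).
in_blocklist() { [ -n "$1" ] && printf '%s\n' "$2" | grep -qxF -- "$1"; }

# classify CODESIGN_OUT SPCTL_OUT BLOCKLIST: one-token verdict for scripting.
classify() {
    tid=$(team_id "$1")
    if in_blocklist "$tid" "$3"; then
        echo "blocked-team-id"
    elif [ "$(spctl_verdict "$2")" = "accepted" ]; then
        # "Notarized Developer ID" only means Apple's scan passed at submission;
        # a thin installer that downloads its payload later still ends up here.
        echo "gatekeeper-accepts:$(spctl_source "$2")"
    else
        echo "gatekeeper-rejects"
    fi
}

# inspect_app PATH: run the real tools (macOS only) and print the summary.
inspect_app() {
    cs=$(codesign -dvvv "$1" 2>&1)          # codesign reports on stderr
    sp=$(spctl -a -vv -t exec "$1" 2>&1)
    echo "team_id=$(team_id "$cs") cdhash=$(cdhash "$cs")"
    echo "verdict=$(classify "$cs" "$sp" "${TEAM_BLOCKLIST:-}")"
    # After a certificate revocation `codesign -v` reports CSSMERR_TP_CERT_REVOKED;
    # record the CDHash anyway, since hashes may not be on Apple's revocation list yet.
    codesign -v --verbose=2 "$1" 2>&1 | sed -n '1,3p'
}

if [ $# -gt 0 ] && command -v codesign >/dev/null 2>&1; then
    inspect_app "$1"
else
    # No app path given (or not on macOS): show the parsing on the constructed samples.
    echo "team_id=$(team_id "$SAMPLE_CODESIGN") cdhash=$(cdhash "$SAMPLE_CODESIGN")"
    echo "verdict=$(classify "$SAMPLE_CODESIGN" "$SAMPLE_SPCTL" "")"
fi
```

Run it as `TEAM_BLOCKLIST="$(cat blocked-teams.txt)" sh inspect.sh /Applications/Some.app` on a Mac. The point of the `classify` split is that "accepted" with source "Notarized Developer ID" is the strongest thing Gatekeeper will ever tell you, and it is exactly the state the article's installer was in before the certificate was pulled; the Team ID and CDHash are what you keep for your own blocklist and for matching against later reports.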