New Mac Malware Breezes Past Gatekeeper Because It’s Signed By An Apple Developer ID


A new Mac malware has been found in the wild that allows attackers to steal data and install unauthorized apps on a compromised machine. What makes this malware different from other recent Mac malware, though, is that it breezes right past Gatekeeper… and the people behind it might have been gunning for the life of their victim.

Well-known security researcher and privacy activist Jacob Appelbaum discovered the malware — which is being called OSX/KitM.A by Finnish antivirus firm F-Secure — on the laptop of a human rights activist at the Oslo Freedom Forum earlier this week.

KitM.A got on the machine as a result of a spear phishing attack, a phishing attack in which specific individuals (instead of a wider range of victims) are targeted. The malware takes screenshots of what is happening on the Mac and sends them to servers in the Netherlands. It can also download and install other malware, execute commands on behalf of the attackers, and manipulate the network activity monitor so that its presence remains undetected.

What’s so interesting about this specific malware is that it was signed by a valid Apple Developer ID. This means that it just blew past Gatekeeper, the OS X Mountain Lion security feature that is supposed to keep out just this sort of program. But it also means that Apple can simply revoke the app’s certificate, killing it instantly on all computers with Gatekeeper turned on. And hopefully, it means that the attackers behind this particularly insidious form of malware can be tracked down and prosecuted, because they’ve left a signature: their own Apple Developer ID.
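The signature is also the fastest lead a responder has: `codesign -dvv` on the bundle prints the certificate chain and the Developer ID team identifier, which can then be compared against a block list and checked for revocation. The following is an added example, not code from the article or from F-Secure; the `codesign` output is a constructed sample with placeholder names and a placeholder team ID, not the real KitM.A values.

```python
from dataclasses import dataclass, field

# Constructed sample of `codesign -dvv` output for a Developer ID-signed app.
# Identifiers, names and the team ID are placeholders, not the real KitM.A values.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.placeholder
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Placeholder Dev (PLACEHOLDER1)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=May 22, 2013 10:00:00 AM
TeamIdentifier=PLACEHOLDER1
"""

@dataclass
class SigningInfo:
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)   # leaf first, root last

    @property
    def developer_id_signed(self) -> bool:
        # The chain Gatekeeper accepts under "Mac App Store and identified
        # developers": a "Developer ID Application" leaf issued by Apple's
        # "Developer ID Certification Authority".
        return (any(a.startswith("Developer ID Application:") for a in self.authorities)
                and "Developer ID Certification Authority" in self.authorities)

def parse_codesign(output: str) -> SigningInfo:
    """Pull the identity fields a responder cares about out of codesign's key=value lines."""
    info = SigningInfo()
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            info.identifier = value.strip()
        elif key == "TeamIdentifier":
            info.team_id = value.strip()
        elif key == "Authority":
            info.authorities.append(value.strip())
    return info

def triage(output: str, revoked_team_ids: set) -> dict:
    """Report who signed the bundle and whether that team ID is on a local block list."""
    info = parse_codesign(output)
    return {
        "identifier": info.identifier,
        "team_id": info.team_id,
        "signer": info.authorities[0] if info.authorities else "",
        "developer_id_signed": info.developer_id_signed,
        "team_revoked": info.team_id in revoked_team_ids,
    }
```

This only reads the identity out of the signature; whether Apple has actually revoked the certificate is what `spctl --assess -v` on the Mac checks when it consults Gatekeeper.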

Appelbaum said that he may publish more details on the attack once he ascertains the threat to the victim’s life. Someone was gunning for him, after all, and given what’s going on in Angola these days, that’s a sensible precaution.

Related
  • Wirehedd

    So how about releasing the identity of the “valid Apple Developer” who supposedly released this malware. I’d be interested to know who it was or who had access to his ID to release this.

    Of course, there is the chance that this may not be a case of bad developer as much as it may be a case of “stupid developer policy” that can be exploited in nasty ways, right? :)

  • joewaylo

    My guess: The developer shared his Apple ID with someone which is a violation of TOS. That particular someone is setting him up to take a very big fall.

About the author

John Brownlee is a Contributing Editor. He has also written for Wired, Playboy, Boing Boing, Popular Mechanics, VentureBeat, and Gizmodo. He lives in Boston with his wife and two parakeets. You can follow him here on Twitter.
