Cybersecurity researchers have shared details about a macOS malware strain that found a novel way to bypass privacy protections in order to take screenshots of a victim’s desktop.
Apple's macOS relies on the Transparency, Consent, and Control (TCC) framework to regulate installed apps’ use of the computer’s resources, such as the webcam and the microphone.
Security researchers from mobile device management (MDM) firm Jamf discovered the XCSSET malware was exploiting a now-patched zero-day vulnerability in macOS to bypass Apple’s TCC framework.
The XCSSET malware was first discovered in August 2020 inside the Xcode integrated development environment (IDE) that’s used by developers on macOS to create applications for iPhone, iPad, Mac, Apple Watch, and Apple TV.
Piggyback permissions
Thanks to this unique attack vector, legitimate Apple developers unwittingly distributed the malware to their users, in what security researchers describe as a supply-chain-like attack.
Crucially, despite being outed, the authors behind the malware have been constantly updating it, and more recent variants are designed to target the M1 Macs.
“When it was initially discovered XCSSET was thought to utilize two zero-day exploits...Diving further still into the malware, Jamf discovered that it has also been exploiting a third zero-day to bypass Apple’s TCC framework,” the Jamf security researchers explained in their analysis.
While dissecting the malware, Jamf researchers found that it searches for other apps on the victim’s computer that are frequently granted screen-sharing permissions.
Once found, it then places a file with malicious screen recording code in the same directory as the legitimate app, in order to inherit the permissions of the legitimate screen-sharing app.
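The piggybacking described above works because the dropped file lives inside a directory that already carries the legitimate app's permission grant, but it is not part of that app's code-signing seal. The following script is an added example (not code from the article or from Jamf's research) of the defensive check a practitioner would run: it parses a bundle's `Contents/_CodeSignature/CodeResources` manifest with `plistlib` and flags any file under `Contents/` that is absent from the seal or whose content no longer matches it. On macOS the native equivalent is `codesign --verify --deep --strict <bundle>`; this version runs anywhere Python runs, against a constructed sample bundle. The seal layout it models (a `files2` dict keyed by paths relative to `Contents/`, `hash2` holding a SHA-256 digest, executables carrying `cdhash` instead) is an assumption about real manifests, and the bundle name, identifier and file contents are sample data.

```python
"""Flag files inside a macOS .app bundle that are not covered by its code-signing seal.

Added example, not from the article or Jamf's analysis. A simplified stand-in for
`codesign --verify --deep --strict` so the logic can run off macOS. A file dropped
into a signed app's directory to piggyback on its TCC grant is not listed in the
bundle's CodeResources manifest, which is what this check looks for.
Assumption: CodeResources is a plist with a "files2" dict mapping paths relative to
Contents/ to seal entries ("hash2" = SHA-256 of content, or "cdhash" for executables).
"""
import hashlib
import os
import plistlib
import tempfile

SEAL_PATH = os.path.join("Contents", "_CodeSignature", "CodeResources")


def sealed_entries(bundle):
    """Load the files2 section of the bundle's CodeResources manifest."""
    with open(os.path.join(bundle, SEAL_PATH), "rb") as f:
        seal = plistlib.load(f)
    return seal.get("files2", {})


def audit_bundle(bundle):
    """Return (unsealed, modified): paths under Contents/ missing from the seal,
    and sealed paths whose content hash no longer matches. Info.plist and the
    _CodeSignature directory are covered by the CodeDirectory, not files2, so
    they are skipped here."""
    entries = sealed_entries(bundle)
    contents = os.path.join(bundle, "Contents")
    unsealed, modified = [], []
    for root, _dirs, files in os.walk(contents):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, contents)
            if rel == "Info.plist" or rel.startswith("_CodeSignature"):
                continue
            entry = entries.get(rel)
            if entry is None:
                unsealed.append(rel)          # present on disk, absent from the seal
                continue
            expected = entry.get("hash2")     # executables carry cdhash instead; skip those
            if expected is not None:
                with open(full, "rb") as f:
                    if hashlib.sha256(f.read()).digest() != expected:
                        modified.append(rel)  # sealed, but content was changed after signing
    return sorted(unsealed), sorted(modified)


def build_sample_bundle(base, extra_file=None, tamper=None):
    """Construct a minimal bundle with a sample manifest (constructed data, not a real
    signature). extra_file adds an unsealed file; tamper rewrites a sealed file's bytes."""
    bundle = os.path.join(base, "Donor.app")
    contents = os.path.join(bundle, "Contents")
    for sub in ("MacOS", "Resources", "_CodeSignature"):
        os.makedirs(os.path.join(contents, sub))
    files = {
        "MacOS/Donor": b"\xcf\xfa\xed\xfe sample executable",
        "Resources/icon.icns": b"sample icon bytes",
    }
    for rel, data in files.items():
        with open(os.path.join(contents, rel), "wb") as f:
            f.write(data)
    with open(os.path.join(contents, "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleIdentifier": "com.example.donor"}, f)
    seal = {"files2": {
        "MacOS/Donor": {"cdhash": b"\x00" * 20, "requirement": "identifier com.example.donor"},
        "Resources/icon.icns": {"hash2": hashlib.sha256(files["Resources/icon.icns"]).digest()},
    }}
    with open(os.path.join(contents, "_CodeSignature", "CodeResources"), "wb") as f:
        plistlib.dump(seal, f)
    if extra_file:
        with open(os.path.join(contents, extra_file), "wb") as f:
            f.write(b"file added after signing")
    if tamper:
        with open(os.path.join(contents, tamper), "wb") as f:
            f.write(b"content changed after signing")
    return bundle


def demo():
    """Audit a clean bundle, one with an added file, and one with a modified file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = build_sample_bundle(os.path.join(tmp, "clean"))
        added = build_sample_bundle(os.path.join(tmp, "added"), extra_file="Resources/extra.bin")
        changed = build_sample_bundle(os.path.join(tmp, "changed"), tamper="Resources/icon.icns")
        return audit_bundle(clean), audit_bundle(added), audit_bundle(changed)


if __name__ == "__main__":
    for label, result in zip(("clean", "added file", "modified file"), demo()):
        print(f"{label}: unsealed={result[0]} modified={result[1]}")
```

Running the script prints an empty result for the clean bundle, reports `Resources/extra.bin` as unsealed for the second, and reports `Resources/icon.icns` as modified for the third. Because TCC grants attach to the app's identity rather than to each file on disk, an unsealed file inside a bundle that holds Screen Recording or other sensitive permissions is exactly the condition worth alerting on.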
Importantly, however, Apple has already patched the vulnerability that made this exploit possible, and urges all macOS 11.4 users to install the fix without delay.
Via TechCrunch