A security researcher has demonstrated how a cybersecurity tool built into macOS can easily be circumvented by “somewhat sophisticated” malware.
Presenting at the recent DEF CON hacking conference, Patrick Wardle outlined a way to bypass the work of the macOS Background Task Management mechanism and stay out of sight while installing even more malware on the target endpoint.
Background Task Management is a built-in tool that has shipped with macOS since October 2023. It monitors installed programs and apps for persistence, which is often a telltale sign of malware. If it finds apps that persist - despite being repeatedly killed - it will notify the user which can then scan the device for potential problems.
Three methods
Wardle found three ways to bypass this tool. One requires having root access to the device which defeats the whole purpose somewhat (if a threat actor already has root access, they can make all kinds of changes). Two, however, don’t require root access and can be used to disable the notifications. One of the ways requires using a bug in the way the alerting system communicates with the kernel. The other leverages the users’ ability to put processes to sleep.
Wardle said he decided to take his findings to DEF CON instead of taking it to Apple, because he already reached out to the company when it first debuted the tool, after finding a few flaws. The company fixed the flaws, but did not address the root cause of the problem.
“We went back and forth, and eventually, they fixed that issue, but it was like putting some tape on an airplane as it’s crashing,” Wardle says. “They didn't realize that the feature needed a lot of work.”
Whether or not Apple fixes the issues remains to be seen. At press time, the company is yet to address the findings.
- Stay protected online with these best endpoint security software
Via: Wired