

Pirated and trojanized applications frequently abuse legitimate application bundles to subvert core macOS security controls. Unfortunately, this is not an uncommon scenario, as seen with the EvilQuest/ThiefQuest, Shlayer and Silver Toucan/UpdateAgent/WizardUpdate malware families (just to name a few), which frequently leverage masquerading tactics to hide their true nature. Additionally, if a user downloads a pirated application that has also been trojanized, they run the risk of infecting themselves. Software pirates are individuals who illicitly distribute applications like Microsoft Office, popular games (e.g., Fortnite), and productivity software (e.g., Adobe Photoshop) free of charge, usually over peer-to-peer services. Historically, legitimate apps have been targeted by adversaries and software pirates alike. Unfortunately, this has led to many developers’ apps being pirated or abused.

In this thread, two developers discuss the inherent inability of macOS to protect their applications against tampering (as of Monterey). In fact, this has become such a problem that developers have begun to point this out in Apple’s own developer forums. Subversion on this level has the potential to impact one of macOS’s first layers of defense: Gatekeeper.

In this article, we’ll break down two forms of application bundle manipulation:

In this context, a malicious actor could gain capabilities like privilege escalation and defense evasion. Traditionally, application bundles have been very loosely defined, and one could manipulate them to subvert core macOS security controls. In the world of macOS, apps are, for all intents and purposes, packaged as application bundles.
