macOS zero-day bypasses webcam, storage access alert prompts – Security
Security researchers have described an ingenious zero-day malware attack that bypassed the restrictions in Apple's macOS operating system that alert users when an application accesses their webcam or microphone.
XCSSET, malware first analyzed by security provider Trend Micro [pdf] in August of last year, infects Apple Xcode software development projects in order to carry out supply chain attacks.
It actively exploits a zero-day vulnerability to take screenshots of users' desktops without asking their permission, JAMF researchers said.
JAMF researchers Stuart Ashenbrenner, Jaron Bradley and Ferdous Saljooki said the exploit could be used by attackers to gain full disk access, screen recording and other capabilities that would normally require explicit permission from users in the form of a pop-up prompt.
The malware searches for already installed applications to which users have previously granted these system access permissions, such as the Zoom video conferencing software.
XCSSET can rely on these "donor apps" to run its own malicious code and reach the webcam and microphone without triggering the prompts created by Apple's Transparency, Consent, and Control (TCC) framework that would normally alert users to what is happening.
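The donor-app technique works because TCC records a grant per application, so anything that runs from inside an approved bundle inherits the approval. A defender-side check therefore starts from the TCC database: list which apps hold camera, microphone, screen-recording or full-disk grants, then inspect those bundles for content that does not belong, such as a nested .app bundle, and verify their code signatures. The script below is an added example, not code from the Jamf or Trend Micro reports. It assumes the `access` table in TCC.db exposes the columns `service`, `client`, `client_type` and `auth_value` (the macOS 11 schema) and that `auth_value` 2 means "allowed"; the database paths are the standard user and system locations, and reading the real database requires Full Disk Access. The sample database and app trees it builds are constructed data so that it runs offline.

```python
"""Inventory approved TCC grants and look inside the granted ("donor") app
bundles for nested .app bundles; verify code signatures where codesign exists.
Added example; assumes the macOS 11 TCC.db schema noted in the lead-in."""
import os
import pathlib
import shutil
import sqlite3
import subprocess
import tempfile

# Services whose prompts the malware avoided by riding on an approved app.
SENSITIVE_SERVICES = {
    "kTCCServiceCamera",
    "kTCCServiceMicrophone",
    "kTCCServiceScreenCapture",
    "kTCCServiceSystemPolicyAllFiles",
}
ALLOWED = 2    # auth_value for an approved grant on macOS 11+ (assumption)
BUNDLE_ID = 0  # client_type 0 = bundle identifier, 1 = absolute path

# Standard database locations (user db holds camera/mic, system db holds the rest).
USER_TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def granted_clients(db_path):
    """Return {client: sorted services} for every approved grant to a sensitive service."""
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"  # open read-only
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT client, service FROM access WHERE auth_value = ?", (ALLOWED,)
        ).fetchall()
    finally:
        con.close()
    grants = {}
    for client, service in rows:
        if service in SENSITIVE_SERVICES:
            grants.setdefault(client, set()).add(service)
    return {c: sorted(s) for c, s in grants.items()}


def nested_bundles(app_path):
    """List .app bundles nested inside app_path; a payload parked there inherits the grant."""
    found = []
    for root, dirs, _files in os.walk(app_path):
        found.extend(os.path.join(root, d) for d in dirs if d.endswith(".app"))
    return sorted(found)


def codesign_ok(app_path):
    """Deep, strict signature check; None when codesign is unavailable (non-macOS host)."""
    if shutil.which("codesign") is None:
        return None
    result = subprocess.run(["codesign", "--verify", "--deep", "--strict", app_path],
                            capture_output=True)
    return result.returncode == 0


def audit(db_path, bundle_paths):
    """bundle_paths maps a TCC client (bundle id) to its on-disk .app path."""
    findings = []
    for client, services in sorted(granted_clients(db_path).items()):
        path = bundle_paths.get(client)
        nested = nested_bundles(path) if path else []
        signed = codesign_ok(path) if path else None
        findings.append({
            "client": client, "services": services, "nested": nested, "codesign": signed,
            # An unexpected nested bundle or a failing signature warrants a closer look.
            "suspicious": bool(nested) or signed is False,
        })
    return findings


def build_sample(base):
    """Constructed TCC.db and app trees for an offline run (sample data, not a real system)."""
    db_path = os.path.join(base, "TCC.db")
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, "
                "client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.donor", BUNDLE_ID, ALLOWED),
        ("kTCCServiceMicrophone", "com.example.donor", BUNDLE_ID, ALLOWED),
        ("kTCCServiceCamera", "com.example.clean", BUNDLE_ID, ALLOWED),
        ("kTCCServiceScreenCapture", "com.example.denied", BUNDLE_ID, 0),  # denied grant
    ])
    con.commit()
    con.close()
    apps = {}
    for name in ("donor", "clean"):
        apps[f"com.example.{name}"] = os.path.join(base, f"{name.title()}.app")
        os.makedirs(os.path.join(apps[f"com.example.{name}"], "Contents", "MacOS"))
    # Stand-in for a payload bundle dropped inside the granted ("donor") app.
    os.makedirs(os.path.join(apps["com.example.donor"], "Contents", "MacOS",
                             "Payload.app", "Contents", "MacOS"))
    return db_path, apps


def run_demo():
    """Build the constructed sample in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        db_path, apps = build_sample(base)
        return audit(db_path, apps)


if __name__ == "__main__":
    for f in run_demo():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['client']}  {', '.join(f['services'])}  nested={f['nested']}")
```

On a real Mac you would call `audit(USER_TCC_DB, ...)` and `audit(SYSTEM_TCC_DB, ...)` with a bundle-id-to-path map built from the installed applications; a nested bundle is not proof of compromise, since some legitimate apps ship helper apps, but any nested bundle that is not covered by the outer bundle's signature is exactly what the `codesign --deep --strict` check will reject.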
A new aspect of the malware is its use of AppleScript, a scripting language that can be used to control macOS applications.
"Most of the time, the malware author uses AppleScripts in his attack chain due to the ease with which he handles many bash commands, even downloading and / or running Python scripts in an attempt to hide their intentions through confusing use of various scripting languages," the researchers wrote.
Apple fixed the vulnerability in macOS 11.4 and added detection for the malware to its XProtect software.
It's unclear which threat actor is behind XCSSET, which has used two other zero-days in the past.
One exploit bypassed macOS System Integrity Protection (SIP) to access Safari browser cookies.
A second bypassed permission prompts to install a developer version of the Safari browser, Trend Micro found.
Those two zero-day exploits were also fixed by Apple in macOS 11.4.
Apple's senior vice president of software engineering, Craig Federighi, recently raised eyebrows when he testified under oath in the Epic Games lawsuit that the company's Mac platform has a level of malware "which we do not find acceptable".
Federighi said there have been 130 types of Mac malware, with one infecting 300,000 systems.
Still, Federighi maintained that the Mac is as secure as a PC-class device can be.