Malware has no trouble hiding and bypassing macOS user warnings

Apple works hard to make its software secure. Beyond primary protections that prevent malware infections in the first place, company engineers also build a variety of defense-in-depth measures that are designed to lessen the damage that can happen once a Mac is compromised. Now, a former National Security Agency hacker and macOS security expert has exposed a major shortcoming in one such measure.

The measure presents a confirmation window that requires users to click an OK button before an installed app can access geolocation, contacts, or calendar information stored on the Mac. Apple engineers added the requirement to act as a secondary safeguard. Even if a machine was infected by malware, the thinking went, the malicious app wouldn’t be able to copy this sensitive data without the owner’s explicit permission.

In a presentation at the Defcon hacker convention in Las Vegas over the weekend, Wardle said it was trivial for malware to bypass the warnings by using a programming interface built into macOS to simply click the OK button. The bypass requires only a few lines of extra code. This “synthetic click,” as Wardle called it, works almost immediately and can be done in a way that prevents an end user from seeing the warning.

“The ability to synthetically interact with a myriad of security prompts allows you to do a lot of malicious stuff,” Wardle told Ars. “This privacy and security-in-depth protection can be easily bypassed.”

Unexpected OK

The synthetic clicks are produced by using a macOS interface that converts keyboard key presses into mouse movements. Mouse keys, as the interface is known, lets a user move a mouse up, down, to the right or left, or in diagonal directions by pressing certain keys as diagrammed below:

To Wardle’s amazement, he found by accident that when presenting the alerts, macOS interprets the sending of two mouse-down events as an OK. As a result, he is able to create code that completely bypasses the warnings when doing a variety of things that have serious security and privacy consequences. The bypass works against warnings that protect the accessing of geolocation, contacts, and calendar entries. It also works against warnings displayed when apps want to install “kexts,” which are kernel extensions that interact with the core of the macOS.

Malware often uses these resources to steal sensitive information stored on infected Macs and install kexts. The sneaky Genio adware, DevilRobber currency mining malware, and the insidious Fruitfly malware that stole millions of images from infected Macs over a 13-year period all used synthetic clicks to bypass defense-in-depth warnings.

Apple responded to these in-the-wild wares by making the alerts harder to bypass, but Wardle’s finding exposes a major flaw in that work. The mouse-keys bypass doesn’t work against all warnings. Alerts displayed when malware tries to access the Mac keychain, for instance, still require a user to enter a password. But for reasons that aren’t clear, alerts for kexts and for accessing geolocation, contacts, and calendars are easy to get past. The upcoming Mojave, Wardle said, blocks his bypass, but the change will come at the cost of usability for some users. Representatives from Apple didn’t respond to an email seeking comment for this post.

Wardle, for his part, said the bypass raises questions about how the company rolled out the improvements. “I wasn’t trying to find a bypass, but I uncovered a way to fully break a foundational security mechanism,” said Wardle, who is the developer of the Objective-See Mac tools and Chief Research Officer at Digita Security. “If a security mechanism falls over so easily, did they not test this? I’m almost embarrassed to talk about it.”