An Apple Malware-Flagging Tool Is ‘Trivially’ Easy to Bypass


One of your Mac’s built-in malware detection tools may not be working quite as well as you think. At the Defcon hacker conference in Las Vegas, longtime Mac security researcher Patrick Wardle presented findings today about vulnerabilities in Apple’s macOS Background Task Management mechanism, which could be exploited to bypass and, therefore, defeat the company’s recently added monitoring tool.

There’s no foolproof method for catching malware on computers with perfect accuracy because, at their core, malicious programs are just software, like your web browser or chat app. It can be difficult to tell the legitimate programs from the transgressors. So operating system makers like Microsoft and Apple, as well as third-party security companies, are always working to develop new detection mechanisms and tools that can spot potentially malicious software behavior in new ways.

Apple’s Background Task Management tool focuses on watching for software “persistence.” Malware can be designed to be ephemeral and operate only briefly on a device or until the computer restarts. But it can also be built to establish itself more deeply and “persist” on a target even when the computer is shut down and rebooted. Lots of legitimate software needs persistence so all of your apps and data and preferences will show up as you left them every time you turn on your device. But if software establishes persistence unexpectedly or out of the blue, it could be a sign of something malicious. 

With this in mind, Apple added Background Task Manager in macOS Ventura, which launched in October 2022, to send notifications both directly to users and to any third-party security tools running on a system if a “persistence event” occurs. This way, if you know you just downloaded and installed a new application, you can disregard the message. But if you didn’t, you can investigate the possibility that you’ve been compromised. 

“There should be a tool [that notifies you] when something persistently installs itself, it’s a good thing for Apple to have added, but the implementation was done so poorly that any malware that’s somewhat sophisticated can trivially bypass the monitoring,” Wardle says about his Defcon findings. 

Apple could not immediately be reached for comment.

As part of his Objective-See Foundation, which offers free and open source macOS security tools, Wardle has offered a similar persistence event notification tool known as BlockBlock for years. “Because I’ve written similar tools, I know the challenges my tools have faced, and I wondered if Apple’s tools and frameworks would have the same issues to work through—and they do,” he says. “Malware can still persist in a manner that is completely invisible.”

When Background Task Manager first debuted, Wardle discovered some more basic issues with the tool that caused persistence event notifications to fail. He reported them to Apple, and the company fixed the error. But the company didn’t identify deeper issues with the tool.

“We went back and forth, and eventually, they fixed that issue, but it was like putting some tape on an airplane as it’s crashing,” Wardle says. “They didn’t realize that the feature needed a lot of work.”



Source link