For years, Mac users have felt a sense of security thanks to Apple’s strict notarization process, a system meant to vouch for an app’s safety before it runs. However, a new report from Apple device security experts at Jamf Threat Labs shows that hackers are finding ways to get that official seal of approval for their own malicious tools.
Researchers identified this trick while tracking a piece of malware called MacSync Stealer. In the past, attackers relied on “clunky” tricks like drag-to-terminal or ClickFix, which forced users to manually drag files into the Mac’s Terminal or paste copied commands to trigger an infection. The newly discovered version is much more dangerous because it removes these manual steps entirely.
Bypassing the Digital Guard
This latest version arrives disguised as a harmless installer for a chat app called ‘zk-call.’ What makes this specific attack so sneaky is that it was code-signed and notarised. The hackers signed it with a fraudulently obtained Developer Team ID (GNJLS3UYZ4), so macOS treated the software as legitimate.
According to Jamf’s blog post, shared with Hackread.com, the file was even ‘inflated’ with large, useless PDFs to make it look like a heavy, professional application.
Further probing revealed that once you open the installer (specifically a file named zk-call-messenger-installer-3.9.2-lts.dmg), a hidden script starts working in the background. It doesn’t start causing trouble right away, though. “This shift in distribution reflects a broader trend,” the researchers noted, where malware acts more like a “sleeper agent” to avoid detection.

A Patient Thief
What’s interesting is that MacSync Stealer is surprisingly patient. It creates a log file named UserSyncWorker.log to track its own activity. If it sees that it has already run within the last hour (3,600 seconds), it simply goes to sleep. This ‘throttling’ makes it much harder for security software to notice a constant, suspicious flow of data.
The end goal is a direct hit on your privacy, because the software specifically hunts for login.keychain-db, the file in which your Mac’s login keychain stores every password you’ve saved. To get inside, it may trigger a fake pop-up asking for your system password. So, if you see a random request for your password immediately after installing a new app, it’s a massive red flag.
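As an added example (not code from the Jamf report or this article), the following Python triage helper checks the output of `codesign -dv --verbose=4` for the revoked Team ID and flags the log and installer file names mentioned above; the sample codesign output and its bundle identifier are constructed, and the location of UserSyncWorker.log is an assumption, since the report only gives its name.

```python
"""Triage helper for the MacSync Stealer indicators described in the article."""
import os
import re
import subprocess
from typing import List, Optional

# Indicators taken from the report above.
REVOKED_TEAM_ID = "GNJLS3UYZ4"
LOG_NAME = "UserSyncWorker.log"
DMG_NAME = "zk-call-messenger-installer-3.9.2-lts.dmg"

# codesign prints one "TeamIdentifier=..." line per signed bundle (on stderr).
TEAM_RE = re.compile(r"^TeamIdentifier=(\S+)$", re.MULTILINE)

# Constructed sample of `codesign -dv --verbose=4` output; the bundle
# identifier is made up for illustration.
SAMPLE_CODESIGN = """Executable=/Applications/zk-call.app/Contents/MacOS/zk-call
Identifier=com.example.zkcall
Format=app bundle with Mach-O thin (arm64)
TeamIdentifier=GNJLS3UYZ4
"""


def team_id_from_codesign(output: str) -> Optional[str]:
    """Return the TeamIdentifier from codesign output, or None if unsigned/ad-hoc."""
    m = TEAM_RE.search(output)
    return m.group(1) if m else None


def is_revoked_team(output: str) -> bool:
    """True when the signing Team ID is the one Apple revoked in this case."""
    return team_id_from_codesign(output) == REVOKED_TEAM_ID


def codesign_output(app_path: str) -> str:
    """Run codesign on a real bundle (macOS only); details are written to stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                          capture_output=True, text=True)
    return proc.stderr


def matches_indicator(path: str) -> bool:
    """True when a path's file name is the throttle log or the malicious DMG."""
    return os.path.basename(path) in (LOG_NAME, DMG_NAME)


def triage_paths(paths: List[str]) -> List[str]:
    """Filter a list of paths (e.g. from os.walk over a home directory) to hits."""
    return sorted(p for p in paths if matches_indicator(p))
```

On a real Mac, feed `codesign_output("/Applications/zk-call.app")` to `is_revoked_team` and pass the file list from `os.walk(os.path.expanduser("~"))` into `triage_paths`.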
Apple has since revoked the digital certificate used by these attackers, but the incident shows that a notarised app isn’t always a safe one.
