Jamf, a vendor of Apple device management software that also develops applications for iOS and macOS, has reported a vulnerability in macOS that lets the XCSSET malware bypass Transparency, Consent and Control (TCC), the privacy mechanism that normally requires the user's permission before an application can record the screen, use the microphone or webcam, or read protected data.
XCSSET was first documented by Trend Micro in 2020. It targets Apple developers by injecting itself into their Xcode projects, so that anyone who builds, tests or uses the resulting apps is infected in turn. Trend Micro described this as a supply chain attack: rather than going after end users directly, the malware hides in the developer's build and ships inside the finished software. It has been updated regularly since, with newer variants seen across the globe, including native builds for Apple's M1 chip.
How does the XCSSET malware work?
Trend Micro's analysis described two zero-day exploits used on the victim's computer. The first steals the Safari browser's cookies, which give the attacker access to the user's logged-in online accounts. The second installs a development version of Safari and uses it to inject the attacker's own code into whatever websites the victim visits. Jamf has now found a third zero-day: a bypass that let the malware take screenshots of the user's screen without the user ever being prompted.
Jamf researchers Jaron Bradley, Ferdous Saljooki and Stuart Ashenbrenner explain that the malware looks for applications already installed on the victim's computer that have been granted the Screen Recording permission. Once it finds one, it plants its own screen-capturing app bundle inside that application's bundle and rides on the donor's permission. Popular video-conferencing and chat apps such as Zoom, Slack and WhatsApp were among the donors, and their macOS permissions were shared with the malware without either the app or the user being aware. XCSSET ad-hoc signs the newly created bundle, which helps it avoid being flagged by macOS's code-signing checks.
By design, macOS asks the user for permission before it grants an application access to sensitive resources, including recording the screen, using the webcam or microphone, and reading protected areas of storage. XCSSET bypassed those prompts by piggybacking on legitimate software that had already been granted access, so no new prompt was ever shown and the malware stayed under the radar.
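As an added illustration, not part of the original article and not Jamf's tooling, the Python script below shows the check a defender can run against the technique described above: it reads the bundle identifiers granted Screen Recording from a copy of the TCC database, then looks inside each of those application bundles for an extra .app planted within it. On a real Mac, TCC.db lives under Library/Application Support/com.apple.TCC/ (system-wide under /Library and per-user under ~/Library) and reading it requires Full Disk Access. Here the script runs against a constructed fixture: the bundle identifiers (com.example.*), the bundle named planted.app, and the hand-supplied mapping from bundle identifier to on-disk path are all invented for the example; the TCC schema columns used are the subset the query needs.

```python
"""Check for an XCSSET-style TCC piggyback: an extra .app bundle planted inside
an application that already holds the Screen Recording permission.

Added example; not Jamf's tooling. The TCC schema columns used here are the
subset needed for the query; the sample database and bundles are constructed.
"""
import os
import sqlite3
import tempfile

SCREEN_CAPTURE = "kTCCServiceScreenCapture"
AUTH_ALLOWED = 2  # auth_value meaning "allowed" in the macOS 11 schema


def screen_capture_clients(db_path):
    """Return the bundle identifiers granted Screen Recording in a TCC.db."""
    con = sqlite3.connect(db_path)
    try:
        cols = {row[1] for row in con.execute("PRAGMA table_info(access)")}
        if "auth_value" in cols:  # macOS 11+ schema
            rows = con.execute(
                "SELECT client FROM access WHERE service=? AND auth_value=?",
                (SCREEN_CAPTURE, AUTH_ALLOWED))
        else:  # the macOS 10.15 schema used a boolean 'allowed' column
            rows = con.execute(
                "SELECT client FROM access WHERE service=? AND allowed=1",
                (SCREEN_CAPTURE,))
        return sorted({row[0] for row in rows})
    finally:
        con.close()


def nested_app_bundles(app_path):
    """Paths (relative to app_path) of any .app bundle found inside it."""
    found = []
    for root, dirs, _files in os.walk(app_path):
        for name in dirs:
            if name.endswith(".app"):
                rel = os.path.relpath(os.path.join(root, name), app_path)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def find_piggybacks(db_path, app_paths):
    """Map each Screen Recording client whose bundle carries a nested .app to
    the list of nested bundles. app_paths maps bundle id -> .app directory;
    on a real Mac resolve it with: mdfind "kMDItemCFBundleIdentifier == '<id>'"
    """
    hits = {}
    for client in screen_capture_clients(db_path):
        path = app_paths.get(client)
        if path and os.path.isdir(path):
            nested = nested_app_bundles(path)
            if nested:
                hits[client] = nested
    return hits


def build_fixture(base):
    """Constructed sample (no real apps, no real malware): a minimal TCC.db plus
    three app bundles, one of which hides a planted .app inside Contents/MacOS."""
    db = os.path.join(base, "TCC.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, "
                "client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (SCREEN_CAPTURE, "com.example.meet", 0, AUTH_ALLOWED),   # donor app
        (SCREEN_CAPTURE, "com.example.chat", 0, AUTH_ALLOWED),   # clean app
        ("kTCCServiceMicrophone", "com.example.meet", 0, AUTH_ALLOWED),
        (SCREEN_CAPTURE, "com.example.denied", 0, 0),            # not granted
    ])
    con.commit()
    con.close()
    apps = {}
    for bundle_id, name, planted in [("com.example.meet", "Meet.app", True),
                                     ("com.example.chat", "Chat.app", False),
                                     ("com.example.denied", "Denied.app", True)]:
        app = os.path.join(base, "Applications", name)
        macos_dir = os.path.join(app, "Contents", "MacOS")
        os.makedirs(macos_dir)
        if planted:
            os.makedirs(os.path.join(macos_dir, "planted.app", "Contents", "MacOS"))
        apps[bundle_id] = app
    return db, apps


def run_demo():
    """Build the fixture in a temp dir and return (granted clients, hits)."""
    base = tempfile.mkdtemp(prefix="tcc-demo-")
    db, apps = build_fixture(base)
    return screen_capture_clients(db), find_piggybacks(db, apps)


if __name__ == "__main__":
    clients, hits = run_demo()
    print("Screen Recording granted to:", clients)
    for client, nested in hits.items():
        print(f"SUSPECT {client}: nested bundle(s) {nested}")
```

Two caveats when running this for real. Only applications that TCC has actually granted Screen Recording are scanned, which is the right scope for this technique (the planted bundle in the denied app above is deliberately ignored). And nested helper apps are legitimate in many applications (browsers, for instance, ship helper apps inside their frameworks), so a hit is a lead rather than a verdict: compare the bundle against a fresh copy from the vendor and run codesign -dvv on the nested bundle. A nested bundle reported as Signature=adhoc inside a host that carries the vendor's Developer ID signature is the pattern XCSSET relied on.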
Finally, Jamf notes that although the samples it analysed only captured screenshots of the victim's desktop, the technique is not limited to screen recording. Any permission the donor application already holds, including access to the webcam, the microphone and keystrokes, could be inherited the same way, exposing the user's personal data.
Apple has confirmed that the bug is fixed in macOS 11.4, which has already started rolling out to users. Until the update is applied, the practical mitigation is to review which applications hold Screen Recording and other privacy permissions on the machine.