Cybersecurity researchers at Jamf have identified a serious vulnerability in macOS that allowed malware to bypass all security measures and access parts of the system that require user permission. The exploit is used by the XCSSET malware.
Its latest nasty trick involves exploiting that zero-day to take screenshots on the victim’s device. The malware completely avoids detection by macOS by bypassing the permissions prompt and infecting other apps.
While capturing unsolicited screenshots is bad enough, researchers warn that the malware bypasses permissions for the webcam, microphone, and even keystrokes. It can quite literally record everything happening on the computer.
In a recent blog post, Jamf’s researchers explain that the malware is able to write itself into popular apps like Zoom and Slack. It then modifies and signs the app to avoid further detection by the OS. XCSSET specifically looks for apps that have screen-sharing rights from the user.
Unfortunately, attacks using XCSSET aren’t new. This nasty malware has been causing mayhem since 2020. At the time, Trend Micro’s researchers found that the malware was infecting Apple developers’ projects, thus distributing itself directly through the supply chain. Its entry point was Xcode, an official development environment used for creating macOS and iOS apps.
After reaching the end users, XCSSET uses two exploits to inject itself into the Safari browser, replacing the app with the development version and scanning the victim’s cookies for any accounts it can steal. Researchers reported at the time that the malware was even able to fool the brand-new M1 chip and bypass its security measures.
Luckily, Apple has already acknowledged this zero-day and issued an update to macOS that fixes this vulnerability. If you’ve already updated to macOS 11.4, your device is protected. Still, we advise users to install antivirus for Mac for additional protection. At a time when the world is witnessing a surge in malware and cyberattacks, you can never have too much protection on your computer.