Security experts reported that a vulnerability connected with the Gatekeeper authentication feature in macOS is being exploited to deliver a malicious software package called “OSX/Linker.”
The exploit which was found by the security researcher Filippo Cavallarin, functions thanks to two basic Mac features: automount and Gatekeeper.
According to Tom’s Guide, Gatekeeper funnels files downloaded from the internet to Apple’s XProtect antivirus screener; however, it grants files from a local storage device — mounted via automount — safe passage without scrutiny.
By bypassing the normal screening protocols, Filippo Cavallarin managed to trick Gatekeeper into thinking that a downloaded file originated from a local drive.
Reportedly, the researcher contacted Apple about the issue in February but published the details on May 24 because the problem had not been fixed.
Gatekeeper authentication in macOS is a tool created to keep malware off Macs; however, because of the vulnerability found by Filippo Cavallarin, it cannot function properly. The accompanying OSX/Linker malware attempts to hijack the Mac for a number of malicious activities – from crypto mining to data theft.
By now, the code has been uploaded four times to VirusTotal, a repository experts use to detect and share malware samples. Although that is a relatively small number of uploads, the malware is already detected by Intego software and some other antivirus tools. Thus, it should be quite easy to avoid OSX/Linker, especially if Mac users follow standard precautions such as refusing downloads from unknown sources.
Disabling automounting is another possible option, though it would require Mac users to manually connect and disconnect external drives each time they use them.