> It's a good reminder to get your software from trustworthy sources, like developers whose code is "signed" by Apple to prove its legitimacy, or from Apple's App Store itself.
Just because an application is signed with a developer ID is little guarantee that it’s trustworthy. And stuff from the App Store won’t hold your Mac up for ransom, but fairly concerning software has slipped past review.
Your computer might also be struck by a meteor, but it's pretty unlikely.
People are poor at evaluating risk, especially outside their areas of expertise. Getting software only from reputable sources is an EXCELLENT way to avoid malware. I'm not sure what your comment adds here.
Your computer might be struck by a meteor, but Apple has removed malicious apps from the Mac app store, and thousands from the iOS app store, despite registering the developers and reviewing the apps.
If Apple detected a piece of malware in the App Store and realized it had been downloaded thousands of times surely they can do something to help out those who have downloaded it? Like an update to the app to remove it possibly?
Personally I have to agree with your thoughts and I stopped torrenting years ago out of fear of ransomware and only buy legitimate software. Younger me was not able to afford that and my security suffered as a result.
When Apple identifies malware they can update macOS to block or remove it. This doesn't require the Mac app store to fix, and piracy doesn't have to be the cause, for instance Mac Defender was distributed through its own websites. Ironically it was suggested this fake anti-malware software could be avoided by using the Mac app store, but malicious anti-malware software has also been spread by and removed from the Mac app store. It's the same for users either way, Apple addresses the problem.
True, but the quote was "signed by Apple" so the real question is how much malware is signed by Apple? I have no idea what the actual figure is, so I am mildly curious, but my hunch is not much (if any).
And if it slips past review and you report it, it will get pulled. And might be remotely deactivated on all installs if it's concerning enough (Zoom's server). And if the developer is malicious Apple has their payment methods and verified address / identification proofs on file and will inform law enforcement.
> And if the developer is malicious Apple has their payment methods and verified address / identification proofs on file and will inform law enforcement.
A malicious developer is unlikely to provide valid credentials.
A malicious developer might reveal details about themselves during the transaction process despite using bogus credentials. They might reuse those credentials for other things, or provide other revealing details in what they upload. So at the very least the adversary is revealing how they would obfuscate their identity, which can be connected to past or future criminal activity.
Maybe not, but there's a card that was used to pay the fees, IP address logs for the uploads, whatever forged documents were used for identity verification, the fake DUNS number if it was a company, bank account details if there were paid apps, etc. There's also the hardware identifiers of any Apple hardware associated with that account, which would have been necessary for testing. There's lots of things to subpoena.
>Just because an application is signed with a developer ID is little guarantee that it’s trustworthy.
That's exactly what code signing is though. A little splish splash of encryption and you're sure that the dev is part of the Apple Dev program. However trustworthy could mean many things, from code that's not buggy to code that's simply not malicious. However code signing absolutely introduces a layer of trust.
Also there's a ton of real products that aren't in the app store for whatever reasons. Eg setting up a new developer machine, the whole homebrew scene is an absolute must. Then you get IntelliJ, Docker, Rustup, Go, etc etc.
Code signing is obviously going to be necessary at all steps, just not via Apple.
I learned today that not all Microsoft programs for the Macintosh are in the App Store. Outlook? Yep. Teams? Nope. I wonder why.
(I also note that Teams would only install for all users of the computer, not for the person currently logged in, which I thought was strange, but it's my company's computer, so I don't care that much.)
A lot of actual malware is signed with a legitimate developer ID. Not Microsoft or Adobe's cert, of course, but one that Apple handed out and has not (yet) revoked.
The signature can be revoked. Apple does OCSP to make sure that things are still valid. If the malware is bad enough for Apple to notice, then they'd revoke the signature. Sure, plenty of scummy stuff makes it under the radar, but if it were ransomware, hopefully Apple would respond quickly to that.
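What a Developer ID signature does and does not tell you can be seen from the command line. The following is an added example, not code from the thread or from Apple: it assumes a Mac with codesign(1) and spctl(8), the bundle path and Team ID are hypothetical, and the embedded codesign output is a constructed sample so the parsing part runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): inspect what a macOS app's signature
# actually proves. Assumes macOS with codesign(1) and spctl(8) installed;
# the bundle path and the Team ID below are hypothetical.

# Reduce `codesign -dv --verbose=4` output to "team|leaf|root":
#   team = TeamIdentifier, leaf = first Authority line (the signing cert),
#   root = last Authority line (the trust anchor). Reads stdin so it can be
#   run against captured text as well as live output.
parse_codesign_info() {
  awk '
    /^TeamIdentifier=/ { t = $0; sub(/^TeamIdentifier=/, "", t) }
    /^Authority=/      { v = $0; sub(/^Authority=/, "", v)
                         if (l == "") l = v
                         r = v }
    END { printf "%s|%s|%s\n", t, l, r }'
}

# Map the leaf authority name to the kind of Apple-issued identity it is.
# This says who Apple issued the certificate to, not whether the code is safe.
classify_signer() {
  case "$1" in
    "Developer ID Application:"*)                 echo developer-id ;;
    "Apple Mac OS Application Signing"*)          echo mac-app-store ;;
    "Apple Development:"*|"Apple Distribution:"*) echo apple-dev-program ;;
    "")                                           echo unsigned-or-adhoc ;;
    *)                                            echo unknown ;;
  esac
}

# Full check for a live bundle: signature integrity, Gatekeeper verdict
# (spctl consults revocation, so a pulled certificate is rejected here),
# then the identity summary. Only meaningful on a Mac.
assess_bundle() {
  bundle="$1"
  codesign --verify --deep --strict "$bundle" 2>&1 || echo "signature invalid or missing"
  spctl --assess --type execute -vv "$bundle" 2>&1    # prints accepted/rejected and source=
  info=$(codesign -dv --verbose=4 "$bundle" 2>&1 | parse_codesign_info)
  leaf=${info#*|}; leaf=${leaf%|*}
  echo "identity: $(classify_signer "$leaf")  ($info)"
}

# Constructed sample of `codesign -dv --verbose=4` output for a Developer ID
# signed app (hypothetical Team ID), so the parsing can be exercised off-Mac.
CONSTRUCTED_SAMPLE='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Classify the constructed sample: returns "developer-id".
demo_constructed_sample() {
  info=$(printf '%s\n' "$CONSTRUCTED_SAMPLE" | parse_codesign_info)
  leaf=${info#*|}; leaf=${leaf%|*}
  classify_signer "$leaf"
}

# Usage on a real machine (path is hypothetical):
#   assess_bundle /Applications/Example.app
```

The `spctl` verdict is what Gatekeeper would decide, revocation included; `classify_signer` only names the kind of Apple identity behind the leaf certificate, which is the point made above: the signature proves enrolment in the program and which account signed it, not what the code does. An unsigned or ad-hoc signed binary yields no `Authority=` lines at all and lands in `unsigned-or-adhoc`.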
> Just because an application is signed with a developer ID is little guarantee that it’s trustworthy
I think this is only true if you define "little" as "not a 100% gold-plated, certified FDIC-insured guarantee."
In most contexts, saying something is "little guarantee" means it's worthless. And, as frequently documented on HN and elsewhere, that's simply not true.
No, not really. There have been multiple instances of actual malware being distributed signed with a developer ID. This isn't theoretical; being signed is no assurance because these days it's hard to get such software to run at all on Macs if they weren't signed.
The landscape keeps changing, but in general phishing-style attacks are generally going to be a bigger problem than malfeasance by the actual company I'm dealing with. I also have at least some recourse in that case.
Apple has ways of punishing a publisher who is up to no good (and as we've seen, some publishers who aren't), so I can always run and tell mommy.
> Why is this a problem today and it wasn't one 10-20 years ago?
Our entire lives are now handled online, which makes cyber crime much more rewarding. Businesses rely much more on the internet. On top of that, cryptocurrency makes it way easier to monetize compromised systems, either via ransomware or via crypto miners. Malware has simply become much more lucrative to criminals.
Why is the panenka common now and it wasn't before 1970? Reality changed, man. People are evolving new attack techniques. You can't go back to that. The computer is not what you thought it was.
Don't these kinds of frankenstein mashups of different malware components of various quality occur pretty often, is there some reason the interviewees and reporter imply this is a mystery? Or are all the components previously unseen? If the latter, then would warrant speculation of how the competently implemented stack was burned by someone who didn't know how to set up the monetization properly.
> Don't these kinds of frankenstein mashups of different malware components of various quality occur pretty often
Yes.
> Or are all the components previously unseen?
Not really.
From TFA:
"My current gut feeling about all of this is that someone basically was designing a piece of Mac malware that would give them the ability to completely remotely control an infected system. And then they also added some ransomware capability as a way to make extra money."
That basically described how ransomware was born, god knows how long ago.
IMO the better question is why the hell attackers targeting macOS haven't been doing this until now (if we take their word for it).
> is there some reason the interviewees and reporter imply this is a mystery?
I suspect the reason is boring: they want to grab eyeballs.
>why the hell attackers targeting macOS haven't been doing this until now
AFAIK most companies which have business critical hardware that can't recover from ransomware attacks don't run macOS
Most probably run Linux ;) I think that creators of ransomware try to target the broader audience. The ROI is probably higher if you target Windows, as it is probably running on 95% of the personal computers worldwide. Linux servers probably have more valuable data, but better security and backups. While I would be curious to know the percentage of Mac users who are installing software from another source than the app store. I will go even further, I am quite sure that a good percentage of Mac users never use any other software than an internet browser.
I think that you are also going to find that shops with any significant percentage of Macs that the shared services are run on Linux and not Windows. In a Windows-only shop you can basically get complete control once you pop the PDC, but in a blended/hybrid setup you are unlikely to be able to make quick lateral traversal to the servers that you would need to compromise to make the effort lucrative.
FWIW, I would bet that 25% or more of all enterprise Macs are also going to be running homebrew and a ton of standard unix software.
> I am quite sure that a good percentage of Mac users never use any other software than an internet browser.
Is that based on anything much, or is that just a bit of prejudice? Where I work it's the PCs that are used as basic e-mail/word/browser machines - the Macs are used by people who are doing a bit more.
I'm not sure why a reply disappeared here, but I feel like reaffirming its late content:
> The strength of Apple products is to be perceived as a higher value thanks to design and marketing. People would buy a Gucci t-shirt for $300, it's also particularly expensive for a t-shirt. At this point people don't buy the product for its intrinsic value, but for status and perceived value.
While the brand always commands a premium (Gucci, Apple, etc.) the comparison is unfair. Fashion is all about image, not functionality so a Gucci t-shirt is for all intents and purposes a regular t-shirt with a Gucci logo (or worse [0]). In tech most companies do struggle to bring something all of their own. Apple in particular does an above average job at this: dedicated OS, dedicated CPUs, dedicated various other chips (like the T, W, U chips). Saying it's only a logo is disingenuous.
I agree there are uncountable negatives as an Apple consumer, but I'm not sure they are any greater in number than the uncountable negatives of being a Windows consumer - and I kind of like Windows. Or for that matter if you're not a developer the uncountable negatives of Ubuntu.
Ubuntu desktop... I tried multiple times across multiple decades, I've given up.
Not sure what Windows issues exist outside licences disappearing upon reformatting. But that's still exponentially cheaper to fix than any Apple product.
>Not sure what Windows issues exist outside licences
well, perhaps not for you and I guess not really, in my experience, for me, but I have noticed that the population at large seems to suffer recurrent damage related to some ancient decisions made regarding Windows security.
Lol. I remember when the iMac Pro was released at $4999, and many said they could build their own for a fraction of the cost, and it turned out the parts alone were $4500. Without design, packaging, and warranty.
>>> IMO the better question is why the hell attackers targeting macOS haven't been doing this until now (if we take their word for it).
They've been doing it for a while. Mac has been the platform with the most malware for the past year or two. It's outclassed Windows.
Adware is more widespread (changing browser homepage, injecting ads, paid popups), I think it makes more money on a regular basis than bricking laptops.
Another security issue for a company that advertises its security and privacy as being useful for even the most uneducated user.
I know people talk about finance classes in schools, but I think we urgently need marketing classes. Companies have entire departments learning how to exploit your psychology and if you haven't seen the basics of marketing, you are ripe for pickings.
> For your Mac to become infected, you would need to torrent a compromised installer and then dismiss a series of warnings from Apple in order to run it
The people getting infected are the people that are knowingly bypassing all of the security measures Apple put in place to protect the uneducated users.
Those measures (and bypass methods) can be improved to more loudly tell the user of what could happen, and the risks associated though. Them being there doesn't mean they can't be improved. A ton of these malware types have come out long after these messages were (possibly arbitrarily) designed and written. I've heard of changes with Windows Defender in this respect (to more accurately reflect current threats like ransomware) but I haven't heard of Apple doing anything similar.
Doesn't this seem more like an advertisement for Apple's approach to security and loading apps?
If a user stays in the Mac App Store, or just doesn't bypass various warnings and macOS security mechanisms, they won't be susceptible to this malware.
Not that mac security mechanisms are perfect, but this is among the ones they protect you from.
> I know people talk about finance classes in schools, but I think we urgently need marketing classes.
We had these in elementary school. Endless drills from the nuns about fact vs. opinion in things we read.
But that was back in the ignorant, backwards days when schools still taught geography, home economics, Latin, civics, theology, philosophy, and spelling.
/I can diagram a sentence in my mind as you speak it.
No surprise that ransomware makers are now shifting their focus to Mac OS devices.
From my observations, most people who buy Macs tend to have good finances, and are probably more likely to pay a ransom (and at a higher price) than most of the people who use Windows or Chromebook users.
"My current gut feeling about all of this is that someone basically was designing a piece of Mac malware that would give them the ability to completely remotely control an infected system. And then they also added some ransomware capability as a way to make extra money."
Honestly I kind of feel like the opposite is probably true. The ransomware is the primary money maker and the backdoor stuff is there just in case there is something interesting to extract if the main money play doesn't net you anything.