Gatekeeper is a security feature of macOS designed to ensure that only trusted software runs on the Mac. However, this application-verification feature has a security vulnerability that can be used to distribute a malicious installer package called “OSX/Linker”.
When you install Mac apps, plugins, and installer software from outside the App Store, macOS checks the Developer ID signature and notary status to verify that the software is from an approved developer and has not been altered. With macOS Mojave, developers can also let Apple notarize their apps, which means the app has been uploaded to Apple and passed security checks before distribution.
The vulnerability was first discovered by security researcher Filippo Cavallarin, and it leverages two features of the Mac: automount and Gatekeeper. As reported by Tom’s Guide, Gatekeeper routes files downloaded from the Internet through the Apple XProtect anti-virus filter for review, but files that appear to come from a local storage device (one attached via automount) are treated as a trusted channel and do not receive the same detailed review. Cavallarin was able to trick Gatekeeper into treating a downloaded file as if it came from a local disk, bypassing the normal filtering process.
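The two mechanisms described above (the quarantine mark that Gatekeeper uses to decide whether a download must be reviewed, and a downloaded archive that points elsewhere on disk so its contents are never reviewed) can both be checked on the defender's side before anything is opened. The following Python script is an added example and is not code from the article, from Apple, or from the researcher. It assumes the `com.apple.quarantine` attribute value has the layout `flags;hex-timestamp;agent;uuid` that the `xattr` tool prints on macOS, and it builds a constructed zip archive in memory (with a symlink member pointing at an absolute path, labelled as an example) so that it runs on any platform without network access.

```python
import io
import stat
import zipfile
from datetime import datetime, timezone


def parse_quarantine_attr(value):
    """Decode a com.apple.quarantine value such as "0083;5ce6f5a0;Safari;UUID".

    Assumed layout (matches what `xattr -p com.apple.quarantine` prints):
    hex flags, hex download timestamp, downloading agent, optional UUID.
    A file *without* this attribute is the interesting case: Gatekeeper
    will not route it through the download review path at all.
    """
    parts = value.split(";")
    if len(parts) < 2:
        raise ValueError("not a quarantine attribute: %r" % value)
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return {
        "flags": flags,
        "downloaded_at": downloaded_at.isoformat(),
        "agent": parts[2] if len(parts) > 2 else "",
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def _escapes(path):
    """True if a path is absolute or climbs out of its directory with '..'."""
    return path.startswith("/") or ".." in path.split("/")


def audit_archive(zip_bytes):
    """Return (member, reason) findings for archive members that reach
    outside the extraction directory. Symlink members are the important
    case: a link to a location elsewhere on disk means the bytes that are
    eventually executed were never inside the quarantined download.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if _escapes(info.filename):
                findings.append((info.filename, "member path escapes extraction directory"))
            # Unix mode bits live in the high 16 bits of external_attr.
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                if _escapes(target):
                    findings.append((info.filename, "symlink points outside archive: " + target))
    return findings


def build_sample_archive():
    """Constructed test input: one harmless file plus one symlink member
    whose target is an absolute path (example path, not a real location)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Installer/README.txt", "harmless text")
        link = zipfile.ZipInfo("Installer/Payload.app")
        link.external_attr = (stat.S_IFLNK | 0o755) << 16  # mark member as a symlink
        zf.writestr(link, "/Volumes/example-constructed/Payload.app")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attribute value, as it might appear on a Safari download.
    print(parse_quarantine_attr("0083;5ce6f5a0;Safari;00000000-0000-0000-0000-000000000000"))
    for member, reason in audit_archive(build_sample_archive()):
        print("FLAG", member, "-", reason)
```

On a real Mac the attribute is read with `xattr -p com.apple.quarantine <file>` and the value passed to `parse_quarantine_attr`; a download with no attribute at all, or an archive that `audit_archive` flags, should be treated as something Gatekeeper cannot vouch for rather than as a trusted local file.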
Cavallarin said that he reported the issue to Apple in February this year and published the details on May 24, but it has not been fixed. The OSX/Linker malware that exploits it attempts to hijack the Mac, allowing the computer to be used for any malicious activity, including cryptocurrency mining and data theft.