Patrick Wardle, director of research at security firm Synack, told Ars Technica that once Gatekeeper okays an approved app, it pays no more attention to what that app does. The approved app can then launch other apps, and Gatekeeper does not check those.
Wardle has found a widely available binary that’s already signed by Apple. Once executed, the file runs a separate app located in the same folder as the first one […] His exploit works by renaming Binary A but otherwise making no other changes to it. [He then] swaps out the legitimate Binary B with a malicious one and bundles it in the same disk image under the same file name. Binary B needs no digital certificate to run, so it can install anything the attacker wants …
In other words, all someone needs to do is identify the same app Wardle found (or others with the same capability), rename it and then bundle it with a renamed malicious app. A similar method also works with plugins: find an app that loads plugins, substitute your malware for one of those plugins and again Gatekeeper pays no attention.
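The weakness described above is that Gatekeeper verifies the first binary and then ignores whatever else lives in the same disk image or bundle. As an added illustration from the defender's side (this is not code from the article, from Ars Technica or from Wardle), the Python below walks a downloaded bundle or mounted disk image, recognises Mach-O files by their magic values, parses their load commands and reports every image that carries no LC_CODE_SIGNATURE load command at all: an unsigned helper binary or plugin sitting next to a signed launcher is exactly the file Gatekeeper never looked at. The Mach-O constants and layout are the real ones; the two build_* helpers fabricate minimal Mach-O images (assumed, constructed test data) only so the check can be exercised offline. Presence of a signature command is an inventory signal, not proof of a valid signature, so on a real Mac the flagged files should be followed up with codesign --verify.

```python
import os
import struct
import sys

# Real Mach-O magic values (thin, 32/64-bit, both byte orders) and the fat container magic.
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
FAT_MAGIC = 0xCAFEBABE
LC_CODE_SIGNATURE = 0x1D  # load command pointing at the embedded code signature blob


def _has_code_signature_slice(data, offset=0):
    """Return True if the thin Mach-O image starting at `offset` lists LC_CODE_SIGNATURE."""
    magic = struct.unpack_from(">I", data, offset)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = ">"          # stored big-endian
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = "<"          # stored little-endian (Intel Macs)
    else:
        raise ValueError("not a thin Mach-O image")
    header_len = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28
    ncmds = struct.unpack_from(endian + "I", data, offset + 16)[0]
    pos = offset + header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "II", data, pos)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            return True
        pos += cmdsize
    return False


def mach_o_slices(data):
    """Return offsets of the thin images inside `data` (one for thin, several for fat), or [] if not Mach-O."""
    if len(data) < 8:
        return []
    magic = struct.unpack_from(">I", data, 0)[0]
    if magic == FAT_MAGIC:  # fat headers are always big-endian
        nfat = struct.unpack_from(">I", data, 4)[0]
        return [struct.unpack_from(">IIIII", data, 8 + 20 * i)[2] for i in range(nfat)]
    if magic in (MH_MAGIC, MH_CIGAM, MH_MAGIC_64, MH_CIGAM_64):
        return [0]
    return []


def classify(data):
    """'not-macho', 'signed', 'unsigned' or 'malformed'; a fat file is 'signed' only if every slice is."""
    try:
        slices = mach_o_slices(data)
        if not slices:
            return "not-macho"
        return "signed" if all(_has_code_signature_slice(data, off) for off in slices) else "unsigned"
    except (struct.error, ValueError):
        return "malformed"


def audit_bundle(root):
    """Walk a bundle or mounted image and map each Mach-O file (relative path) to its verdict."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            verdict = classify(data)
            if verdict != "not-macho":
                findings[os.path.relpath(path, root)] = verdict
    return findings


def build_thin_macho(signed, little_endian=True, is64=True):
    """Constructed test data: a header plus one empty segment command, optionally LC_CODE_SIGNATURE."""
    endian = "<" if little_endian else ">"
    if is64:
        cmds = struct.pack(endian + "II", 0x19, 72) + b"\x00" * 64  # LC_SEGMENT_64 shell
    else:
        cmds = struct.pack(endian + "II", 0x01, 56) + b"\x00" * 48  # LC_SEGMENT shell
    if signed:
        cmds += struct.pack(endian + "IIII", LC_CODE_SIGNATURE, 16, 0, 0)  # cmd, size, dataoff, datasize
    magic = MH_MAGIC_64 if is64 else MH_MAGIC
    header = struct.pack(endian + "IIIIIII", magic, 0x01000007, 3, 2, 2 if signed else 1, len(cmds), 0)
    if is64:
        header += struct.pack(endian + "I", 0)  # reserved field of mach_header_64
    return header + cmds


def build_fat(images):
    """Constructed test data: wrap thin images in a fat container (big-endian header, as in the real format)."""
    header_size = 8 + 20 * len(images)
    out = struct.pack(">II", FAT_MAGIC, len(images))
    blobs = b""
    for img in images:
        out += struct.pack(">IIIII", 0x01000007, 3, header_size + len(blobs), len(img), 0)
        blobs += img
    return out + blobs


if __name__ == "__main__":
    # Usage: python audit.py /Volumes/SomeDownload  (a mounted disk image or .app bundle)
    for rel, verdict in sorted(audit_bundle(sys.argv[1]).items()):
        print(f"{verdict:9} {rel}")
```

The walk deliberately covers every file rather than just Contents/MacOS, because helpers and plugins commonly live under Frameworks, PlugIns or Resources; a fat file is reported as unsigned if any one architecture slice lacks the signature command, since that is the slice a loader could pick.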
Wardle is not revealing the name of the app, but suspects that there are others out there.
“If I can find it, you have to assume groups of hackers or more sophisticated nation states have found similar weaknesses,” he said. “I’m sure there are other Apple-signed apps out there” that can also be abused to bypass Gatekeeper.
Wardle says that he reported the vulnerability to Apple more than 60 days ago, and Apple confirmed to Ars Technica that it is working on a patch.
Apple made unspecified changes to Gatekeeper a year ago, requiring developers to re-sign and re-upload apps.