New security features such as Gatekeeper and XProtect are simple to bypass and gaining persistence on a Mac isn't much of a challenge:
Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosiing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial.
"Gatekeeper doesn't verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," Wardle said in a talk at the RSA Conference [in San Francisco] Thursday. "It only verifies the app bundle."
Backing up Gatekeeper is XProtect, Apple's anti-malware system for OS X. Malware isn't a massive problem for OSX, but there definitely are some well-known families out there, with more being created all the time, Wardle said. Getting past XProtect turns out to be just as simple as bypassing Gatekeeper. Wardle found that by simply recompiling a known piece of OS X malware, which changes the hash, he could get the malware past XProtect and execute it on the machine. Even simpler, he could just change the name of the malware, which also lets it sneak in under the fence.
More coverage, including pretty graphics, on ZDNet.
(Score: 2) by Aichon on Saturday April 25 2015, @08:26PM
I believe it works the same way, but don't quote me on that.