SecureMac, Inc.

Checklist 82: Security threats targeting macOS and iOS

March 29, 2018

Malware and vulnerabilities have roared in early in 2018. On this week’s Checklist by SecureMac, three hazards and two helpers about which you should know.


In every respect, 2018 has hit the ground running at a breakneck pace when it comes to new security threats targeting macOS and iOS — and it shows no signs of letting up yet.

We’re a third of the way into the year now, but it was only a few short months ago when we were looking back at the status of Apple’s security progress and pitfalls from 2017. Back then, we had so many items to cover from the past year that we ended up splitting it into two parts. (Hit the archives for episodes 71 and 72 if you missed them or would like a recap.) It might seem early to consider it now, but it already looks like our 2018 “year in review” could end up running even longer than that!

It’s not all bad news, though — we’ve got some new security tools on hand to help us push back against the malware onslaught. On today’s edition of The Checklist, we’re covering some of the most recent emergent threats for Apple users alongside some cutting-edge tools that can equip your Mac with a welcome defensive edge.

On today’s list:

  1. Coldroot
  2. Shlayer
  3. Cryptocurrency mining app found in the Mac App Store
  4. Meet LuLu, an open-source outbound firewall app
  5. Mozilla locks Facebook in a box

We’ll kick things off with a look at a devious piece of malware that flew under the radar for a few months.

Coldroot
The story here starts back in the middle of February, when well-known Apple security researcher Patrick Wardle was investigating some older malware attack methods (which Apple has since fixed). One of these was an exploit used to gain system privileges without prompting the user to approve or deny access. Often used by keyloggers on the Mac, it was also used by legitimate software — Dropbox used this loophole to establish permissions for itself on the machine. It did this by surreptitiously modifying a special privacy database that macOS uses.

Wardle decided to find out what malware in the wild contained references to this database, to see how widely the technique had been used. He did this by plugging his search parameters into VirusTotal, a massive online collection of malware samples that researchers use to compare and contrast malware and to identify new threats. It’s a resource of major importance, and one used by all the major AV and antimalware vendors.

Most of the results Wardle turned up were keyloggers and other simple items of Mac malware already well known to researchers — but one file in particular stood out. Uploaded to VirusTotal back in January, it wasn’t being detected as malware by any vendor, yet it was clearly suspicious. Its file name, “,” was chosen to make it look like it came from an official Apple download. That wasn’t the case; it was merely a ruse to fool users into believing it was a legitimate file. Exactly how it ends up on a user’s machine isn’t known.

If an unsuspecting user tried to launch the application, they would be presented with a system prompt to authenticate with their Mac’s username and password. After doing so, it would seem like nothing happened at all — the system gives no reaction to your authentication and no further dialog boxes pop up. However, behind the scenes, all kinds of shady things were going on, and now they could occur with the user’s permission.

The first step for the malware: to install a launch daemon, a small program that hooks into the system and guarantees that the malware can relaunch itself even after a reboot. Once that foothold was established, Coldroot would phone home to a command and control server to find out if any further instructions were waiting for it from its master. The controller could then execute several specific commands built into Coldroot, or the malware could follow predetermined instructions.
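The persistence described above, a launch daemon that runs at boot and relaunches itself, leaves a plist on disk that a defender can triage. The following audit script is an added example (not code from the show or from Wardle): it parses launchd plists and flags jobs that both persist and run a program from an unusual location. The plists, paths and the list of trusted directories are constructed assumptions for this example, not Coldroot’s real artifacts.

```python
"""Triage launchd persistence items (LaunchDaemons / LaunchAgents).

A job is flagged when it persists (RunAtLoad or KeepAlive) AND its
program lives outside directories where Apple's own jobs normally live.
The two plists below are constructed for this example.
"""
import plistlib
from pathlib import PurePosixPath

# Assumption: Apple-shipped launchd jobs run programs from these prefixes.
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/",
                    "/usr/bin/", "/Library/Apple/")

# Constructed sample: a hidden, self-relaunching job outside trusted dirs.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/.hidden/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: a job that looks like an ordinary system service.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.exampled</string>
  <key>Program</key><string>/usr/libexec/exampled</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def program_path(job: dict) -> str:
    """Return the executable launchd will run: Program or ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def triage(job: dict) -> dict:
    """Score one parsed plist; 'suspicious' means persistent AND untrusted path."""
    path = program_path(job)
    reasons = []
    if job.get("RunAtLoad"):
        reasons.append("runs at boot/login (RunAtLoad)")
    keep = job.get("KeepAlive")
    if keep is True or isinstance(keep, dict):
        reasons.append("relaunched if killed (KeepAlive)")
    persists = bool(reasons)
    untrusted = bool(path) and not path.startswith(TRUSTED_PREFIXES)
    if untrusted:
        reasons.append(f"program outside trusted dirs: {path}")
    if any(part.startswith(".") for part in PurePosixPath(path).parts):
        reasons.append("hidden path component")
    return {"label": job.get("Label", "?"), "program": path,
            "reasons": reasons, "suspicious": persists and untrusted}


def audit_plists(blobs) -> list:
    """Parse each raw plist (bytes, as read from disk) and triage it."""
    return [triage(plistlib.loads(blob)) for blob in blobs]


def audit_sample() -> list:
    """Run the audit over the two constructed plists above."""
    return audit_plists([SUSPICIOUS_PLIST, BENIGN_PLIST])


if __name__ == "__main__":
    for result in audit_sample():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['label']}: {'; '.join(result['reasons'])}")
```

On a real Mac you would feed `audit_plists` the files under /Library/LaunchDaemons and /Library/LaunchAgents; the heuristic is a triage aid, not a verdict, since third-party software legitimately installs jobs there too.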

The primary focus: logging all your keystrokes and saving them to a hidden file. The rest of its capabilities read like a laundry list of a malware author’s most trusted standbys: discovering your files and directories, renaming them at will, or outright deleting them to cause problems. It could also execute or kill processes at will; send files home to the C&C server or download additional payloads to execute, and more. Coldroot could find out the name of your current window — handy for determining if you’re on a bank’s website or if you’re going shopping on the Web.

The controller could remotely monitor your desktop, too, taking a series of rapid-fire screen captures and sending them in real time back to the C&C server — giving the malware a window into your activities at any moment. Coldroot could even shut down your Mac if it felt like it! If you’re on the latest version of macOS, though, there’s no need to worry about this devious tool that slipped past the antivirus engines. Apple’s additional protections for the security database now mean that this malware won’t successfully execute at all, but it isn’t the only new threat we’ve seen come up in recent months.

Shlayer
It must have been a busy winter for malware authors — maybe all the snow kept them focused on pet projects! Right after Patrick Wardle uncovered Coldroot, security researchers from the firm Intego discovered another new item of malware in early February. Named Shlayer, it was initially found spreading through malicious pop-up ads on file sharing websites, and it uses a classic tactic for malware that targets the Mac.

It was disguised as an important update to Adobe Flash Player, something longtime listeners of The Checklist will recognize from many of our past stories. It’s a common tactic because Flash is a common piece of software, and it’s very easy to trick the average user into clicking on and running a fake update.

At first glance, it’s easy to think this type of threat could never bother you if you aren’t pirating software or using file sharing websites to hunt down copyrighted material. While Shlayer was being distributed through malvertising on these shadier sites, that’s no guarantee it didn’t appear elsewhere as well. As we know from past malvertising campaigns, there are plenty of places where bad actors can work to slip their malware in through an ad.

Once run, Shlayer uses shell scripts: an automated way of executing command line instructions without the need to open the Terminal app. In other words, it all takes place in the background and out of sight. Once Shlayer begins running these scripts, it downloads several other known malware threats and bundles in some good old-fashioned adware as well.

During their research, Intego uncovered three distinct variants of Shlayer, designed to keep the malware operating in the wild for longer by linking to three separate Apple Developer IDs. Recall from some of our previous episodes that DevIDs are used by Apple to sign code, verify its authenticity, and provide for more ability to run on a macOS machine unchallenged.

Malware authors often pay for legitimate DevIDs with false credentials to distribute malware or use stolen IDs to bypass restrictions. Not only were the authors relying on spreading their risk of detection between three IDs, but they were also using at least seven different web domains to communicate with the malware. Though Shlayer should not be a major threat to most users, it’s just another trend we’re seeing towards basic malware threats growing in number and sophistication on macOS.

So, with threats still on the rise, how can we protect ourselves and avoid Flash Player fakes such as Shlayer? The most straightforward solution may seem like a scorched earth tactic, but it’s not so serious an issue these days: just don’t use Flash Player at all unless there is a bona fide reason to keep it installed. Most of the web has moved away from using Flash, and more sites transition away from it every year. In fact, Adobe itself has said that they expect to complete Flash’s end-of-life transition by the tail end of 2020, after which point it will receive no more updates—and updates have been the life support keeping Flash clinging on to the Internet for years already!

Adobe’s Flash platform has long been the butt of jokes comparing it to Swiss cheese, and its bug-riddled design has been the open door for hundreds of severe malware infections. In some cases, just having it installed at all was like giving the bad guys a foothold. If you must have it, always ensure you only download and install the official player and its updates directly from Adobe. Never, ever trust pop-up ads insisting you need to update Flash, especially if one appears on a site where you weren’t viewing Flash media anyway.

Using a browser with a built-in Flash Player is also an acceptable move, as the browser’s developers will ensure it is always up to date. Google Chrome is one such browser, but beware: Chrome, Firefox, and most other major browsers are also moving towards phasing out Flash support. Chrome disables Flash by default and prompts the user to run it every time it is encountered, which offers a good middle ground.

Cryptocurrency mining app in the Mac App Store

Next up: we’re back on the topic of cryptocurrency again. It was only a few weeks ago, back in Episode 79, that we spent our time discussing how cryptocurrency miners running in our web browsers were a growing problem. In that episode, we briefly noted that we had yet to see any miners cropping up in the App Store. We weren’t sure, though, whether that was due to Apple’s vigilance stopping the bad guys from getting in, or merely due to a lack of trying. As of this week, we’ve gotten our answer, and, unfortunately, it isn’t the one we would have liked. From the facts available, it looks like Apple wasn’t watching out for miners as closely as you might expect.

The story broke on Ars Technica in early March, when contributor Dan Goodin happened to notice an app, named Calendar 2, was mining cryptocurrency using users’ CPU cycles in exchange for access to premium in-app features that would otherwise have cost money. The interesting thing here is that the developers were completely upfront about the miner’s presence in the app. While Calendar 2 promised to “unobtrusively” mine cryptocurrency, the reality was different.

Even though the app disclosed the miner’s inclusion, there are a few problems to consider here. First and foremost, the App Store terms of service almost certainly prohibit this type of activity in one form or another. All developers must adhere to these terms, and Calendar 2’s team was no exception; you aren’t allowed to break the rules even if you ask users to agree to breaking the rules. Next, this wasn’t an “opt-in” feature. Instead, the developers handed out the “premium” features and enabled crypto mining by default. Users who didn’t want to mine would have to proactively alter the setting, in turn losing access to the features that came initially with the app. This, too, is likely a TOS violation.

Is it any surprise the miner itself was poorly implemented too? For all the promises to be “unobtrusive,” the miner was configured to run continuously, even after a user disabled the setting and opted out. Worse still, the miner ran at maximum capacity, driving some users’ CPUs to 100% and completely slowing down or locking up their machines. The developers likely didn’t intend this behavior, but nonetheless, it made it into the official download.

Ars Technica’s Dan Goodin then contacted Apple for clarity on whether Calendar 2 was violating the TOS. More than a day passed with no comment from Apple and no action taken against the app, and the story went to press. With the news out in the wild, users began to bombard the Calendar 2 app store page with negative 1-star reviews lambasting the shady business practices at play. Soon after, Apple moved to compel the developer to take Calendar 2 down from the Mac App Store.

In their takedown notice, Apple confirmed the developers had violated the Terms of Service, specifically section 2.4.2. That section reads: “Design your app to use power efficiently. Apps should not rapidly drain the battery, generate excessive heat, or put unnecessary strain on device resources.” So, while there is no clear language yet to indicate that mining specifically is an abuse of the TOS, Apple reasons that miners overly tax their devices, and so are not allowed on the store.

The developers of Calendar 2 stripped the miner out of the app and re-uploaded it to the App Store, but they cannot undo the damage from the review barrage, which has left their rating at a weak 1.5 stars. On the other hand, they did generate roughly $2,000 in Monero cryptocurrency before the app was pulled. Do you think it was worth it? With the bad press now linked to their name—certainly not!

LuLu: an open-source outbound firewall app

That covers some of the latest threats and problems we’ve seen since the start of the year, so let’s transition now to discussing some of the ways we can make our Macs safer and improve our online peace of mind. We’ve had a few discussions about firewalls on The Checklist in the past, but for those who’ve missed them, let’s dive into a quick refresher on what firewalls are, what they do, and why they are so important.

Put most simply, a firewall is a type of software (or a special hardware device) that continuously monitors all the network traffic to and from your computer, sort of like a border guard running a customs inspection. A firewall blocks the traffic it classifies as suspicious or malicious, based on a pre-determined set of rules or through “intelligent” algorithmic means. Firewalls can also use rules to allow specific connections. There are two primary types of firewall to know: inbound and outbound. While some firewalls can handle both at once, we’ll treat them separately.

An inbound firewall focuses on connections heading into your machine from outside sources, like a web server sending a request or another computer on your network trying to send data. On the flip side, an outbound firewall checks traffic that originates on your own machine and stops it if it detects it heading to a place it shouldn’t go. Based on its specific rules, an outbound firewall could, for example, block repeated connection attempts from malware trying to phone home to a command and control server, or stop traffic directed at a malicious website.

Every Mac already has an inbound firewall built into macOS, giving you protection from unwanted probes of open ports on your Mac and malicious attempts to connect and send information. That means you’ve got good protection from hackers trying to break in — but what if malware’s already lurking on your machine? That’s where an outbound firewall is most useful, not only because it stops the problem, but because it will alert you to the issue as well. These programs can also let you see what apps are making connections, to where, and how often. That’s often helpful for diagnosing problems and spotting suspicious behavior. However, configuring outbound firewalls can be tricky.

Most of the connections your apps make are harmless and even natural parts of their operation, so outright blocking everything will cause lots of functionality problems. The difficulty in preventing issues is probably why macOS doesn’t come with a built-in outbound firewall. Using the right software makes a big difference, and in the past, we’ve primarily suggested Mac users check out a third-party app called Little Snitch. Today, though, we’re going to talk about the “new kid on the block,” an open-source outbound firewall called LuLu.
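To make the inbound/outbound distinction concrete, the following simulation is an added example (not LuLu’s or Little Snitch’s code) of the two decisions an outbound firewall has to make: per-app rules that allow known-good destinations and prompt for anything unknown, and a check for the repeated phone-home attempts described above. The rule format, process paths, host names and connection records are all constructed for this example.

```python
"""Simulate outbound-firewall decisions plus a beaconing check.

decide()       -> "allow", "block" or "prompt" for one (process, host) pair
find_beacons() -> (process, host, decision) for any process that tries the
                  same host at least min_attempts times within window_secs
All rules and events below are constructed sample data.
"""
from collections import defaultdict

# Assumed rule format: executable path -> list of (host pattern, action).
# "*" matches any host; "*.example.com" matches the domain and subdomains.
RULES = {
    "/Applications/Safari.app/Contents/MacOS/Safari": [("*", "allow")],
    "/usr/bin/curl": [("*.apple.com", "allow"), ("*", "block")],
}

# Constructed connection log: (seconds since start, process path, host).
# The unknown process retries one host every 10 seconds, a typical beacon.
SAMPLE_EVENTS = [
    (0, "/Applications/Safari.app/Contents/MacOS/Safari", "www.securemac.com"),
    (5, "/usr/bin/curl", "swcdn.apple.com"),
    (0, "/Library/.constructed-svc/svc", "c2.example.invalid"),
    (10, "/Library/.constructed-svc/svc", "c2.example.invalid"),
    (20, "/Library/.constructed-svc/svc", "c2.example.invalid"),
    (30, "/Library/.constructed-svc/svc", "c2.example.invalid"),
    (40, "/Library/.constructed-svc/svc", "c2.example.invalid"),
    (50, "/Library/.constructed-svc/svc", "c2.example.invalid"),
    (60, "/Applications/Safari.app/Contents/MacOS/Safari", "www.apple.com"),
    (300, "/usr/bin/curl", "swcdn.apple.com"),
]


def host_matches(host: str, pattern: str) -> bool:
    """Wildcard matching for the rule patterns above."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


def decide(process: str, host: str) -> str:
    """First matching rule wins; no rule for this process means prompt the user."""
    for pattern, action in RULES.get(process, []):
        if host_matches(host, pattern):
            return action
    return "prompt"


def find_beacons(events, min_attempts: int = 5, window_secs: int = 60) -> list:
    """Flag (process, host) pairs with repeated attempts in a sliding window."""
    attempts = defaultdict(list)
    for ts, process, host in events:
        attempts[(process, host)].append(ts)
    flagged = []
    for (process, host), times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_secs:
                start += 1
            if end - start + 1 >= min_attempts:
                flagged.append((process, host, decide(process, host)))
                break
    return flagged


if __name__ == "__main__":
    for ts, process, host in SAMPLE_EVENTS:
        print(f"{ts:4}s {decide(process, host):6} {process} -> {host}")
    print("beacons:", find_beacons(SAMPLE_EVENTS))
```

A real outbound firewall makes the `decide` call at connection time and keeps the "prompt" answers it learns as new rules; the beacon check is the kind of thing its connection history view lets you spot by eye.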

Developed by Patrick Wardle, the same researcher we mentioned at the top of today’s show, LuLu has been around for some time now in “alpha” form, so we haven’t brought it up before. Software in the “alpha” stage is at an early point in its development, and usually only power users and enthusiasts who value “bleeding edge” innovations should try it out. That’s because these early releases often still have their fair share of bugs and aren’t fully polished with all the bells and whistles.

However, LuLu is well on its way to reaching the “beta” stage, the time when final testing and features enter the product. With its most recent updates, LuLu has been much improved behind the scenes and is now much more user-friendly. There is an official installer package with a slick user interface, where previous versions were largely operated through the Terminal. As an open-source project, anyone familiar with coding can view, examine, and suggest improvements to the code. We support such an innovative community endeavor and encourage you to give LuLu a closer look — and keep an eye on it as its development proceeds, too!

Mozilla locks Facebook in a box

If you’ve looked at the news at all lately, it’s tough to ignore Facebook’s presence in the headlines. We just did an entire episode focused on some of the shady behavior the social networking giant has been engaged in, and you can check out all the details for that back in Episode 81. With Congress calling for Zuckerberg’s testimony, advertisers fleeing Facebook, and its market cap taking a hit to the tune of tens of billions of dollars, it’s clear a lot of people are upset with the company — and that includes Mozilla, the developer behind Firefox. They’ve been spurred on to act in a way we think is pretty exciting.

On March 27th, Mozilla made the announcement that they had completed a new extension for Firefox called the Facebook Container. The purpose: to specifically restrict Facebook’s ability to track you and your activity across the web. It does this by simply operating Facebook in its own virtual “container,” similar to the app sandboxing we’ve discussed on previous shows. With this container in place, FB will have a much more difficult time using tracking cookies to accumulate info on your browsing habits.

Installing the extension (which users must opt in to use) deletes all existing Facebook-linked cookies in Firefox, which also logs you out so you get a fresh start. When you go back to Facebook, it launches in its own special “container” tab. You can then log in as normal and use it as you would any other tab. If you click on external links on Facebook, though, they open in a new regular tab that operates outside the container. This keeps the rest of your browsing isolated from Facebook.

If you’re in a regular tab and you click on a “Share” button to post something on your Facebook account, those too go into the special Facebook container. However, be aware that because of the connection with Facebook’s API, your data from that specific interaction will still end up going to their servers, rather than being cut off. So, are there any downsides?

Yes. There are a few things to consider before you rush off to install the extension. If you use your Facebook account to log in to third-party websites or apps to streamline the process, the container could break these connections and render you unable to log in properly. Likewise, embedded comments and “Like” buttons will not work correctly outside of the container tab, but this is a design feature to prevent Facebook from associating your account with visits to other sites.

Perhaps the best part, though, is Mozilla’s own efforts at accountability. In their commitment to user privacy, they’ve promised not to collect any data that originates from within the Facebook Container extension outside of basic usage stats, such as the number of total installations or removals over the entire installation base of Firefox. This overall effort is commendable, and those of us on The Checklist think Mozilla deserves a big “thumbs up” for taking these steps to protect users.

With that, another discussion draws to a close. 2018’s rapid pace for security news shows no signs of slowing down, and you can bet we’ll have plenty more to discuss on these subjects in the coming weeks. What will happen with Facebook’s reputation and how will they respond to the latest privacy crisis? What other new Mac malware is still out there that we don’t yet know about — and what other tools might we be able to start using this year? We’ll monitor the news and bring you another detailed discussion when we return for another episode next week.

We love to hear from our listeners, whether you have questions about a specific threat or topic we’ve discussed or a particular story you’d like us to dissect on the show. Send an email with your questions, ideas, and feedback to get in touch.
