A new macOS malware variant reportedly borrowed an encryption scheme from Apple’s security tools to evade antivirus detection for over two months. Researchers at cybersecurity firm Check Point revealed last week.
Mainstream media outlets were quick to pick up on the news. forbes Warnings of “real and present danger” and new york post It cited Check Point about how over 100 million Apple users could become “prey.”
However, one Apple security researcher argues that the situation may be more of an exaggeration than a threat.
“There’s nothing special about this particular sample,” said Patrick Wardle, CEO of endpoint security startup DoubleYou. decryption In an interview via Signal.
The malware appears to target “software-based cryptocurrency wallets” and is still a cause for concern, but Wardle claims it has received excessive media attention.
The malware, named Banshee, operated as a $3,000 “steal-as-a-service” operation by targeting cryptocurrency wallets and browser credentials. The effort came to an abrupt end last November when the developers shut down the malware’s source code after it was leaked to an underground forum.
What sets Banshee apart is that it cleverly mimics Apple’s XProtect antivirus string encryption algorithm, allowing it to operate undetected from late September until November 2024.
This tactic helped them get past security tools while targeting cryptocurrency users through malicious GitHub repositories and phishing sites. analyze Check Point explains.
While the evasion techniques display sophistication, Wardle explains that the core theft functionality is relatively basic.
Wardle said this characterization misses important technical context.
“XOR is the most basic type of obfuscation,” he explains, referring to the encryption method used by Apple and Banshee. “The fact that Banshee used the same approach as Apple is irrelevant.”
In particular, Wardle claims that the latest versions of macOS already block these types of threats by default. “By default, macOS will block most malware,” he says. “There is essentially no risk to the average Mac user.”
Wardle, who previously worked as a security researcher at the US National Security Agency (NSA), said: Recent changes macOS security affects how software running on your device is signed, or “notarized“(In Apple’s technical terms).
While more sophisticated threats such as zero-day exploits exist, Wardle suggests focusing on fundamental security practices rather than specific malware variants.
“There is always a trade-off between security and usability,” he said. “Apple follows that line.”
This case highlights how security threats can be misrepresented to the public. This is especially true when technical nuances are lost in translation.
“There is sophisticated malware out there (…),” Wardle said. “This is not one of them.”
Edited by Sebastian Sinclair
daily report newsletter
Start your day today with top news stories, original features, podcasts, videos and more.