Newsmaker Interview: Patrick Wardle Talks Apple Malware Flubs and Successes

Researcher brings Apple down to earth, addressing Mac malware questions and the company’s smart moves to bolster security.

Patrick Wardle is the chief research officer at Digita Security and founder of Mac security company Objective-See. For years, the self-described “surfer from Hawaii” has been one of the most prolific and respected Mac malware-hunters, uncovering vulnerabilities affecting the macOS platform as well as researching malware samples targeting Mac machines. He is also known for his open-source security tools to protect Mac users.

Threatpost sat down with Wardle to talk about his recent research on macOS headaches, such as QuickLook, I Am Root and Fruitfly. He also discusses the evolution of malware that increasingly targets the Apple universe.

TP: What are the new trends in macOS malware?

Wardle: Though Mac malware isn’t overly prolific, we are seeing some interesting trends affecting Apple’s self-described Garden of Eden. Besides ever-more-invasive (and annoying) adware targeting macOS, there is definitely an increase in cryptomining malware.

TP: What accounts for the uptick in these types of malware on the macOS platform?

Wardle: Hackers and cybercriminals are largely driven by financial gain. Due to its prevalence, Windows has long been the main target of such malicious adversaries and their malicious creations. However, as Macs become ever more pervasive, so has Mac malware.

In many cases, we now see hackers porting their existing Windows malware to target the Mac platform. Or, recompiling their code to utilize cross-platform frameworks. Added to this, a lot of adware is browser-based, which is inherently rather cross-platform.

Sticking with the trend of financial motivations, there is also a clear rise in macOS cryptominers — or malware that installs itself persistently with the (single) goal of using one’s computer to mine cryptocurrencies.

TP: We are hearing more about nation-state attackers targeting Apple devices with things such as Dark Caracal malware and GrayKey iPhone unlocker tools. Same question, why the recent interest in the macOS? 

Wardle: I think that’s honestly something that we just don’t have good insight into.

The problem — and this is kind of a general critique of Apple — is that something like the iPhone is very locked down, which is good for the average user. But at the same time, when you have such a black box it’s something that you can’t easily analyze — for example, running a debugger or process monitor to uncover any potential infections.

This is (somewhat ironically) advantageous for an advanced attacker that is able to exploit an iPhone. Think about it this way: If somebody hacked your iPhone, how would you ever know? So, at any given time, we really don’t have a good picture of what the “state of the art” is in terms of what nation-state attackers are up to.

To answer your question about why the recent interest, I personally believe that APTs have been targeting macOS since its inception — or at least since their targets have been using Apple devices. That is to say, APTs are device-agnostic.

APTs will go after their target’s devices, whether it’s Apple or Windows, or anything in between.

TP: How has Apple responded to these trends? 

Wardle: I pick on Apple a lot — sorry! But at the same time, I have to give them a lot of kudos because they hire a lot of really smart people. I think their security team is full of brilliant researchers. They are also proactively building in a lot of new security features into each version of the OS.

I recently gave a talk about abusing synthetic events on macOS, like mouse and keyboard clicks. Hackers can design malware to use the synthetic events to generically bypass many of Apple’s built-in malware mitigations. Apple’s latest OS, macOS Mojave, basically shuts down this attack vector by blocking synthetic events.

So, Apple is clearly paying a lot of attention to what external security researchers are talking about at conferences, as well as what malware is exploiting [the platform], and then taking steps to mitigate this. Couple this with the in-house security mechanisms that are now being built into macOS, and the security of the OS is trending in the right direction.

TP: So where do things break down with Macs? How do we get these obvious bugs such as I Am Root and High Sierra’s “show hint” bug, and more recently, QuickLook?

Wardle: As noted, Apple’s security is trending in the right direction, but they are definitely struggling in some areas. Their new security features are very powerful, but many have significant weaknesses or even an Achilles’ heel.

For example, Apple has rolled out something called “user-approved kernel extension loading.” The idea was to prevent malware from programmatically installing signed kernel extensions [to prevent an exploit from performing unsigned code execution in the context of the kernel].

Apple’s Achilles’ heel in this instance was that they didn’t protect a security prompt (i.e., the popup that asked the user to click “Allow”). I found a simple way to generate a synthetic event that clicks the Allow button – which completely undermined this security feature.

So, while their new security feature in theory was very powerful, in reality it had a huge weakness which made it essentially useless. Unfortunately, we see Apple do this time and time again… stay tuned.

TP: How does Apple miss these bugs? 

Wardle: I think internally there may be some political issues at play that I can’t really speak to. But from a pure security point of view, it’s just mind-blowing that Apple has not done more to try to encourage external help – [such as] perhaps opening a Mac bug-bounty program.

Operating systems are incredibly complex pieces of software. Attackers or offensive cybersecurity researchers have the easy job. We just have to find one small flaw. Apple, on the other hand, basically needs 100 percent security 100 percent of the time.

To Apple, usability and deadlines often trump security — no, really! So, products or patches may be shipped that haven’t been audited or tested as well as they should be, allowing rather obvious bugs to slip through. More proactively engaging the external research community to help analyze this code or products, IMHO, would clearly benefit Apple.

TP: Is it Apple hubris that gets in Apple’s own way when it comes to these types of vulnerabilities, or with security in general?

Wardle: Ha, this is a rather loaded question! Here’s a story that may shed some insight into this:

Recently I gave a talk about a nasty piece of Mac malware named Fruitfly. This malware had managed to stay under the radar for over a decade, predominantly targeting Macs. It was capable of remotely taking complete control of a targeted computer, including the webcam, screen, keyboard and mouse.

The FBI got involved and eventually captured a guy who allegedly created that malware for really perverse purposes – such as spying on children through their Macs.

After my talk, I heard Apple wasn’t too happy. My immediate concern was that somehow I had said too much, perhaps about the victims or something else that had jeopardized the ongoing FBI investigation.

It turns out that no, that was not the case at all. Instead, Apple was concerned about the talk simply because of its message and the media coverage of this malware. Apparently, they saw it tarnishing their (perceived) pristine image. As Apple saw the threat as being wholly contained, they saw no reason for this story about the malware to “be news.”

Of course, I completely disagreed. The fact that children were being spied on via their Mac computers — for over a decade — is something that parents should be aware of. If we don’t discuss such threats, with the aim of educating the general public, users may remain oblivious.

Sorry Apple, but here, ignorance is not bliss!

This being said, I do really appreciate their recent approaches to security, such as hiring a ton of top security talent and proactively mitigating issues. But, as with anything, there is still a lot of room for improvement.

And of course, let’s never forget that first and foremost Apple is a corporation which by definition means their ultimate goal is profits; which is why – I’m confident – they spend more money on marketing than security.

TP: Here is the disconnect. Apple invests heavily in security research, but we still see glaring holes such as QuickLook and I Am Root that have lingered, unpatched, for years.

Wardle: I think it just comes down to resources and a balance between usability and security.

Unfortunately, contrary to what sometimes Apple claims, I think it’s more important for them that the user experience is enjoyable, versus the device being fully secure. When the two are in conflict, usability too often trumps security.

They know Mac users care about security. But they also know that 99 percent of users just want their Macs to work. I think they’ve done the math, and when they stumble on a potential security issue like QuickLook, they may have other usability or security priorities.

The risk calculation is probably, “Okay, until we get some really bad press, let’s fix these other issues or bugs first.”

To be fair too, any operating system is going to have bugs. So, we can’t give Apple too much grief! Now if they screw up a patch — that’s rather inexcusable!

TP: What can change that attitude? 

Wardle: I can see a lot of value in a Mac bug-bounty program (not just one for iOS). It would just encourage more people to poke on the platform and find these rather “shallow” vulnerabilities.

All operating systems are incredibly complex. Whether you’re Apple or Microsoft, we can’t expect anyone to find everything.

Microsoft realized this back in the late 90s and early 2000s, where they basically went out and hired hackers, hacker groups and security researchers that were consistently hacking into Windows. They also launched a bug-bounty program.

Microsoft realized, relatively early on, that any operating system is going to have bugs. So anything a company can do to encourage people to find bugs and report bugs is going to be the thing that benefits the end user the most.
