OSX/Linker Malware Exploits macOS GateKeeper

Security researchers have discovered a piece of Mac malware called OSX/Linker that can exploit a zero day vulnerability in macOS GateKeeper.

OSX/Linker

On May 24, security researcher Filippo Cavallarin publicly disclosed a vulnerability in macOS GateKeeper. He had contacted Apple about it, and was told it would be fixed within 90 days, but the company missed the deadline and stopped correspondence. Mr. Cavallrin found that macOS treats apps loaded from a shared network resource are treated differently than apps downloaded via the internet.

By creating a symbolic link (or “symlink”—similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, and then creating a .zip archive containing that symlink and getting a victim to download it, the app would not be checked by Apple’s rudimentary XProtect bad-download blocker.

The simpler explanation: This trick makes it easier for malware to infect a Mac—even if Apple has a built-in signature that’s supposed to protect your Mac from that malware.

He posted a YouTube video demonstrating the GateKeeper bypass:


The team at Intego found the first known attempts to use this vulnerability. Four samples of malware were uploaded to VirusTotal. The first one came from an Israeli IP address, and the rest came from an IP in the United States.

Intego’s blog post has more detail, but right now there isn’t an easy solution unless Apple either patches the vulnerability or you can find antivirus that can detect OSX/Linker.

Further Reading:

[Spotify Anti-Trust Argument Questioned by Apple]

[iOS 13: How to Set Apple Books Reading Goals]

6 thoughts on “OSX/Linker Malware Exploits macOS GateKeeper

  • Probably you’re fine disabling automounting of /net by default via /etc/auto_master.
    That setting is somewhat of an anachronism, mainly useful if you regularly connect to NFS shares from the Finder.
    I wonder if the same issue affects other network shares such as smb, ftp, webdav, afp, etc..
    If I recall correctly there was a similar issue with disk image mounts, where gatekeeper would approve something but then you could maliciously change the image behind its back.

  • Filippo Cavallarin publicly disclosed a vulnerability in macOS GateKeeper… right now there isn’t an easy solution unless Apple either patches the vulnerability or you can find antivirus that can detect OSX/Linker.

    Then he should have acted like an adult and kept it quiet. It might not be, and probably isn’t, a simple fix.

      1. I would say that reasonable amount of time is more than 90 days does anyone really think that Apple doesn’t want to fix this situation as soon as possible.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.