How to avoid Mac malware by using Gatekeeper and common sense

Two new attacks on Mac users and a coming change in macOS Sierra show that educating users beats malware.


The best weapon against Mac malware is your mind: recognizing the key aspects of illegitimate software, and configuring your Mac correctly, go a long way toward avoiding a takeover. We’ve seen two new examples of OS X malware in the last week—Backdoor.MAC.Eleanor and OSX/Keydnap, both of which are blocked from executing unless a Mac’s settings are too liberal. The ability to set a Mac to be vulnerable is about to change for the better in macOS Sierra, too.

And, as I’ve written about here before, the problem with malware typically isn’t you, a reader of a column that addresses security and privacy. Rather, it’s the behavior of all the people you know who aren’t techies, but computer users—sometimes very naive ones, no matter whether they’re 5, 35, or 95 years old.

Apple has a burden of education, as do software developers as a whole, because while malware isn’t a problem of their making, it’s something that affects their customers and may deter people from buying third-party software whether in or out of the Mac App Store. (I wrote a few months ago that developers needed to switch entirely to HTTPS delivery of websites and file downloads to reduce man-in-the-middle software hijacking, for example.)

But each of you reading this column can also help educate those who turn to you for Mac advice on how to configure their Mac, how to avoid executing malware, and how to be generally less credulous. Many people trust whatever a website or downloaded software says, and that’s a bigger risk than OS exploits.

The power is within you

Some malware you can do nothing to avoid. That’s largely software that exploits a vulnerability in the operating system to install itself without any prompt or verification. Against that kind, you have to rely on quick discovery by researchers or by the maker of the operating system, followed by a patch.

Apple has in its back pocket XProtect, a list of “signatures” that identify known malware and block it from executing when a downloaded file is opened. XProtect works alongside Gatekeeper, which restricts how apps and other components run in macOS, and Apple updates it silently. (Intego tracks these updates; Apple doesn’t publish release notes for them.)

But attack software like the two examples from this last week requires people to overcome blocks put in their way in order to become infected.

Backdoor.MAC.Eleanor is a Trojan horse distributed under the name EasyDoc Converter. As my colleague Lucian Constantin noted, it’s “distributed as a file converter application through reputable websites that offer Mac software,” but actually does nothing. I’ve warned before about downloading software from any site but that of the developer, especially since many download sites now package software inside of installers that also install adware or other unwanted apps.

The vector of distribution for OSX/Keydnap is unknown, but it arrives in the form of a ZIP archive that has to be extracted, and then a file inside must be double-clicked to launch.

Neither app is signed with a valid Apple developer certificate. Apple lets anyone who pays the annual fee join the developer program and sign apps with a Developer ID certificate without Apple reviewing the software; review is required only to sell or distribute through the Mac App Store (MAS). Gatekeeper checks that signature, not the app’s behavior, so a valid signature only tells you who is accountable for the code.

Unsigned apps can launch in only one of two ways. The first is by right-clicking the app after it’s downloaded, selecting Open from the contextual menu, and then agreeing to launch the app even though it’s from an unidentified developer. This only has to happen the first time: Gatekeeper records the approval by rewriting the quarantine extended attribute that the browser or mail client attached to the download, and doesn’t ask again. The second is if the Security & Privacy system preference pane’s General tab has Allow Apps Downloaded From set to Anywhere. In almost all cases, Mac App Store and Identified Developers is the correct setting.
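Because Gatekeeper only evaluates files that carry the quarantine attribute, and that attribute also records which app downloaded the file and when, it is the first thing to inspect on a Mac someone suspects was tricked into opening something. The script below is an added example for this column, not Apple’s tooling or anything from the malware reports: it decodes the `com.apple.quarantine` value in its well-known `flags;timestamp;agent;uuid` layout (hex flags, hex seconds since the Unix epoch), and on a Mac reads it off a file with the stock `xattr` command. The sample values and the agent names in them are constructed, and Apple does not document the meaning of the individual flag bits, so the code reports them as a number rather than interpreting them.

```python
"""Decode the com.apple.quarantine extended attribute that Gatekeeper consults.

Added example for this article, not Apple code. Assumes the documented-by-
observation field layout "flags;timestamp;agent;uuid" with flags and the
timestamp written in hex.
"""
from __future__ import annotations

import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass(frozen=True)
class Quarantine:
    flags: int                 # hex bitfield; Apple does not document the bits
    downloaded_at: datetime    # when the downloading agent tagged the file
    agent: str                 # app that wrote the file, e.g. "Safari"
    event_id: Optional[str]    # UUID keyed to the LaunchServices quarantine db


def parse_quarantine(value: str) -> Quarantine:
    """Parse a raw attribute value such as '0081;5785a1d2;Safari;<UUID>'."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine format: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    event_id = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, downloaded_at, agent, event_id)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Return the parsed attribute of a file on macOS, or None if it has none.

    Shells out to `xattr -p` because CPython exposes os.getxattr only on
    Linux. A file without the attribute was never quarantined, which means
    Gatekeeper will not evaluate it when it is launched.
    """
    if sys.platform != "darwin":
        raise OSError("com.apple.quarantine only exists on macOS")
    proc = subprocess.run(
        ["xattr", "-p", QUARANTINE_ATTR, path],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:   # xattr exits non-zero when the attribute is absent
        return None
    return parse_quarantine(proc.stdout)


def describe(q: Optional[Quarantine]) -> str:
    """One-line summary an analyst can paste into notes."""
    if q is None:
        return "no quarantine attribute: Gatekeeper will not assess this file"
    when = q.downloaded_at.strftime("%Y-%m-%d %H:%M:%S UTC")
    return f"downloaded by {q.agent} on {when} (flags 0x{q.flags:04x})"


# Constructed sample values, not captured from a real machine.
SAMPLE_SAFARI = "0081;5785a1d2;Safari;2A3B9C7E-1D5F-4E6A-B8C0-9D1E2F3A4B5C"
SAMPLE_NO_UUID = "0001;5785a1d2;Firefox;"

if __name__ == "__main__":
    for raw in (SAMPLE_SAFARI, SAMPLE_NO_UUID):
        print(describe(parse_quarantine(raw)))
    if len(sys.argv) > 1:          # e.g. python3 quarantine.py ~/Downloads/EasyDoc.app
        print(describe(read_quarantine(sys.argv[1])))
```

To see what Gatekeeper itself concludes about a downloaded app, pair this with the built-in tools: `spctl --status` reports whether assessment is enabled at all, `spctl --assess --type execute -vv /path/To.app` prints whether the bundle would be allowed to launch and which signing authority it traces to, and `xattr -p com.apple.quarantine /path/To.app` shows the raw attribute the script decodes.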


Gatekeeper worried developers and veteran Mac users when it first appeared in OS X Mountain Lion, as it seemed to herald a day when the only choice would be the third setting, which launches apps from the MAS alone. That setting is valid if you’re administering a computer for someone else and want to prevent them from accidentally installing software outside the ecosystem, for security or other reasons.

In macOS Sierra, the Gatekeeper option has been simplified: Anywhere is gone from the preference pane, leaving only Mac App Store and Mac App Store and Identified Developers. (The underlying setting still exists; an administrator can restore it from Terminal with sudo spctl --master-disable, but nobody will flip it by accident.) Unsigned apps can still be launched with the right-click sequence described above, and requiring that step for every such app reduces the odds of someone disabling the protection wholesale. El Capitan raised the stakes in a different way through System Integrity Protection, which makes it nearly impossible for software, even running as root, to modify the contents of many system files and folders, again reducing the chance for a small mistake to turn into a colossal blunder.

Some colleagues say that in their particular disciplines or industries, many developers of useful utilities (some rarely updated, but still working) never bother with Apple’s signing system and so distribute their apps unsigned. While it’s always hard to complain about people generously giving away software, they’re contributing to the overall risk by training users to open unknown packages.

The takeaway lessons

Two pieces of Mac-focused malware in a week is a rare occurrence, and it may foretell nothing at all. While there are many criminal syndicates and independent developers creating software to infiltrate computers, mobile devices, and networks, the high bar that Apple has set keeps it from being low-hanging fruit for attackers.

But it’s also a sign of something that I and many others have warned about for years. The Mac isn’t immune; it’s just resistant. Its minority share of the computer marketplace, coupled with rapid upgrades by most owners to newer versions of the operating system, hasn’t made it profitable enough to target. That may have changed, and it may become more routine to see malware of the kind that requires our involvement to install.

If you want some advice to give others, here are the salient takeaways:

  • Never download software from any site but that of the software developer who created it.
  • Keep OS X El Capitan and earlier releases’ Gatekeeper set to only launch Mac App Store downloads and those by identified app developers.
  • Never use right-click and Open to force an app past Gatekeeper. If you do, don’t bypass the warning that it’s from an unidentified developer.
