Security features like Gatekeeper are among macOS's most important protection mechanisms. They are designed to prevent malware from running undetected and sensitive data from being leaked. However, a recent report shows that attackers have once again found ways to circumvent these safeguards. A new variant of the MacSync Stealer specifically exploits Apple's notarization process, thus achieving a new level of sophistication in attacks on macOS.
Gatekeeper has been considered an effective first line of defense against malware on macOS for years. In the past, attackers usually needed to trick users into taking action to circumvent this protection. This is precisely where the new attack method comes in. It reduces the necessary steps to a minimum and makes the infection process significantly less noticeable.
Gatekeeper and its previous role on macOS
Gatekeeper on macOS checks whether applications are signed and notarized by Apple. If this is not the case, execution is blocked or at least accompanied by clear warnings. Previous malware campaigns therefore attempted to trick users into deliberately bypassing these warnings. Typical methods included manually opening applications via the context menu or running scripts via the Terminal.
New findings from Jamf Threat Labs
Researchers at Jamf Threat Labs have reported on a new variant of the MacSync Stealer that takes a different approach. Instead of bypassing Gatekeeper, it abuses its trust. The malware is distributed via a code-signed and notarized Swift application. This means the app formally meets all the requirements to be launched on macOS without a warning message.
Camouflage as a legitimate application
The new variant is being distributed as an installer for a purported application called "zk-Call & Messenger." Users download this app via a web browser and can then open it normally with a double-click. Unlike previous versions, no right-click or explicit confirmation of opening is necessary, as it is a signed executable file.
An inspection of the installation file shows that it is correctly signed and notarized. It is also linked to a valid developer team ID. The file size of approximately 25.5 MB is noteworthy. The actual script is relatively small, but the application has been bloated with additional files such as PDFs. This makes it appear to be a legitimate installer simply due to its size.
The malware has a two-stage structure
The installation app does not directly contain the MacSync Stealer. After launching, it downloads a second payload from an external server. This server contains the actual malware, which is then installed on the target system. Technically, it is still an encrypted dropper. Many of the typical characteristics of MacSync Stealer are present.
The crucial difference lies in the first stage. By using a notarized and signed app, this stage can completely bypass Gatekeeper's protection mechanisms. The actual malware is only downloaded from the internet later.
Classification and previous developments
Jamf describes this case as an example of how malware authors are strategically refining their distribution methods to achieve as many infections as possible. According to the researchers, such a combination of a Swift-based, code-signed, and notarized application with a post-loaded payload has not been observed before.
The trend of embedding malware in seemingly legitimate executable files is not new. Back in 2020, it was revealed that malicious code had been able to bypass Apple's notarization process because harmful scripts within applications went undetected. What's new this time is that the notarized app itself doesn't contain any malicious code, but only retrieves it from the internet after passing all the necessary checks. This significantly complicates detection during the notarization process.
Reaction and current situation
Jamf reported the associated developer team ID to Apple. The affected certificate was subsequently revoked. However, at the time of publication of this report, the code directory hashes were not yet included in Apple's revocation list. This demonstrates that a window of time can still exist between discovery and complete revocation.
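A defender-side check that mirrors the inspection described above (signature, notarization, developer team ID) and the code directory hash revocation discussed in this section, added here as an example and not code from the Jamf report: it pulls the identifier, team ID, CDHash and leaf certificate out of codesign -dvvv output, assesses notarization with spctl, and compares the team ID and CDHash against a locally maintained block list. It assumes macOS with codesign, spctl and xcrun stapler available when run against a real bundle; the block-list file and every sample value are assumptions.

```shell
#!/bin/sh
# Added example: summarise the signing facts of a downloaded app and check them
# against a local block list. The parsing functions work on captured text, so
# they can be exercised without macOS; inspect_app needs the real tools.

# Extract one "Key=value" field from codesign -dvvv output (first match only).
field() {                      # usage: field KEY < codesign_output
  sed -n "s/^$1=//p" | head -n 1
}

# Print identifier, team ID, CDHash and the leaf (first) Authority line.
# Note: codesign writes its description to stderr, hence 2>&1 in inspect_app.
summarize_signature() {        # usage: summarize_signature < codesign_output
  info=$(cat)
  printf 'identifier=%s\n' "$(printf '%s\n' "$info" | field Identifier)"
  printf 'team=%s\n'       "$(printf '%s\n' "$info" | field TeamIdentifier)"
  printf 'cdhash=%s\n'     "$(printf '%s\n' "$info" | field CDHash)"
  printf 'leaf=%s\n'       "$(printf '%s\n' "$info" | field Authority)"
}

# Succeed (exit 0) when the team ID or the CDHash appears in a block list
# (one value per line), e.g. values taken from a published threat report.
is_blocked() {                 # usage: is_blocked TEAMID CDHASH BLOCKLIST_FILE
  grep -qixF -e "$1" -e "$2" "$3"
}

# Live checks against an application bundle (macOS only, assumed tool set).
inspect_app() {                # usage: inspect_app /path/To/App.app
  app=$1
  codesign -dvvv "$app" 2>&1 | summarize_signature
  # A notarized Developer ID app is reported as "source=Notarized Developer ID".
  spctl --assess --type execute -vv "$app" 2>&1
  # Is a notarization ticket stapled to the bundle?
  xcrun stapler validate "$app" 2>&1 | tail -n 1
}

if [ $# -gt 0 ]; then
  inspect_app "$1"
fi
```

Run it as sh check_app.sh /path/To/Downloaded.app; the summary lines are what you would record before deciding whether to trust the installer.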
macOS security doesn't end with Gatekeeper
The MacSync Stealer case illustrates that despite Gatekeeper and notarization, macOS is not a completely closed system. Attackers deliberately exploit the trust built through signing and authentication. Therefore, meticulous digital hygiene remains crucial for Mac users. This includes carefully checking which software is installed and from which sources it originates, such as from well-known developer websites or directly from the Mac App Store. Gatekeeper is an important security mechanism in macOS, but it does not replace vigilance and critical behavior in everyday use. (Image: Shutterstock / Pungu x)