New MacSync Stealer Variant Highlights Apple’s Security Gaps

Recent research from Jamf Threat Labs has unveiled a new variant of the MacSync Stealer malware, underscoring a troubling trend in macOS security. This variant was distributed through a malicious application that was both code-signed with a valid Developer ID and notarized by Apple, circumventing the company’s primary security measures. As a result, Gatekeeper allowed the application to launch without any warnings to users.

Apple’s security framework has historically relied on a trust model where applications distributed outside the Mac App Store must be cryptographically signed and notarized to function without excessive user intervention. This system assumes that a signed application indicates good intent from the developer. However, the emergence of this new malware variant illustrates a significant flaw in that assumption.

How Attackers Are Exploiting Security Protocols

Attackers are increasingly finding ways to obtain legitimate developer certificates, allowing them to distribute malware that mimics legitimate software. According to experts familiar with the threat landscape, many of these malicious applications are operating with compromised Developer ID certificates, which can be obtained or purchased through underground channels. This method significantly reduces the level of suspicion surrounding these applications.

The initial binary of the latest MacSync Stealer variant is often a simple Swift-based executable that appears harmless during Apple’s static code analysis. Its true malicious behavior does not manifest until the application contacts remote servers to download additional payloads. Since these payloads may not be present during the notarization process, Apple’s security scanners are unable to detect any malicious activity at that stage.

The first documented case of Apple-notarized malware dates back to at least 2020, when a user on Twitter flagged a similar issue. In July 2023, another instance of malware that had received notarization from Apple came to light, raising concerns about the effectiveness of the current security measures.

What Does This Mean for Users?

While the frequency of these incidents may still be relatively low, the implications for users are significant. Each instance of malware, regardless of its prevalence, highlights vulnerabilities in macOS’s security protocols. Although some may argue that the responsibility lies with Apple to enhance its security measures, it is essential to recognize that the notarization process is designed to verify developer identity rather than guarantee the ongoing safety of the software.

Experts suggest that users can best protect themselves by downloading applications directly from trusted developers or from the Mac App Store, where software goes through a more rigorous vetting process. As this type of attack becomes more sophisticated, maintaining vigilance and updating security practices will be crucial in safeguarding personal devices.
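For defenders managing Macs, the point above (a valid signature and notarization ticket identify a publisher, they do not vouch for the software) can be turned into a triage rule. The following is an added example, not code from Jamf or Apple: it parses constructed samples of `spctl -a -vv` and `codesign -dvv` output and only allows an app whose Team ID is on an organisation allowlist. The Team IDs, paths and the allowlist itself are hypothetical.

```python
# Constructed sample of `spctl -a -vv <app>` output (not from a real sample).
SPCTL_OUT = """/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Publisher (ABCDE12345)
"""

# Constructed sample of `codesign -dvv <app>` output.
CODESIGN_OUT = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Publisher (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

# Hypothetical organisation allowlist of vetted publisher Team IDs.
APPROVED_TEAM_IDS = {"ZYXWV98765"}


def parse_kv(text):
    """Collect key=value lines; repeated keys (Authority) keep every value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def triage(spctl_out, codesign_out, approved=APPROVED_TEAM_IDS):
    """Return (verdict, reasons); Gatekeeper acceptance alone never yields 'allow'."""
    first_line = (spctl_out.splitlines() or [""])[0]
    spctl = parse_kv(spctl_out)
    sig = parse_kv(codesign_out)
    accepted = first_line.rstrip().endswith(": accepted")
    notarized = "Notarized Developer ID" in spctl.get("source", [])
    team = (sig.get("TeamIdentifier") or ["not set"])[0]
    reasons = [f"gatekeeper_accepted={accepted}", f"notarized={notarized}",
               f"team_id={team}"]
    if not accepted:
        return "block", reasons
    if team in approved:
        return "allow", reasons
    # Signed and notarized, but by a publisher nobody here has vetted.
    return "review", reasons + ["publisher not on allowlist"]
```

With the constructed inputs the app is accepted by Gatekeeper and notarized, yet the verdict is "review" because its Team ID has not been vetted. When running against real tool output, capture both stdout and stderr.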

The situation with Apple-notarized malware is an evolving issue that warrants close attention. As Arin Waichulis of 9to5Mac highlights, the intricacies of this attack vector need continuous monitoring as we move into 2026. The balance between convenience and security remains a delicate one for users navigating the macOS ecosystem.
