Why have there been so many XProtect updates?

In the six weeks since the start of the New Year, Apple has released five updates to XProtect, the set of malware detection signatures used during Gatekeeper checks. A quick glance back at comparable periods in 2023 and earlier confirms that this is the most frequent rate of updating since my records began in 2019. This article considers why this might be and what it might tell us.

XProtect and Yara

This XProtect, unlike the XProtect Remediator scanning service, provides Gatekeeper with a set of ‘Yara’ definitions used when checking executable code before it’s run. Each definition commonly includes a ‘signature’, a set of strings or byte sequences considered characteristic of a particular item of malicious software. There’s an art in developing Yara rules that are specific enough to detect the malware you’re trying to catch, but don’t result in false positives. Although this form of static detection can be evaded by those who write malware, it remains the most common technique used.

Originally, definitions in XProtect’s Yara file were named using the recognised name for each item of malware. In 2018, Apple decided to start obfuscating them using meaningless codenames. Lately it has started to reverse that, and although some of the names it uses are peculiar to Apple, security researchers like Phil Stokes @philofishal of SentinelOne Labs can convert most of them to the names used outside Apple.

2024 updates

In the six weeks ending 9 February, Apple has released five updates to XProtect, each of which has had changes in the definitions in its Yara file. These are:

XProtect 2178, 8 January, four new rules;
XProtect 2179, 16 January, one new rule;
XProtect 2181, 22 January, two new rules;
XProtect 2183, 30 January, one rule replaced with a new one;
XProtect 2184, 5 February, three new rules.

That makes a total of eleven new rules over this brief period.
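To see for yourself which rules an XProtect update has added or removed, and to translate the code names the article discusses, here is an added example (my own code, not Apple’s or Phil Stokes’). It parses the rule names out of XProtect’s Yara file, diffs two versions of it, reads the bundle version from its Info.plist, and maps the code names this article gives to their public names. The path to XProtect.bundle is the current one on macOS; the two sample Yara files are constructed for the demo and only mimic the layout of Apple’s rules.

```python
from __future__ import annotations

import plistlib
import re
from pathlib import Path

# Location of the Gatekeeper XProtect bundle on current macOS.
XPROTECT_BUNDLE = Path("/Library/Apple/System/Library/CoreServices/XProtect.bundle")
YARA_FILE = XPROTECT_BUNDLE / "Contents/Resources/XProtect.yara"
INFO_PLIST = XPROTECT_BUNDLE / "Contents/Info.plist"

# Generic YARA syntax: optional 'private'/'global' modifiers, then 'rule NAME'.
RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.M)

# Apple code name -> name used outside Apple, as given in this article only.
CODENAMES = {
    "SOMA": "Atomic Stealer (AMOS)",
    "CRAPYRATOR": "BkDr.Activator",
    "FRISKYHORSE": "Lazarus group malware",
    "REALSTAR": "possible Pirrit variant",
}


def rule_names(yara_text: str) -> set[str]:
    """Return the set of rule names declared in a YARA source file."""
    return set(RULE_RE.findall(yara_text))


def diff_rules(old_text: str, new_text: str) -> tuple[list[str], list[str]]:
    """Return (added, removed) rule names between two versions of a YARA file."""
    old, new = rule_names(old_text), rule_names(new_text)
    return sorted(new - old), sorted(old - new)


def translate(rule_name: str) -> str:
    """Map an XProtect rule name to a public malware name where the article gives one."""
    upper = rule_name.upper()
    for codename, public in CODENAMES.items():
        if codename in upper:
            return public
    return "not translated"


def xprotect_version(info_plist: Path = INFO_PLIST) -> str | None:
    """Read the XProtect bundle version (e.g. '2184'), or None if the bundle is absent."""
    if not info_plist.is_file():
        return None
    with info_plist.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


# Constructed sample files standing in for two successive XProtect.yara versions.
OLD_YARA = """
rule XProtect_MACOS_SOMA_A
{
    meta:
        description = "MACOS.SOMA.A"
    strings:
        $a = "constructed sample string one"
    condition:
        $a
}

rule XProtect_MACOS_SHEEPSWAP_A
{
    strings:
        $a = "constructed sample string two"
    condition:
        $a
}
"""

NEW_YARA = OLD_YARA.replace("SOMA_A", "SOMA_B").replace("SOMA.A", "SOMA.B") + """
rule XProtect_MACOS_CRAPYRATOR_A
{
    strings:
        $a = "constructed sample string three"
    condition:
        $a
}

private rule XProtect_MACOS_FRISKYHORSE_A
{
    strings:
        $a = "constructed sample string four"
    condition:
        $a
}
"""

if __name__ == "__main__":
    added, removed = diff_rules(OLD_YARA, NEW_YARA)
    for name in added:
        print(f"added   {name}  ->  {translate(name)}")
    for name in removed:
        print(f"removed {name}  ->  {translate(name)}")
    # On a Mac, also report the installed bundle's version and rule count.
    if YARA_FILE.is_file():
        print(f"installed XProtect {xprotect_version()} with "
              f"{len(rule_names(YARA_FILE.read_text(errors='replace')))} rules")
```

To diff real updates, keep a copy of XProtect.yara after each update and pass the two texts to `diff_rules()`; the regex only extracts rule names, so a change inside a rule body that keeps the same name (as in XProtect 2183’s replacement) shows up only if the name itself changed.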

Malware

Apple’s code names can be translated with the aid of Phil Stokes’ invaluable dictionary, to reveal the malware that Apple has been grappling with in its XProtect Yara definitions.

Adload is an old adware and bundleware loader dating back to 2016 that has a track record of rapid change, enabling it to evade static detection. It normally achieves persistence through a bogus service installed in ~/Library/LaunchAgents/, and Phil Stokes gives fuller details here.

Genieo, also known as MaxOfferDeal, is another old hand that changes frequently to escape detection. This is so well-known that it qualifies for its own page in Wikipedia.

Pirrit has also been known in many different variants and forms since it first appeared in 2016. For a long time it posed as a Flash Player installer, although it has moved on since then. It has recently been overviewed by Palo Alto Networks. RealStar (Apple’s code name) may be a recent Pirrit variant.

SheepSwap hasn’t been identified yet, although it’s also the name of a crypto token, which may give a clue as to its means of distribution.

Soma in Apple’s terminology is known more widely as Atomic Stealer or AMOS (Atomic macOS Stealer), an accomplished thief of passwords, crypto wallets, cookies and more. It has been known to arrive in the form of a fake installer for commercial software from Adobe, Microsoft and others. It changes rapidly to avoid detection, and further details are given by Phil Stokes.

Two latest additions are known quaintly by Apple as Crapyrator and FriskyHorse.

Crapyrator has been identified as BkDr.Activator, found in many torrents of cracked apps such as MarsEdit, DaisyDisk and SpamSieve. It uses sophisticated methods: characteristically it installs Activator.app in the main Applications folder, prompts for a password and uses that to disable Gatekeeper checks, then kills Notification Centre to cover its tracks. Further details are given here.

FriskyHorse has been identified as malware from the Lazarus group, which is linked with North Korea and whose activity is normally associated with the cryptocurrency trade. This typically achieves persistence through ~/Library/LaunchAgents/com.wifianalyticsagent.plist, and further details are given here.
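The descriptions of Adload, BkDr.Activator and FriskyHorse above each name a place to look on disk. As an added example (my own code, not from Apple, SentinelOne or any of the linked write-ups), the script below checks the two specific paths this article gives, and lists every user LaunchAgent with the program it starts so that bogus Adload-style services can be reviewed. The rule that flags a LaunchAgent pointing at a binary under the home folder is my own heuristic, not something the article states, and a hit from any of these checks is a reason to investigate rather than proof of infection. The demo runs against a constructed temporary folder tree, so it can be tried anywhere.

```python
from __future__ import annotations

import plistlib
import tempfile
from pathlib import Path

# Indicators named in this article. Presence alone is not proof of infection.
KNOWN_AGENTS = {
    "com.wifianalyticsagent.plist": "FriskyHorse (Lazarus) launch agent",
}
KNOWN_APPS = {
    "Activator.app": "BkDr.Activator (Apple: Crapyrator)",
}


def launch_agent_programs(agents_dir: Path) -> dict[str, str]:
    """Map each LaunchAgent plist name to the program it starts."""
    out: dict[str, str] = {}
    if not agents_dir.is_dir():
        return out
    for plist in sorted(agents_dir.glob("*.plist")):
        try:
            with plist.open("rb") as fh:
                d = plistlib.load(fh)
        except Exception as exc:  # unreadable or not a plist: still worth a look
            out[plist.name] = f"<unparseable: {exc}>"
            continue
        args = d.get("ProgramArguments") or []
        out[plist.name] = d.get("Program") or (args[0] if args else "")
    return out


def check_persistence(home: Path, applications: Path) -> list[str]:
    """Return human-readable findings for the indicators described in the article."""
    findings = []
    agents_dir = home / "Library" / "LaunchAgents"
    for name, label in KNOWN_AGENTS.items():
        if (agents_dir / name).exists():
            findings.append(f"{label}: {agents_dir / name}")
    for name, label in KNOWN_APPS.items():
        if (applications / name).exists():
            findings.append(f"{label}: {applications / name}")
    for plist, prog in launch_agent_programs(agents_dir).items():
        # Heuristic (my assumption, not from the article): a LaunchAgent that runs
        # a binary hidden under the home folder rather than an installed app bundle
        # is the usual shape of an Adload-style bogus service, so flag it for review.
        if prog.startswith(str(home)) and "/Applications/" not in prog:
            findings.append(f"LaunchAgent {plist} runs {prog} (review)")
    return findings


def demo() -> list[str]:
    """Build a constructed sample tree in a temp dir and scan it; touches no real Mac."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        apps = Path(tmp) / "Applications"
        agents = home / "Library" / "LaunchAgents"
        agents.mkdir(parents=True)
        apps.mkdir()
        # Constructed FriskyHorse-style agent pointing at a binary under the home folder.
        (agents / "com.wifianalyticsagent.plist").write_bytes(plistlib.dumps({
            "Label": "com.wifianalyticsagent",
            "ProgramArguments": [str(home / "Library" / "wifianalyticsagent")],
            "RunAtLoad": True,
        }))
        # Constructed benign agent that starts a helper inside an installed app.
        (agents / "com.example.legit.plist").write_bytes(plistlib.dumps({
            "Label": "com.example.legit",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
        }))
        # Constructed stand-in for BkDr.Activator's dropped app bundle.
        (apps / "Activator.app").mkdir()
        return check_persistence(home, apps)


if __name__ == "__main__":
    print("constructed demo tree:")
    for line in demo():
        print("  " + line)
    print("this machine:")
    for line in check_persistence(Path.home(), Path("/Applications")) or ["  nothing flagged"]:
        print("  " + line)
```

On a real Mac the second loop reads ~/Library/LaunchAgents and /Applications; anything it flags should be checked against the linked write-ups before deleting, since legitimate software also installs LaunchAgents that run helpers from under the home folder.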

What’s going on?

For XProtect, thus Gatekeeper, to detect any of this malware, it has to move with the times. Apple’s security engineers appear to be in the midst of a campaign against a combination of agile, sophisticated and recent attacks. Adload, Genieo and Pirrit have long histories of evading static detection, and this is perhaps the first time that they have been put under such pressure. Apple must be playing the long game, in the hope that the three won’t be able to sustain the pace.

Atomic Stealer, BkDr.Activator and FriskyHorse are relatively new, and their sophistication is concerning. Atomic Stealer is on sale as a commercial service, and is being used for simple profit. If that can be disrupted, then its developers may be forced to look elsewhere for their income.

Reducing risk

Never use torrents, particularly to download ‘cracked’ or unofficial software.
Only download apps from their original sources, and check the URLs used carefully.
If in any doubt as to the security and authenticity of a download, trash it immediately, and don’t open it.
Avoid anything related to cryptocurrency, as it’s high risk in every respect.
Ensure your Mac is kept up to date with XProtect and XProtect Remediator.
Never disable Gatekeeper/XProtect.
Run the latest version of macOS compatible with your Mac, and keep up with its security updates.
If you really have to break any of these, only do so in a sandboxed and isolated macOS virtual machine, such as one running in ViableS.