New Mac Exploit Easily Bypasses Gatekeeper Security, Could Allow Installation of Malicious Apps

by

Apple introduced Gatekeeper in 2012, creating it as a method of protection for users against malicious threats by adding various layers of security during installation of Mac apps. The feature is intended to ensure that apps users try to install on their Macs are legitimate and signed by a registered developer, minimizing the threat of malware. But now, a security researcher has discovered a simple method of bypassing Gatekeeper using a binary file already trusted by Apple to attack a user's computer (via Ars Technica).

macbook_pro_15_imac_27
Gatekeeper is meant solely to check the initial digital certificate when an app is downloaded on a Mac, ensuring that the program has been signed by an Apple-approved developer or at least comes from the Mac App Store itself before allowing the installation to proceed.

"If the application is valid—so it was signed by a developer ID or was (downloaded) from the Mac App Store—Gatekeeper basically says 'OK, I'm going to let this run,' and then Gatekeeper essentially exits," Patrick Wardle, director of research of security firm Synack, told Ars. "It doesn't monitor what that application is doing. If that application turns around and either loads or executes other content from the same directory... Gatekeeper does not examine those files."

Even if Gatekeeper is enhanced to its highest level of security settings, the new exploit can take advantage of a computer. Once the trusted file makes its way past the security program, it can then execute a handful of other malicious programs attached with the rest of the installation and gains the ability to install malicious software such as password-stealing programs, apps that can capture audio and video from a Mac's camera, and botnet software.

The researcher who discovered the exploit sent news of it to Apple about 60 days ago and "believes they are working on a way to fix the underlying cause or at least lessen the damage it can do to end users." Since then, an Apple spokesperson has confirmed the company is working on a patch for the issue and has asked that the identities of the specific files used in the exploit not be disclosed. Wardle plans to showcase his research on the Gatekeeper exploit at the Virus Bulletin Conference on Thursday in Prague.

Tag: Gatekeeper

Popular Stories

m5 macbook pro deal

Why You Shouldn't Buy the Next MacBook Pro

Tuesday February 10, 2026 4:27 pm PST by
Apple is planning to launch new MacBook Pro models as soon as early March, but if you can, this is one generation you should skip because there's something much better in the works. We're waiting on 14-inch and 16-inch MacBook Pro models with M5 Pro and M5 Max chips, with few changes other than the processor upgrade. There won't be any tweaks to the design or the display, but later this...
Read Full Article243 comments
iOS 26

Apple Releases iOS 26.3 and iPadOS 26.3

Wednesday February 11, 2026 10:07 am PST by
Apple today released iOS 26.3 and iPadOS 26.3, the latest updates to the iOS 26 and iPadOS 26 operating systems that came out in September. The new software comes almost two months after Apple released iOS 26.2 and iPadOS 26.2. The new software can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General > Software Update. According to Apple's release notes, ...
Read Full Article90 comments
Apple Logo Zoomed

Apple Expected to Launch These 10+ Products Over the Coming Months

Tuesday February 10, 2026 6:33 am PST by
It has been a slow start to 2026 for Apple product launches, with only a new AirTag and a special Apple Watch band released so far. We are still waiting for MacBook Pro models with M5 Pro and M5 Max chips, the iPhone 17e, a lower-cost MacBook with an iPhone chip, long-rumored updates to the Apple TV and HomePod mini, and much more. Apple is expected to release/update the following products...
Read Full Article40 comments
iPhone 16e Bottom Crop

Apple Reportedly Unveiling a New iPhone Next Week

Tuesday February 10, 2026 1:51 pm PST by
Apple plans to announce the iPhone 17e on Thursday, February 19, according to Macwelt, the German equivalent of Macworld. The report said the iPhone 17e will be announced in a press release on the Apple Newsroom website, so do not expect an event for this device specifically. The iPhone 17e will be a spec-bumped successor to the iPhone 16e. Rumors claim the device will have four key...
Read Full Article
Apple Logo Black

Apple Acquires New Database App

Wednesday February 11, 2026 6:44 am PST by
Apple acquired Canadian graph database company Kuzu last year, it has emerged. The acquisition, spotted by AppleInsider, was completed in October 2025 for an undisclosed sum. The company's website was subsequently taken down and its Github repository was archived, as is commonplace for Apple acquisitions. Kuzu was "an embedded graph database built for query speed, scalability, and easy of ...
Read Full Article33 comments

Top Rated Comments

Codyak Avatar
Codyak
135 months ago
-Gategate
Score: 20 Votes (Like | Disagree)
cariacou Avatar
cariacou
135 months ago
Your Mac has either a 14nm Samsung CPU or a 16nm TSMC CPU.

To check which one you have, please click on this link...
Score: 13 Votes (Like | Disagree)
D
DavidTheExpert
135 months ago
There's a very simple way to avoid malware on any computer: Don't install anything you don't trust.
Score: 6 Votes (Like | Disagree)
garylapointe Avatar
garylapointe
135 months ago
I tend to assume that there are ways around all forms of security protection.
But the app store has always made me feel a little safer...

Gary
Score: 4 Votes (Like | Disagree)
L
Lord Hamsa
135 months ago
I'm not particularly concerned about this "exploit". Anyone seeking to make use of it could just as easily put the malware directly in the developer-signed application in the first place. Why go through the extra steps of invoking additional applications when you can do it in the initial one?

The only thing that keeps the self-signed applications on the up-and-up is that the developer ID can be revoked for bad behavior - whether it's in the signed application or a bundled application called by it makes little difference if the developer is doing this intentionally.

The only real attack vector here is if an application is known to invoke "helper" executables, and someone executes a man-in-the-middle attack to create a modified distribution with the legit signed main application but with one or malware-infected helper executables, and then pass that off as a legit bundle. Possible, but limiting downloads to trusted/official sites will prevent that.
Score: 4 Votes (Like | Disagree)
J
JimmyHook
135 months ago
This is an old one. The "fix" is to download software from trusted sources only. Which is what you should do anyway. The guy even said it isn't a bug, it's a limitation in gatekeeper.
Score: 3 Votes (Like | Disagree)
Read All Comments