Anatomy of OS X's Gatekeeper and Phony (and legitimate) Installers
Introduction
[edited 06/08/17]
A phony installer package is possibly the easiest way to infect your computer with malicious software. Rather than trying to force a malicious program onto your system without the user's knowledge, this distribution method relies on the user sitting at the computer to install the phony software package themselves. Like any con game, the scam relies on the user downloading a package they think is the genuine application but which is in reality a compromised version or, more often, not the software it claims to be at all.
While there are many such scams out there on Mac and Windows, this document focuses on the role of Apple's built-in Gatekeeper in preventing (or accidentally facilitating) the install, and on malware that pretends to be Adobe Flash Player, hoping you won't question its legitimacy and will install something that was never Adobe Flash to begin with.
While this document is primarily about Mac OS X, since it focuses on Gatekeeper, some of the concepts apply to other scams based on the same procedure on either Mac or Windows. The purpose of this document is to help users identify these scams and avoid them, or deal with an infection.
OS X Gatekeeper and its role with identified and unidentified developer software
OS X's Gatekeeper, which appears in OS X 10.7.3 and later, by default blocks installs based on whether it can identify the developer of the software. Phony software developers often do not have developer licenses, since Apple requires proof of the developer's identity in order to issue one, but it's also possible for legitimate software developers to have no license with Apple for a number of legitimate reasons (more on this in a moment). So the Gatekeeper system is not entirely fool-proof, and its default protective mechanism can be changed by an admin to allow software from identified and non-identified developers alike.
Gatekeeper can be accessed from System Preferences... -> Security & Privacy -> General
Selecting the radio button for "Anywhere" in Gatekeeper on OS X versions 10.7.3 to 10.11.x bypasses the developer check, and the OS will install whatever you want without initiating any check.
OS 10.12 no longer shows "Anywhere" unless it is "triggered" directly after an attempted install of software with an unknown or no developer license. "Anywhere" appears only the first time the user tries to launch software from an unknown developer:
Gatekeeper OS X 10.11
Gatekeeper OS X 10.12
Allowing software from "Anywhere" is no longer a setting you can select permanently for the system.
It's important to know a few things:
1) Not all developers who are not identified by Apple are making malicious software; on the contrary, some very viable (and IMHO amazing) software comes from developers who are not recognized by Apple Computer as legitimate. OpenOffice, Blender and GIMP are perfect examples of free alternatives (commercial use permitted) to popular software packages that not everyone can afford, but their developers do not have developer licenses, and regardless of their legitimacy Gatekeeper will block them as a precaution.
2) Some older software from Adobe, Microsoft, etc. may predate the developer having a valid license, so it's not uncommon to see Gatekeeper block an install from an older package that came from a known developer.
3) Some unscrupulous developers may get hold of legitimate developer information to try to bypass this system. Be vigilant whenever a site tells you to download software, especially on sites that seem suspicious to begin with.
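You can ask Gatekeeper for its verdict on a download from Terminal before ever double-clicking it. The script below is an added example and not part of this tip: it assumes macOS with spctl, codesign and pkgutil available, and it assumes spctl reports its verdict as "<path>: accepted" or "<path>: rejected" followed by a "source=" line (the sample strings used to exercise the parser are constructed, not captured from a real package). Given a .app or .pkg it prints the verdict and who signed it without launching anything.

```shell
#!/bin/sh
# Added example (not from the original tip): summarise Gatekeeper's verdict on a
# downloaded app or installer package without opening it. Assumes macOS with
# spctl(8), codesign(1) and pkgutil(1). The "<path>: accepted|rejected" and
# "source=..." wording is an assumption about spctl's output.

# classify_spctl TEXT: reduce spctl's output to one word: accepted / rejected / unknown
classify_spctl() {
    case "$1" in
        *": accepted"*) printf 'accepted\n' ;;
        *": rejected"*) printf 'rejected\n' ;;
        *)              printf 'unknown\n' ;;
    esac
}

# spctl_source TEXT: pull out the "source=" line, e.g. "Developer ID" or
# "no usable signature" (constructed examples of the values spctl prints)
spctl_source() {
    printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1
}

# gk_assess PATH: run the real check. Flat packages are assessed as an
# install, everything else (app bundles) as something to execute.
gk_assess() {
    path=$1
    case "$path" in
        *.pkg|*.mpkg) type=install ;;
        *)            type=execute ;;
    esac
    # spctl writes its verdict to stderr, so merge it into the captured text;
    # a rejection makes spctl exit non-zero, which is not an error for us
    out=$(spctl --assess -vv --type "$type" "$path" 2>&1) || true
    verdict=$(classify_spctl "$out")
    src=$(spctl_source "$out")
    printf '%s\n  verdict: %s\n  source:  %s\n' "$path" "$verdict" "${src:-n/a}"
    # Show who signed it, if anyone: pkgutil for flat packages, codesign for bundles
    if [ "$type" = install ]; then
        pkgutil --check-signature "$path" 2>&1 | sed 's/^/  /'
    else
        codesign --display --verbose=2 "$path" 2>&1 \
            | grep -E '^(Authority|TeamIdentifier)=' | sed 's/^/  /'
    fi
}

# Usage: sh gk_assess.sh ~/Downloads/SomeInstaller.pkg
if [ "$#" -gt 0 ]; then
    gk_assess "$1"
fi
```

A "rejected" verdict with "no usable signature" is exactly the case in point 1 above: it means Gatekeeper could not attribute the file to an identified developer, not that the file is malicious. An "accepted" verdict only tells you the signer identified themselves to Apple.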
Anatomy of a legitimate install from a developer without credentials
I'm now going to show what happens when I install software that (as far as I know) is legitimate but does not have a developer license with Apple. I could perform this same procedure with an unidentified piece of software that was in fact fraudulent, and in doing so I would have facilitated an install of something malicious without the hacker or scammer needing to lift a finger.
In this example I use GIMP, a free graphics application (commercial use permitted) that is popular with 3D artists, game modders and designers looking for a free alternative to other software.
This status bar may fill up but it hasn't in the past few minutes and it's been hanging for a while.
A quick trip to Gatekeeper in OS 10.12 shows me this new option has appeared.
Clicking Open Anyway shows this:
Clicking OK will install the software. I only need to do this one time; the next time I open this particular package I do not need to go through all this again, at least for GIMP.
Consider the following:
• At the time of this writing there have been no reports of a malicious package using a legitimate developer's identifiable code to bypass this safeguard, so keeping Gatekeeper enabled is in your best interest; you can manage it as you need to.
• Sold on the App Store or not, not every piece of software with an identified developer license comes with any guarantee of quality control for OS X. Having a license for Gatekeeper shows that the developer identified themselves to Apple as being who they claim to be, but nothing about testing the software or its stability is a prerequisite for them to have a license.
• "Cracked" offerings of MS Office, Adobe Creative Cloud, 3ds Max, etc. have been targeted by hackers through packages distributed across the internet that claim to circumvent these packages' anti-piracy protection. Using software to do this is not only illegal, it is a very common way to install malicious software that a scammer might feel is just deserts for someone who would use this software illegally to begin with. Avoid 'cracked' software. It makes your computer highly susceptible to further attacks.
• The developers of legitimate software, many of whom do not have licenses with Apple, are providing alternative software for users who do not want to be bound by the constraints of more popular and often expensive packages from big software companies. If you dislike paying for overpriced software, try the free alternatives, and maybe donate so the developers can buy a cup of coffee or hire additional staff!
Anatomy of a phony installer distribution method
Sites offering compromised or fraudulent software claiming to be "Flash" can go about it like this:
The window this ad appears in is designed to look like it's coming from OS X.
Once that happens the webpage delivers a phony pop-up for their payload.
(Screenshots of three variants of the phony pop-up appeared here.)
While this type of scam is common on sites that offer warez or content you don't feel like paying for right now or ever, it has become more common on sites you would not necessarily associate with illegal and immoral activity.
I have my priorities covered, I play guitar in a rock band 👿!
Real Flash vs. Fake Flash
(or Phlash as I think I may have just coined but am too lazy to check the internet)
If you need Flash and there is no way around it, and a site is telling you to download it, there is only one place on the internet to ever download it from, and there are no exceptions:
https://get.adobe.com/flashplayer/
With a legitimate Flash Player from Adobe in hand, I wanted to compare the two installers:
I clicked Install (yes, the fake one) to see what happens next...
What happens next is the program downloads and opens an installer window on my desktop.
Let's compare fake Flash to Adobe's genuine article:
Now I really want to commend these scammers on their attention to detail; they were so subtle with the installer window that it boggles the mind as to which one is which (spoiler: the real one is on the right!). This is what's often known as a "tell" with many scammers: they didn't bother to check what the developer's installer actually looks like, and either tried their hand at creativity or just had some outdated garbage nearby and were lazy.
If something does not look right, walk away, like you would when you get a bad feeling from a used car salesman.
So let's compare file size:
Highlight the installer icon, hold down ⌘ and type "i"
The fake package is 1/10th the size of the genuine one. I don't know what's in the package, and even with Apple's Gatekeeper enabled I'm not going to click to find out.
There is a package here, so let's take a closer look: right-click the install package and select "Show Package Contents".
No, this will not install anything either; we are just taking a look.
Again, fake on the left, actual Flash on the right.
Well, what's in the fake flash?
The answer is I don't want to find out, at least not on my working computer. If I did, I would build a Mac that I can take off the LAN, watch the fireworks (if any), and then reformat the hard drive when the fun ends.
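The size check, the "Show Package Contents" look and a check for the download quarantine tag can all be done from Terminal without ever launching the installer. The script below is an added example, not the tip's own material: it assumes macOS with xattr, xar and pkgutil available, and it assumes the com.apple.quarantine attribute value has the form flags;timestamp;agent;uuid (an assumption of this example). The quarantine value used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the original tip): compare two installers side by side
# without opening either one. Assumes macOS (xattr, xar, pkgutil); wc, du, ls
# and awk are POSIX. The quarantine format "flags;hextime;agent;uuid" is an
# assumption of this example, as is the constructed sample value in the usage.

# size_bytes PATH: byte count of a file, or on-disk size of a bundle directory
size_bytes() {
    if [ -d "$1" ]; then
        echo $(( $(du -sk "$1" | cut -f1) * 1024 ))
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# size_ratio A B: how many times larger A is than B, to one decimal place
size_ratio() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b == 0) print "inf"; else printf "%.1f\n", a / b }'
}

# parse_quarantine VALUE: summarise a com.apple.quarantine attribute value.
# Gatekeeper only assesses files that still carry this attribute, so a
# download without it never gets the developer check at all.
parse_quarantine() {
    printf '%s\n' "$1" | awk -F';' '{
        agent = ($3 == "") ? "unknown" : $3
        printf "flags=%s agent=%s\n", $1, agent
    }'
}

# inspect PATH: size, quarantine tag, signer and top-level contents
inspect() {
    path=$1
    printf '== %s\n' "$path"
    printf '  size:       %s bytes\n' "$(size_bytes "$path")"
    q=$(xattr -p com.apple.quarantine "$path" 2>/dev/null || true)
    if [ -n "$q" ]; then
        printf '  quarantine: %s\n' "$(parse_quarantine "$q")"
    else
        printf '  quarantine: none (Gatekeeper will not assess this file)\n'
    fi
    case "$path" in
        *.pkg)
            # flat package: pkgutil reports the signer, xar lists the members
            pkgutil --check-signature "$path" 2>&1 | sed 's/^/  /'
            printf '  contents:\n'
            xar -tf "$path" | sed 's/^/    /'
            ;;
        *.app)
            # bundle: the same view as Finder's "Show Package Contents"
            printf '  contents:\n'
            ls "$path/Contents" "$path/Contents/MacOS" 2>/dev/null | sed 's/^/    /'
            ;;
    esac
}

# compare SUSPECT GENUINE: inspect both and report how much bigger the genuine one is
compare() {
    inspect "$1"
    inspect "$2"
    printf 'size ratio (genuine / suspect): %s\n' \
        "$(size_ratio "$(size_bytes "$2")" "$(size_bytes "$1")")"
}

# Usage: sh compare_installers.sh ~/Downloads/Suspect.app "/Volumes/Flash Player/Install Adobe Flash Player.app"
if [ "$#" -eq 2 ]; then
    compare "$1" "$2"
fi
```

A ratio near 10 matches what the Get Info windows show above, and a missing quarantine tag on a file that was just downloaded is itself worth noticing, since Gatekeeper will never be consulted for it.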
Prevention
While there are no known viruses for OS X, and the findings on these forums point to Mac anti-virus packages being irresponsibly bad (despite all the good they've done for Windows users intent on turning their Macs into Windows boxes and destabilizing them with popular Windows names like AVG, McAfee, Norton, etc.), an AV package may never notice or block these attacks, even on Windows, because they are facilitated by the user and the user's intention is unknown to it. There is adware for Mac, there is malware, and while nowhere near the amount there is for Windows, the number is growing because it would be impossible for it to do otherwise.
If you have fallen victim to something like this I recommend both Malwarebytes for Mac and EtreCheck, as both of these packages were developed by two frequent (and invaluably helpful) contributors to these forums, Thomas R and Etresoft (buy them coffee, or beer!)
I will reiterate what I always say about the state of OS X security:
Firstly
Keep your OS X and iOS up to date, and keep your Windows even more so. Unlike Microsoft, Apple is generally very quiet about what is included in a security patch, where Windows is practically egging on the hacker community with details of what they addressed.
Secondly
If a site is offering you something for free that you should otherwise be paying for, see the link I cited earlier for just deserts.
Safe browsing is where computer security begins and ends.
In Closing
So what am I attempting to do here?
Well, foster conversation about this type of scam, because it's a popular one and there seems to be no end to where it pops up, and the fact that it can be found more often on sites you wouldn't consider unscrupulous may portend a more concerning trend in distributing garbage, or possibly far worse.
This user tip was generated from the following discussion: Anatomy of a Phony Flash Player (can we just call it Phlash?)