What is ZhuGeSupport.framework service on macOS?
Hi, a similar question has already been asked in the "The mystery of ZhuGe Service?" thread.
Though it was suggested that this service was "just a part of coreaudio", it still looks suspicious, especially when checking the list of allowed permissions that it has:
$ codesign -d --entitlements - /System/Library/PrivateFrameworks/ZhuGeSupport.framework/Versions/A/XPCServices/ZhuGeService.xpc/Contents/MacOS/ZhuGeService
The full list doesn't fit here, but here are just some of them:
[String] RosalineSerialNumber
[String] RoswellChipID
[String] SavageChipID
[String] SavageInfo
[String] SavageSerialNumber
[String] SavageUID
[String] ScreenSerialNumber
[String] SecondaryBluetoothMacAddress
[String] SecondaryBluetoothMacAddressData
[String] SecondaryEthernetMacAddress
[String] SecondaryEthernetMacAddressData
[String] SecondaryWifiMacAddress
[String] SecondaryWifiMacAddressData
[String] SecureElementID
[String] SerialNumber
[String] SysCfg
[String] SysCfgDict
[String] ThreadRadioMacAddress
[String] ThreadRadioMacAddress64Bit
[String] ThreadRadioMacAddress64BitData
[String] ThreadRadioMacAddressData
[String] TopModuleAuthChipID
[String] TristarID
[String] UniqueChipID
[String] UniqueDeviceID
[String] UniqueDeviceIDData
[String] WifiAddress
[String] WifiAddressData
[String] WirelessBoardSnum
Why would a "mere audio service" need to access all the available hardware identifiers? Or is the real purpose of this service something else, like reporting and tracking the user identification / fingerprint? And who gets this information? The name of the service suggests it has some Chinese roots...
It's very strange to see such an unusual naming choice for a core service, if it's really a core service. Although it's reported as being signed by Apple, that only raises more questions:
$ codesign -d -vv /System/Library/PrivateFrameworks/ZhuGeSupport.framework/Versions/A/XPCServices/ZhuGeService.xpc/Contents/MacOS/ZhuGeService
Executable=/System/Library/PrivateFrameworks/ZhuGeSupport.framework/Versions/A/XPCServices/ZhuGeService.xpc/Contents/MacOS/ZhuGeService
Identifier=com.apple.ZhuGeService
Format=bundle with Mach-O universal (x86_64 arm64e)
CodeDirectory v=20400 size=1743 flags=0x0(none) hashes=44+7 location=embedded
Platform identifier=13
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Jun 18, 2022 at 3:57:35 AM
Info.plist entries=21
TeamIdentifier=not set
Sealed Resources version=2 rules=2 files=0
Internal requirements count=1 size=72
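
Added example, not part of the original post: a Python sketch that parses `codesign -d -vv` output like the one quoted above and classifies the signing chain when triaging an unfamiliar binary. The category labels, function names and the constructed Developer ID sample are assumptions made for illustration.

```python
# Lines copied from the codesign -d -vv output in the post above (abridged).
SAMPLE = """\
Identifier=com.apple.ZhuGeService
Format=bundle with Mach-O universal (x86_64 arm64e)
Platform identifier=13
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set
"""
# Constructed sample of a third-party signature (hypothetical name and team ID).
CONSTRUCTED_DEVID = """\
Identifier=com.example.helper
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
APPLE_OS_CHAIN = ["Software Signing",
                  "Apple Code Signing Certification Authority", "Apple Root CA"]

def parse_codesign(text):
    """Collect 'Key=value' lines; Authority lines are kept in leaf-to-root order."""
    info = {"authorities": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)
        else:
            info[key] = value
    return info

def classify(info):
    """Label the chain. This reads text only; a cryptographic check is
    `codesign --verify --strict -R="anchor apple" <path>` on the Mac itself."""
    chain = info["authorities"]
    team = info.get("TeamIdentifier", "not set")
    if chain == APPLE_OS_CHAIN and team == "not set" and "Platform identifier" in info:
        return "apple-platform-binary"
    if chain and chain[0].startswith("Developer ID Application:") and chain[-1] == "Apple Root CA":
        return "third-party-developer-id"
    return "no-certificate-chain" if not chain else "other"

if __name__ == "__main__":
    print(classify(parse_codesign(SAMPLE)))
```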