
macOS Malware MacSync Stealer Bypasses Gatekeeper, Evades Apple Protection
A newly identified macOS malware variant known as MacSync Stealer is abusing Apple’s code-signing and notarization process to bypass Gatekeeper protections. The technique allows the malware to execute without command-line interaction, marking a significant escalation in macOS threat sophistication.
Executive Summary
A new evolution of the macOS infostealer known as MacSync Stealer demonstrates how modern malware authors are increasingly abusing trusted platform mechanisms rather than attempting to defeat them outright.
Security researchers have identified a variant of MacSync that is delivered as a signed and notarized Swift-based application, allowing it to bypass Apple’s Gatekeeper protections without requiring terminal commands or explicit security overrides from the user.
This technique significantly lowers the barrier to infection and challenges the long-standing perception that notarization alone provides sufficient protection against malicious software on macOS systems.
Technical Analysis
Unlike earlier macOS malware families that relied heavily on social engineering or manual user actions, the latest MacSync Stealer variant adopts a far more subtle execution model.
The infection chain begins with a disk image (DMG) that contains a legitimately signed and notarized installer application. Because the binary passes Gatekeeper verification, macOS allows it to execute without displaying the usual warning dialogs associated with untrusted software.
Once launched, the installer performs minimal visible actions while silently retrieving a secondary payload from a remote server. This second-stage component is responsible for harvesting locally stored credentials, browser session data, and potentially sensitive user files.
By separating the trusted installer from the malicious payload, the attackers effectively exploit Apple’s trust model rather than breaking it, making detection and user suspicion far less likely.
IOC and Vectors
The primary infection vector observed in this campaign is the distribution of signed DMG installers masquerading as legitimate communication or productivity applications.
Known characteristics include:
- Swift-based installer binaries
- Apple Developer ID signatures later revoked
- Encrypted network requests to retrieve secondary payloads
- Background execution without persistent UI elements
At the time of analysis, no kernel-level exploitation has been observed; the attack relies entirely on user execution of a trusted-looking installer.
What to Do Now
macOS users and organizations should immediately review their software installation practices and reduce reliance on notarization as a sole trust indicator.
Restricting application execution to approved sources, enforcing Mobile Device Management (MDM) controls, and deploying endpoint protection capable of behavioral analysis are critical steps.
Users should avoid installing software distributed outside the Mac App Store or trusted enterprise portals, even if the application appears signed and notarized.
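The following script is an added example (not code from the article or from any vendor) that puts the advice above into practice on a Mac: it inventories /Applications and classifies each bundle by how it earned the right to run, so that a Gatekeeper "accepted" verdict with a notarized Developer ID signature is shown as one bucket to review rather than as proof of safety. It relies on the stock macOS tools spctl and codesign and on the App Store receipt at Contents/_MASReceipt/receipt; the function names, categories and the sample tool output in the docstrings are constructed for this example.

```python
"""
Classify installed macOS applications by provenance so that "signed and
notarized" is one signal among several rather than a trust decision in itself.
Added example for this article; not code from the article or from any vendor.

Assumptions (constructed for this example): the function names, the sample
tool output in the docstrings, and the risk categories are ours. It relies on
the stock macOS tools `spctl` and `codesign` and on the App Store receipt path
Contents/_MASReceipt/receipt.
"""
from __future__ import annotations
import re
import shutil
import subprocess
from pathlib import Path


def parse_spctl(output: str) -> tuple[str, str]:
    """Parse the output of `spctl --assess --type execute --verbose=2 <app>`.

    Constructed sample of the real format:
        /Applications/Foo.app: accepted
        source=Notarized Developer ID
    Returns (verdict, source) with verdict in {"accepted", "rejected", "unknown"}.
    """
    verdict, source = "unknown", ""
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            verdict = "accepted"
        elif ": rejected" in line:
            verdict = "rejected"
        elif line.startswith("source="):
            source = line[len("source="):]
    return verdict, source


def parse_codesign_team(output: str) -> str:
    """Extract TeamIdentifier from `codesign -dv --verbose=4 <app>` output.

    Unsigned or ad-hoc signed bundles report `TeamIdentifier=not set`; that
    and a missing line both map to "" here.
    """
    m = re.search(r"^TeamIdentifier=(.+)$", output, re.MULTILINE)
    if not m or m.group(1).strip() == "not set":
        return ""
    return m.group(1).strip()


def classify(has_mas_receipt: bool, verdict: str, source: str) -> str:
    """Bucket an app by how it earned the right to run."""
    if has_mas_receipt:
        return "app-store"
    if verdict == "accepted" and "Notarized" in source:
        # The bucket the MacSync installer sits in: Gatekeeper-clean, not App Store.
        return "notarized-developer-id"
    if verdict == "accepted":
        return "accepted-other"
    return "unsigned-or-rejected"


def run_tool(args: list[str]) -> str:
    """spctl and codesign write their diagnostics to stderr; merge both streams."""
    proc = subprocess.run(args, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def assess_app(app: Path) -> dict:
    """Combine receipt check, Gatekeeper assessment and signing identity for one bundle."""
    has_receipt = (app / "Contents" / "_MASReceipt" / "receipt").is_file()
    verdict, source = parse_spctl(
        run_tool(["spctl", "--assess", "--type", "execute", "--verbose=2", str(app)]))
    team = parse_codesign_team(run_tool(["codesign", "-dv", "--verbose=4", str(app)]))
    return {"app": app.name, "class": classify(has_receipt, verdict, source),
            "source": source, "team_id": team}


def inventory(apps_dir: str = "/Applications") -> list[dict]:
    """Return one record per .app bundle; review everything not in 'app-store'."""
    return [assess_app(p) for p in sorted(Path(apps_dir).glob("*.app"))]


if __name__ == "__main__":
    if not (shutil.which("spctl") and shutil.which("codesign")):
        raise SystemExit("spctl/codesign not found: run this on macOS")
    for rec in inventory():
        if rec["class"] != "app-store":
            print(f'{rec["class"]:<24} team={rec["team_id"] or "-":<12} {rec["app"]}')
```

The output lists every bundle that did not come through the App Store together with its team identifier, which is the value to compare against the developer IDs your organisation actually approves; a notarized bundle from an unknown team is the case this campaign relies on, and revocation of the certificate by Apple will later turn its verdict into "rejected".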
Verification Steps
Administrators can verify exposure by reviewing:
- Recently installed applications not sourced from the App Store
- Network activity following installer execution
- Unexpected background processes launched by installer binaries
On managed systems, audit logs and EDR telemetry should be examined for secondary payload downloads occurring shortly after DMG execution.
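As an added example (not the article's own tooling), the script below shows the correlation the verification steps describe, run over a few constructed EDR-style telemetry lines: a process launched from a mounted disk image under /Volumes that, within a short window, makes an outbound connection and spawns a child whose image lives outside the disk image. The log format, field names, PIDs and TEST-NET addresses are constructed for this example; the /Volumes heuristic for "launched from a DMG" and the 120-second window are assumptions to tune against your own EDR schema.

```python
"""
Correlate EDR-style process and network telemetry to surface the pattern the
article describes: an installer launched from a mounted disk image that, within
a short window, reaches out over the network and spawns a process from a
dropped file. Added example for this article, not the article's own code.

The log format, field names, PIDs and addresses below are constructed for this
example (TEST-NET addresses); map your EDR's schema onto parse_line().
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry: one benign browser, one DMG installer that
# phones home and drops a helper, and one DMG installer that stays quiet.
SAMPLE_LOG = """
2024-05-01T10:00:00 exec pid=400 ppid=1 path=/Applications/Safari.app/Contents/MacOS/Safari
2024-05-01T10:00:05 net pid=400 dest=203.0.113.5:443
2024-05-01T10:01:00 exec pid=501 ppid=1 path=/Volumes/ChatInstaller/Install.app/Contents/MacOS/Install
2024-05-01T10:01:03 net pid=501 dest=198.51.100.20:443
2024-05-01T10:01:07 exec pid=502 ppid=501 path=/private/tmp/.cache/helper
2024-05-01T10:01:09 net pid=502 dest=198.51.100.20:443
2024-05-01T10:02:00 exec pid=600 ppid=1 path=/Volumes/Editor/Editor.app/Contents/MacOS/Editor
"""


@dataclass
class Event:
    ts: datetime
    kind: str        # "exec" or "net"
    pid: int
    ppid: int = 0    # exec only
    path: str = ""   # exec only: image path
    dest: str = ""   # net only: remote host:port


def parse_line(line: str) -> Event:
    """Parse one constructed telemetry line of the form '<iso-ts> <kind> k=v ...'."""
    ts, kind, *kv = line.split()
    f = dict(item.split("=", 1) for item in kv)
    return Event(datetime.fromisoformat(ts), kind, int(f["pid"]),
                 int(f.get("ppid", 0)), f.get("path", ""), f.get("dest", ""))


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def correlate(events: list[Event], window_s: int = 120) -> list[dict]:
    """One alert per DMG-launched root process that shows follow-on activity."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    roots = [e for e in events if e.kind == "exec" and e.path.startswith("/Volumes/")]
    for root in roots:
        deadline = root.ts + timedelta(seconds=window_s)
        lineage = {root.pid}               # root plus the descendants seen so far
        dropped, dests = [], set()
        for e in events:
            if e.ts < root.ts or e.ts > deadline:
                continue
            if e.kind == "exec" and e.ppid in lineage:
                lineage.add(e.pid)         # events are time-ordered, so parents precede children
                if not e.path.startswith("/Volumes/"):
                    dropped.append(e)      # child image lives outside the disk image
            elif e.kind == "net" and e.pid in lineage:
                dests.add(e.dest)
        if dests and dropped:
            severity = "high"              # phoned home and executed a dropped file
        elif dests:
            severity = "medium"            # installer reached out; review the destination
        else:
            continue
        alerts.append({"root_pid": root.pid, "root_path": root.path,
                       "severity": severity,
                       "child_pids": [d.pid for d in dropped],
                       "child_paths": [d.path for d in dropped],
                       "dests": sorted(dests)})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_log(SAMPLE_LOG)):
        print(a["severity"].upper(), a["root_path"], "->", a["child_paths"], a["dests"])
```

On the sample data only the ChatInstaller process is raised, at high severity, because it both contacted a remote host and executed a helper from /private/tmp; the quiet Editor installer is not. Since an installer copied to /Applications before launch would not match the /Volumes check, a production rule should also seed the root set from the non-App-Store inventory discussed above.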
Frequently Asked Questions
No. Gatekeeper is functioning as designed, but the attack abuses trusted certificates rather than exploiting a vulnerability.
No. Applications installed exclusively through the Mac App Store are not part of this attack vector.
Unmanaged enterprise devices face higher risk, especially when users are allowed to install third-party software freely.
Yes, and Apple has done so in previous cases, but revocation typically occurs after malware is discovered and reported.