
North Korean hackers use infected cryptocurrency apps to attack Mac computers

Malware Continues to Attack Mac Users

North Korean hackers have disguised malware in seemingly innocuous macOS apps, using complex code to bypass security checks and attack unsuspecting users.

A recent discovery by researchers at Jamf Threat Labs has uncovered malware embedded in seemingly harmless macOS apps. Using the popular app-building tool Flutter, cybercriminals created apps that bypassed typical security measures.

Flutter, developed by Google, has become a favorite tool for building apps that run seamlessly across macOS, iOS, and Android. Its single codebase lets developers write an app once and have it look the same on every platform.

But Flutter’s unique setup can also make things tricky, especially when it comes to detecting hidden code. In a typical Flutter app, the core code (written in Dart) is packaged into a “dylib” file, a dynamic library that is later loaded by the Flutter engine.

While this structure is convenient for developers, it also obscures the compiled code, making it difficult to inspect. Hackers have taken advantage of that opacity by hiding malicious code where it is hard to detect.

How the macOS Flutter Attack Works

Jamf Threat Labs discovered three versions of the malware, each designed for a different programming environment — Flutter, Go, and Python. All three used similar techniques to contact external servers, believed to be controlled by North Korea, to execute additional malicious commands.

The Flutter-based malware was delivered in a deceptive app called “New Updates on Crypto Exchange.” The app presented itself as a simple game, inviting users to play without suspicion.

However, hidden in its code was a function that connected to a domain previously associated with North Korean cyber operations. The function allowed the app to download additional malicious scripts capable of remotely controlling the infected Mac.

A mockup of the Flutter app. Image credit: Jamf Labs

Meanwhile, the Python variant posed as a simple notepad application and connected to a suspicious domain, downloading and running malicious AppleScript scripts to remotely control the victim’s computer. One of the most disturbing parts of the malware is its ability to execute remote AppleScript commands.

AppleScript is a scripting language built into macOS that automates tasks and lets applications communicate with one another. The malware uses AppleScript to remotely control the device and perform actions such as collecting data or installing further malware. Notably, the malicious AppleScript was written backwards, with its text reversed, to evade simple detection.
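The reversed-script trick described above only defeats scanners that read embedded strings in one direction. The following is an added example, not code from the article or from Jamf Threat Labs: a small string scanner that looks for AppleScript phrases both as written and reversed. The phrase list, the minimum string length, and the sample binary blob (which hides a harmless `say hello` script backwards) are all constructed for illustration.

```python
# Added example (not from the article or from Jamf Threat Labs): a string
# scanner that checks embedded strings forwards and backwards for
# AppleScript phrases, since the article notes the malicious script was
# stored written in reverse. Phrase list and sample blob are constructed.
import re
from typing import Dict, List

# Phrases that rarely belong in an app's embedded strings but are common
# in AppleScript used to run commands or drive other applications.
SUSPICIOUS_PHRASES = ("do shell script", "osascript", "tell application")

MIN_LEN = 12  # same idea as `strings -n 12`: ignore short fragments


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Pull runs of printable ASCII out of a binary blob, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def applescript_hits(strings: List[str]) -> List[Dict[str, str]]:
    """Report strings that contain a suspicious phrase either as written or
    once reversed. Forward matches are kept so an un-obfuscated script is
    still flagged; reversed matches catch the trick the article describes."""
    hits = []
    for s in strings:
        for orientation, text in (("forward", s), ("reversed", s[::-1])):
            lowered = text.lower()
            phrase = next((p for p in SUSPICIOUS_PHRASES if p in lowered), None)
            if phrase is not None:
                hits.append({"string": s, "decoded": text,
                             "phrase": phrase, "orientation": orientation})
                break  # one report per string is enough
    return hits


def scan_blob(data: bytes) -> List[Dict[str, str]]:
    """Convenience wrapper: extract strings from raw bytes, then scan them."""
    return applescript_hits(extract_strings(data))


# Constructed sample: a few ordinary app strings plus one harmless
# AppleScript stored backwards, separated by non-printable bytes.
_HIDDEN = 'do shell script "say hello"'[::-1].encode("ascii")
SAMPLE_BLOB = b"\x00".join([
    b"Flutter Engine loaded",
    b"New Updates on Crypto Exchange",
    b'display dialog "Game over"',
    _HIDDEN,
    b"\x01\x02short",
])

if __name__ == "__main__":
    for hit in scan_blob(SAMPLE_BLOB):
        print(f"{hit['orientation']:8} {hit['phrase']!r} <- {hit['string']!r}")
```

Run against a real binary by reading it into `scan_blob`; the only hit on the constructed blob is the reversed `do shell script` string, while the forward strings (including the legitimate `display dialog`) pass. Reversal is just one cheap transform; a production scanner would apply the same idea to other trivial encodings (base64, hex) before matching.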

How to Protect Yourself from Flutter Malware for macOS

There are no signs yet that these apps have been used in a real attack; the malware appears to still be in a testing phase. Given North Korea’s history of attacks on the financial sector, cryptocurrency users and companies could be in the crosshairs.

Users should download apps from Apple’s Mac App Store whenever possible, as apps available there undergo a security review. While the App Store review process is not foolproof, it does reduce the risk of downloading malware.

By default, macOS only allows apps from the App Store and from identified developers, a setting that can be found under Privacy & Security in the System Settings app.
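The App Store and identified-developer check above is what Gatekeeper performs when an app is first opened, and it can also be run on demand. The following is an added example, not code from the article or from Jamf Threat Labs: it wraps the macOS `spctl` and `codesign` command-line tools and parses their output so the check can be automated before a downloaded bundle is launched. The source strings it treats as trusted (`Mac App Store`, `Notarized Developer ID`) are the ones `spctl` prints in practice and are an assumption to verify on your macOS version; the sample output in the docstring is constructed.

```python
# Added example (not from the article or from Jamf Threat Labs): automate the
# Gatekeeper assessment and a strict code-signature check for an app bundle.
# The trusted source strings are assumed from spctl's usual output.
import shutil
import subprocess
from typing import Dict, Optional

TRUSTED_SOURCES = ("Mac App Store", "Notarized Developer ID")


def parse_spctl_output(text: str) -> Dict[str, str]:
    """Parse the output of `spctl --assess --type execute --verbose=4 <app>`.

    spctl writes lines such as (constructed sample):
        /Applications/Foo.app: accepted
        source=Notarized Developer ID
        origin=Developer ID Application: Example Corp (TEAMID)
    """
    info = {"verdict": "unknown", "source": "", "origin": ""}
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(": accepted"):
            info["verdict"] = "accepted"
        elif line.endswith(": rejected"):
            info["verdict"] = "rejected"
        else:
            key, sep, value = line.partition("=")
            if sep and key in ("source", "origin"):
                info[key] = value.strip()
    return info


def is_trusted(info: Dict[str, str]) -> bool:
    """True only when Gatekeeper accepted the app AND its source is one of
    the two the article recommends: the Mac App Store or a notarized
    identified (Developer ID) developer."""
    return info["verdict"] == "accepted" and info["source"] in TRUSTED_SOURCES


def assess_app(app_path: str) -> Optional[Dict[str, object]]:
    """Run Gatekeeper's assessment plus a strict signature verification.
    Returns None when the tools are unavailable (i.e. not running on macOS)."""
    if shutil.which("spctl") is None or shutil.which("codesign") is None:
        return None
    gate = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "--verbose=4", app_path],
        capture_output=True, text=True)
    # spctl reports on stderr for accepted bundles; read both streams.
    parsed = parse_spctl_output(gate.stdout + gate.stderr)
    sig = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", app_path],
        capture_output=True, text=True)
    result: Dict[str, object] = dict(parsed)
    result["signature_valid"] = sig.returncode == 0
    result["trusted"] = is_trusted(parsed) and sig.returncode == 0
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/Applications/Safari.app"
    outcome = assess_app(target)
    print(outcome if outcome is not None
          else "spctl/codesign not found: not running on macOS")
```

A bundle that Gatekeeper rejects, or that is accepted only as plain `Developer ID` without notarization, is reported as untrusted even if its signature verifies; that mirrors the article's advice to prefer the App Store and identified developers rather than trusting any signed binary.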

Another important step in staying secure is to regularly update macOS and installed apps, as Apple frequently releases security patches. Keeping your devices and apps up to date helps protect against newly discovered vulnerabilities.

Finally, be careful with cryptocurrency-related apps, as hackers often target them with fake versions. Apps that promise quick profits or “sound too good to be true” schemes can carry hidden risks.
