Apple has recently released XProtect, an antivirus technology built mainly around YARA signature-based detection of known malware that targets macOS. However, it has been reported that Apple's attempt to protect its operating system with XProtect has fallen short since the surfacing of a fresh variant of the malware family called AdLoad. The AdLoad malware is capable of evading the XProtect antivirus and fully infecting macOS.
Multiple attacks have occurred since the beginning of November 2020, and a sharp increase in activity was detected around July to August 2021. This research was reported by the cybersecurity firm SentinelOne.
Moreover, the researchers observed that of the more than 220 samples they tested, at least 150 were not identified or detected by Apple's built-in antivirus, XProtect.
As of now, the signatures have been updated, and about a dozen AdLoad signatures are detected. Many of the samples identified by the researchers carry a valid signature from Developer ID certificates issued by Apple itself, and the rest are able to run under the default Gatekeeper settings.
In addition, the researchers' reports note that the AdLoad malware has been active in many earlier campaigns.
How the AdLoad Malware Bypasses XProtect
Typically, the AdLoad malware's first step after bypassing Apple's XProtect is to install a MITM (Man-in-the-Middle) web proxy on the victim's Mac. The proxy's task is to hijack the victim's search engine results and inject advertisements into web browsers, with the aim of stealing sensitive data such as the victim's financial information.
To persist on an already infected Mac, the AdLoad malware then installs LaunchDaemons and LaunchAgents.
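Because the article describes persistence through LaunchDaemons and LaunchAgents, a defender's first triage step is to enumerate those launch items and flag the ones whose program lives outside the locations Apple and legitimate installers normally use. The script below is an added example, not code from the article or from SentinelOne's research; the directory list, the trusted-path prefixes and the heuristics (program outside trusted paths, a `com.apple.` label pointing at a non-Apple binary, `RunAtLoad` combined with `KeepAlive`) are this example's own assumptions, and the two sample plists it builds are constructed fixtures, not real AdLoad artifacts.

```python
"""Triage macOS launch items (LaunchAgents/LaunchDaemons) for suspicious persistence.

Added example for illustration; heuristics and paths are assumptions, not a vendor's rules.
"""
import os
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Launch-item directories a user- or admin-level installer can write to.
# Apple's own items under /System/Library are SIP-protected and left out.
LAUNCH_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Where the executable of a legitimate launch item normally lives (assumption).
TRUSTED_PREFIXES = (
    "/System/",
    "/usr/bin/",
    "/usr/sbin/",
    "/usr/libexec/",
    "/Applications/",
)


def program_path(item: dict) -> str:
    """Return the executable a launch item starts, via Program or ProgramArguments[0]."""
    if "Program" in item:
        return str(item["Program"])
    args = item.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_launch_item(plist_path: Path) -> Dict:
    """Parse one launch-item plist and apply simple persistence heuristics."""
    with plist_path.open("rb") as fh:
        item = plistlib.load(fh)
    exe = program_path(item)
    label = str(item.get("Label", ""))
    reasons: List[str] = []
    if exe and not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside trusted locations")
    if label.startswith("com.apple.") and not exe.startswith(("/System/", "/usr/")):
        reasons.append("Apple-looking label with non-Apple program")
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (restarted if killed)")
    return {
        "label": label,
        "program": exe,
        "plist": str(plist_path),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_launch_dirs(dirs) -> List[Dict]:
    """Triage every .plist in the given directories; missing directories are skipped."""
    findings: List[Dict] = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                findings.append(triage_launch_item(p))
            except Exception as exc:  # malformed plist is itself worth a look
                findings.append({"label": "", "program": "", "plist": str(p),
                                 "suspicious": True, "reasons": [f"unparseable plist: {exc}"]})
    return findings


def build_sample_dir() -> Path:
    """Write two constructed fixtures (not real malware) into a temp dir and return it."""
    root = Path(tempfile.mkdtemp(prefix="launchitems-"))
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    }
    shady = {
        "Label": "com.apple.searchhelper",  # mimics an Apple label (constructed)
        "ProgramArguments": ["/Library/Application Support/.hidden/helper"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    for name, obj in (("com.example.updater.plist", benign),
                      ("com.apple.searchhelper.plist", shady)):
        with (root / name).open("wb") as fh:
            plistlib.dump(obj, fh)
    return root


if __name__ == "__main__":
    # Demonstrate on the constructed fixtures, then on this machine's real directories.
    for finding in scan_launch_dirs([build_sample_dir()]) + scan_launch_dirs(LAUNCH_DIRS):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['label']:32} {finding['program']}  {finding['reasons']}")
```

On a real Mac the output is a starting point for manual review, not a verdict: a legitimate third-party helper may sit under `/Library/Application Support`, so each flagged item still needs its code signature and origin checked.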
Other malware families have done this before
AdLoad is not the only malware capable of bypassing Apple's built-in security systems. Previous reports state that various malware groups have been discovered attacking the security mechanisms inside Mac devices.
In May 2021, zero-day exploitation was detected when the then-current macOS release was compromised through CVE-2021-30713 to bypass Apple's Transparency, Consent, and Control (TCC) framework. Before that, in April of the same year, the same kind of zero-day exploitation was carried out by a malware called Shlayer, which aimed to bypass Apple's Gatekeeper, File Quarantine, and Notarization security checks.
To conclude, it is evident that Apple must act immediately and step up its protection to further defend Mac devices against malware like AdLoad, which grows more sophisticated each day.