Security News

Month in review: Apple security in February 2018

Posted on by

Apple security news February 2018

February brought to light four families of Mac malware: Intego discovered OSX/Shlayer, two RATs were found, and a popular Mac software download site distributed Trojanized versions of Firefox, OnyX, and Deeper.

Meanwhile: a single Telugu character allowed pranksters to crash iOS devices and Macs, Apple’s T2 chip brings security improvements to the new iMac Pro, and a government contractor claims it can unlock any iOS device. Read on for these stories and more!

New Mac Malware: OSX/Shlayer Discovered by Intego

In mid-February, Intego researchers discovered OSX/Shlayer, an interesting new twist on a classic malware attack. OSX/Shlayer comes in the form of a fake Flash Player installer, but what’s unusual is that it leverages code-signed shell scripts to do its dirty work.

Intego researchers found OSX/Shlayer spreading via BitTorrent file sharing sites, appearing as a fake Flash Player update when a user attempted to select a link to copy a torrent magnet link. Of course, readers who don’t search for torrents should still be wary; fake Flash Player alerts can be found in many places on the Web.

OSX/Shlayer is both a Trojan horse—meaning that it masquerades as something that it’s not, in this case a Flash Player installer—and a dropper, meaning that its main purpose is to download a secondary infection.

Intego observed variants of OSX/Shlayer downloading and installing OSX/MacOffers or OSX/Bundlore adware onto infected Macs.

Intego VirusBarrier was the first anti-virus software to detect this malware; its three variants are detected as OSX/Shlayer.AOSX/Shlayer.B, and OSX/Shlayer.C. VirusBarrier also detects the secondary adware infections.

For more details about OSX/Shlayer, shell scripts, and code signing, see our featured article:

OSX/Shlayer: New Mac malware comes out of its shell

New Mac Malware: OSX/Coldroot RAT

Coincidentally, the same weekend that Intego researchers discovered OSX/Shlayer, Patrick Wardle smelled a RAT.

In preparation for a talk at an upcoming security conference, Wardle searched VirusTotal for a sample of malware that attempts to directly modify a macOS database file (TCC.db) to grant itself special permissions. He found a sample that was undetected by all 60 of VirusTotal’s anti-virus engines but that nevertheless looked suspicious to a trained researcher’s eye.

Wardle discovered that the sample was a previously undetected RAT—a remote administration tool designed to be installed with malicious intent, without the user’s knowledge. Evidently developed in 2016 and 2017, the malware had kept a low profile until Wardle’s discovery.

The RAT, which Intego VirusBarrier detects as OSX/Coldroot, has the capability of performing a number of functions for a remote attacker such as:

  • log everything the user types, including passwords
  • list, rename, or delete files and folders
  • list the apps that are currently running
  • launch or quit apps
  • download or upload files
  • determine which window is currently in the foreground
  • stream continuous screenshots to the attacker
  • shut down the computer

For more details about OSX/Coldroot including how to know whether your Mac is infected, and for a comparison with other recently discovered Mac RATs, see our featured article:

OSX/Coldroot and the RAT invasion

New Mac Malware: OSX/EvilOSX RAT

Coldroot wasn’t the only RAT discovered in February.

EvilOSX RAT logoOSX/EvilOSX, which first appeared in 2017, coincidentally came out with a new variant right around the time that Wardle discovered OSX/Coldroot.

Interestingly, in spite of including features that are overtly malicious in nature, EvilOSX is developed as open-source software that’s freely available on GitHub, a popular software development repository.

This makes it relatively easy for any would-be attacker to download the software and use it to gain remote administrator privileges over someone else’s Mac—as long as they can get physical access, or can trick a victim into installing the software.

An attacker can supposedly leverage EvilOSX to do things such as the following with a victim’s Mac:

  • take a picture using the Mac’s built-in camera
  • retrieve passwords from Google Chrome
  • retrieve browser history from Safari and Chrome
  • retrieve iCloud tokens and contacts
  • phish for iCloud passwords via iTunes
  • download or upload files
  • engage in a denial of service (DoS) attack

Intego detects this RAT as OSX/EvilOSX. For more details, see our featured article:

MacUpdate Mistakenly Distributes Trojanized Apps

At the beginning of February, popular Mac software download site MacUpdate unintentionally distributed infected copies of three Mac apps: Mozilla’s Firefox browser, and Titanium Software’s utility apps OnyX and Deeper.

Evidently, attackers successfully tricked MacUpdate admins into changing the download links for the three apps by registering look-alike domain names. The attackers had repackaged the legitimate utilities and added a malicious payload to them: dropper malware that would download a cryptocurrency miner hosted on Adobe Creative Cloud servers.

It’s generally safest to download apps from Apple’s official App Stores if possible. Whenever an app isn’t available though the Mac App Store (as is the case with Firefox, OnyX, and Deeper), it’s safest to download the software directly from the developer’s own site rather than trying to obtain them via a third-party download site.

If you’re interested in all the technical details about the malware, you can read Patrick Wardle’s write-up.

Intego VirusBarrier detects the infection’s components as OSX/CreativeUpdater and OSX/Miner.

New iMac Pro’s T2 Chip Enhances Security

Apple announced that its new iMac Pro desktop computers contain an Apple chip called T2, which improves both security and performance. T2 is the successor to the T1 chip included in Apple’s MacBook Pro with Touch Bar.

Apple says that its T2 chip includes “a Secure Enclave coprocessor that provides the foundation for new encrypted storage and secure boot capabilities.”

Let’s just hope that Apple’s inclusion of a chip called “T2” doesn’t mean that Judgment Day is nigh.

For more details, see our featured article:

Apple’s New iMac Pro Delivers Enhanced Security with the T2 Chip

Apple Security Updates

Apple issued security updates on February 19 for macOS High Sierra (as a Supplemental Update for 10.13.3), iOS (as 11.2.6), watchOS (as 4.2.3), and tvOS (as 11.2.6).

The updates addressed only a single vulnerability, via which “a maliciously crafted string” of characters could cause memory corruption, leading to a crash or unstable state.

The bug became widely known in mid-February when a particular Telugu character sent via iMessage or through third-party messaging apps caused Apple devices to crash (as discussed on the Intego Mac Podcast).

Interestingly, the bug may have been reported to Apple more than a month earlier; Apple seems to have reserved the bug’s CVE number on January 2.

For more details on the updates, see our featured article:

Apple Releases Security Updates to Patch the Telugu Character Bug

iBoot Source Code from iOS 9 Leaked

Source code from iOS 9’s version of iBoot, the bootloader portion of Apple’s mobile operating system, was leaked on GitHub in early February, reports TechCrunch.

Although this does not pose an immediate threat to iOS device users, it could potentially give hackers greater insight into how Apple’s boot process works. Motherboard notes that past vulnerabilities in iBoot have enabled “jailbreakers and hackers to brute-force their way through the iPhone’s lock screen and decrypt a user’s data,” but thanks to the Secure Enclave Processor and other modern enhancements, such a leak poses less risk today.

Motherboard later reported details about how the iBoot source code was leaked, allegedly through an intern who worked at Apple’s Cupertino headquarters in 2016.

Cellebrite Claims It Can Unlock Any iOS Device

Cellebrite, the Israeli company which the FBI allegedly hired to unlock San Bernardino shooter Syed Farook’s iPhone, claims it now has the capability to unlock any iOS device running all recent versions of the operating system, from iOS 5 through the latest iOS 11.2.6, reports Forbes.

iPhone 8 and iPhone XThe company can reportedly unlock all iOS devices, including all models of iPhone (even the newest ones, iPhone 8 and iPhone X), iPad, iPad mini, iPad Pro, and iPod touch.

Rather than offering this feature via software to governments and law enforcement agencies, Cellebrite requires that agencies must physically send devices to the company. Presumably, Cellebrite’s goal is to delay the inevitable: Apple eventually finding and patching the vulnerability that’s being used to break into the devices.

Should privacy-conscious iOS users be worried? Perhaps not. Cryptography expert Bruce Schneier remarks that,

“There’s… a credible rumor that Cellebrite’s [methods] only defeat the mechanism that limits the number of password attempts. It does not allow engineers to move the encrypted data off the phone and run an offline password cracker. If this is true, then strong passwords are still secure.”

Other Security News, in Brief

There were other notable goings-on in the security world in February. Some highlights:

  • Four episodes of the Intego Mac Podcast were published in February. Be sure to subscribe to make sure you don’t miss any future episodes! This month’s topics included:
  • Flag of the People's Republic of ChinaApple has begun hosting Chinese citizens’ iCloud accounts in a new data center in China to comply with Chinese law, reports Reuters; this allows Chinese authorities to avoid having to go through the U.S. legal system to request access to Chinese citizens’ iCloud accounts
  • Apple warns how to avoid App Store and iTunes Store phishing e-mails in a new support document
  • Those who have bought or sold a used Mac, or who are considering doing so, should read Brenden Mulligan’s report about how he unknowingly had access to a Mac’s location for 3 years after he sold it
  • More than four thousand sites—including U.S. government sites—were hijacked for cryptominingMonero cryptocurrency logo, facilitated by the sites’ use of Browsealoud, a JavaScript file hosted on a third-party site that was compromised, reports Graham Cluley; the attackers only mined U.S. $24 worth of Monero cryptocurrency before being shut down, reports The Guardian
    • In case you missed it, we covered cryptojacking—and how to protect yourself from it—in the November 15 episode of the Intego Mac Podcast
  • Have I Been Pwned launched a new version of its Pwned Passwords service that allows users to look up whether a password has been leaked in a past data breach, reports service creator Troy Hunt; AgileBits reports that it has updated its online password manager to integrate with this lookup service
  • Open Whisper Systems has launched the Signal Foundation, a 501(c)(3) nonprofit organization, to support the development of Signal, a popular secure messaging app, reports OWS founder Moxie Marlinspike
  • As a reminder, in the United States tax season began on January 30; U.S. citizens should file their tax returns as soon as practical to help prevent scammers from fraudulently filing for you

Stay Tuned! Subscribe to The Mac Security Blog

Be sure to subscribe to The Mac Security Blog to stay informed about Apple security throughout each month.

Also, each week we discuss Mac and iOS security news and other topics of interest on the Intego Mac Podcast. You’ll want to subscribe in iTunes/Podcasts to make sure you don’t miss any shows! Show notes are available at

Last but not least, be sure to subscribe to the Intego YouTube channel to get informative video updates, and click on YouTube’s bell icon (?) so you’ll get notified when each new episode is available.
T2 chip image credit: Henriok. “Cold root” image composed by Joshua Long using public-domain images of roots and icicles.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →