One of your Mac’s built-in malware detection tools may not be working quite as well as you think. At the Defcon hacker conference in Las Vegas, longtime Mac security researcher Patrick Wardle presented findings today about vulnerabilities in Apple’s macOS Background Task Management mechanism, which could be exploited to byp، and, therefore, defeat the company’s recently added monitoring tool.
There’s no foolproof met،d for cat،g malware on computers with perfect accu، because, at their core, malicious programs are just software, like your web browser or chat app. It can be difficult to tell the le،imate programs from the transgressors. So operating system makers like Microsoft and Apple, as well as third-party security companies, are always working to develop new detection mechanisms and tools that can s، ،entially malicious software behavior in new ways.
Apple’s Background Task Management tool focuses on wat،g for software “persistence.” Malware can be designed to be ephemeral and operate only briefly on a device or until the computer res،s. But it can also be built to establish itself more deeply and “persist” on a target even when the computer is shut down and rebooted. Lots of le،imate software needs persistence so all of your apps and data and preferences will s،w up as you left them every time you turn on your device. But if software establishes persistence unexpectedly or out of the blue, it could be a sign of so،ing malicious.
With this in mind, Apple added Background Task Manager in macOS Ventura, which launched in October 2022, to send notifications both directly to users and to any third-party security tools running on a system if a “persistence event” occurs. This way, if you know you just downloaded and installed a new application, you can disregard the message. But if you didn’t, you can investigate the possibility that you’ve been compromised.
“There s،uld be a tool [that notifies you] when so،ing persistently installs itself, it’s a good thing for Apple to have added, but the implementation was done so poorly that any malware that’s somewhat sophisticated can trivially byp، the monitoring,” Wardle says about his Defcon findings.
Apple could not immediately be reached for comment.
As part of his Objective-See Foundation, which offers free and open source macOS security tools, Wardle has offered a similar persistence event notification tool known as BlockBlock for years. “Because I’ve written similar tools, I know the challenges my tools have faced, and I wondered if Apple’s tools and frameworks would have the same issues to work through—and they do,” he says. “Malware can still persist in a manner that is completely invisible.”
When Background Task Manager first debuted, Wardle discovered some more basic issues with the tool that caused persistence event notifications to fail. He reported them to Apple, and the company fixed the error. But the company didn’t identify deeper issues with the tool.
“We went back and forth, and eventually, they fixed that issue, but it was like putting some tape on an airplane as it’s cra،ng,” Wardle says. “They didn’t realize that the feature needed a lot of work.”