Security researcher Filippo Cavallarin has identified a flaw in the MacOS Gatekeeper authentication system which, if properly exploited, can allow the delivery of a malicious software package that can ultimately take control of the system.
As the Apple explains in the official support page, Gatekeeper is the feature present in Apple’s operating system since 2012 that aims to keep the system safe from malware by screening the downloaded apps: those from the App store and from developers identified are opened without problems, those that are not recognized to need a confirmation from the user.
Screening does not take place, if an app is transferred from a local storage unit, which has been activated via automount (another basic macOS feature). It is by deceiving Gatekeeper into believing that a downloaded file was actually originating from a local drive that Cavallarin was able to bypass the verification protocols. The security researcher contacted Apple last February to notify the problem, but having received no response he decided to make the discovery public on May 24th.
Apparently, the vulnerability has been exploited to spread a malware, identified by the security company Intego. This is the OSX/Linker package, which allows you to take full control of the targeted machine.
The OSX/Linker code has been uploaded four times on VirusTotal, a repository that researchers use to share and recognize malware examples: it is a fairly low occurrence, and the fact that the malware has already been recognized by Intego makes it probable that can also be identified by other antivirus tools.
At this point, it should be fairly easy to avoid OSX/Linker malware, especially if you avoid downloading material from unreliable sources. A further countermeasure – before an official patch – can be to disable the automount, with the flip side of having to manually activate (mount) external drives whenever they are used.