Notarized Mac App That Downloads Malware
Jamf Threat Labs observed a signed and notarized stealer that did not follow the typical execution chains we have seen in the past. The sample in question looked highly similar to past variants of the increasingly active MacSync Stealer malware but was revamped in its design.
Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach. Delivered as a code-signed and notarized Swift application within a disk image named
zk-call-messenger-installer-3.9.2-lts.dmg, distributed viahttps://zkcall.net/download, it removes the need for any direct terminal interaction. Instead, the dropper retrieves an encoded script from a remote server and executes it via a Swift-built helper executable.
The stealer emerged in April 2025 as Mac.C by a threat actor named ‘Mentalpositive’. It gained traction by July, joining the less crowded but still profitable space of macOS stealers alongside AMOS and Odyssey.
A previous analysis of Mac.C by MacPaw Moonlock indicates that it can steal iCloud keychain credentials, passwords stored on web browsers, system metadata, cryptocurrency wallet data, and files from the filesystem.
I hate to say I told you so but…who am I kidding, I love to say I told you so. In 2019 I wrote a prescient blog post, The true and false security benefits of Mac app notarization, in which I foretold such an attack, suggesting that notarization is security theater.
[…]
Many of the Mac malware “protections” that Apple has added over the years are merely punishments for Mac users and honest Mac developers, making their computing life more miserable while leaving gaping holes for malware to sneak through. (See my own Apple Security Credits, as a Mac developer, not a professional security researcher, and those are just issues that Apple fixed, not all of the issues I discovered.) Earlier this month 9to5Mac also reported, Apple security bounties slashed as Mac malware grows, a tacit admission by Apple of this hopeless situation.
it was always about creating fear around the well established practice of installing apps from outside the App Store.
Previously:
- Evolution of Apple Security Bounty Program
- Hydromac Malware
- More Notarized Mac Malware
- Notarized Mac Malware
- Catalina Removes Malware Assurance
- The True and False Security Benefits of Mac App Notarization
Update (2025-12-30): Jeff Johnson (Mastodon, Rosyna Keller):
My assumption all along was that notarization is intended to stop malware authors from distributing their own maliciously crafted apps, and in this respect I still think notarization is security theater. However, perhaps my assumption was wrong. What if the purpose of notarization is more narrowly focused, to prevent supply chain attacks like XcodeGhost? The requirement of uploading the built app to Apple for a malware scan is not very good at stopping a determined attacker with full control over app creation, submission, and distribution who is intentionally trying to sneak malware past Apple. On the other hand, the notarization requirement can stop an unwitting developer who is unintentionally distributing known malware in their app only as a carrier, a dupe, already a victim themselves.
The timeline of notarization seems a bit off, three years between 2015 and 2018 for Apple to engineer a mitigation for the massive, damaging XcodeGhost supply chain attack. I don’t see a sense of urgency there; it would be practically lackadaisical. Nonetheless, the motivation and implementation would make sense in light of XcodeGhost.
Is this blog post a mea culpa by me? Maybe! I now acknowledge there may be some security benefit to notarization. Whether the benefit outweighs the many downsides is another question, though. In any case, it would have been nice if Apple had made some kind of public, official statement like, “Hey, we’re introducing notarization because of XcodeGhost,” and then the whole thing would have made sense to everyone from the beginning. Instead, Apple chose its habitual path of greatest resistance, security by obscurity.
Previously:
4 Comments RSS · Twitter · Mastodon
Notarization is one of my least favorite things Apple has done in the last decade. I knew it was pointless back then and I'm with Jeff in wanting to say "I told you so." Not that it matters. Apple knew what they were doing, and knew they were being dishonest.
This completely destroys the security of the App Store and app notarization. They don’t even need to exist anymore because this fully bypasses them
No wonder Apple PR department is backing away from security as the main raison d'être for their app stores.
They don't have the will to ensure it.
> it was always about creating fear around the well established practice of installing apps from outside the App Store.
It is also a bit about making money since it is not possible for a developer to notarize himself/herself app(s) when his/her developer membership is expired.
