One of your Mac’s built-in malware detection tools may not work as well as you think. At the Defcon hacker conference in Las Vegas, longtime Mac security researcher Patrick Wardle presented findings about vulnerabilities in Apple’s macOS Background Task Management mechanism that can be exploited to bypass, and therefore defeat, the company’s recently added monitoring tool.
There is no foolproof way to catch malware on computers with absolute accuracy because, at its core, a malicious program is just software, like your web browser or chat app. It can be difficult to tell legitimate programs from malicious ones. That’s why operating system makers such as Microsoft and Apple, as well as third-party security companies, are constantly developing new detection mechanisms and tools to catch the new ways malicious software behaves.
Apple’s Background Task Management tool focuses on watching for software that “persists.” Malware can be designed to be ephemeral, lasting only a short time on a device or until the computer is restarted. But it can also be built to establish itself more deeply and “persist” on a target even after the computer is shut down and rebooted. Much legitimate software requires persistence so that your apps, data, and preferences appear as you left them every time you turn on your device. But if software establishes persistence unexpectedly, it could be a sign of something malicious.
With this in mind, Apple added Background Task Management to macOS Ventura, which launched in October 2022, to send notifications directly to users and to any third-party security tools running on a system when a “persistence event” occurs. This way, if you know you have just downloaded and installed a new application, you can dismiss the notification. But if you haven’t, you can investigate whether you have been compromised.
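To make the idea of a “persistence event” concrete, here is an added example of the kind of check a tool like Background Task Management or BlockBlock performs, written for this article and not Apple’s or Objective-See’s code. It parses launchd property lists (the LaunchAgents/LaunchDaemons plist format macOS uses for persistence), diffs a baseline snapshot against a current one, and reports any item that appeared, noting whether it will run at login. The plist contents, paths and labels (com.example.updater, com.constructed.sample) are constructed sample data, not real software.

```python
"""Minimal persistence-event monitor: report launchd items that appeared since a baseline."""
import plistlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PersistenceItem:
    path: str          # where the plist lives (LaunchAgents/LaunchDaemons directory)
    label: str         # launchd Label key
    program: str       # Program or joined ProgramArguments
    run_at_load: bool  # RunAtLoad true means it starts at login/boot without user action


def parse_launchd_plist(path: str, data: bytes) -> PersistenceItem:
    """Extract the fields that matter for triaging a launchd persistence item."""
    plist = plistlib.loads(data)
    program = plist.get("Program")
    if program is None:
        program = " ".join(plist.get("ProgramArguments", []))
    return PersistenceItem(
        path=path,
        label=plist.get("Label", "<no label>"),
        program=program,
        run_at_load=bool(plist.get("RunAtLoad", False)),
    )


def new_persistence_items(baseline: Dict[str, bytes], current: Dict[str, bytes]) -> List[PersistenceItem]:
    """Return items present in `current` (path -> plist bytes) that are absent from `baseline`.

    A real monitor would be driven by filesystem events or by the OS notifying it,
    as Background Task Management does; the diff logic is the same.
    """
    added_paths = sorted(set(current) - set(baseline))
    return [parse_launchd_plist(p, current[p]) for p in added_paths]


def describe(item: PersistenceItem) -> str:
    """Human-readable notification line, in the spirit of a persistence alert."""
    when = "at login/boot" if item.run_at_load else "on demand"
    return f"New persistence item {item.label!r} ({item.path}) runs {item.program!r} {when}"


# --- constructed sample data (not real plists from any system) ---------------
LEGIT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.constructed.sample</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.cache/helper</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Baseline snapshot: only the legitimate updater was present.
BASELINE = {"/Library/LaunchAgents/com.example.updater.plist": LEGIT_PLIST}
# Current snapshot: a second agent has appeared that the user did not install.
CURRENT = dict(BASELINE)
CURRENT["/Library/LaunchAgents/com.constructed.sample.plist"] = SUSPICIOUS_PLIST


if __name__ == "__main__":
    for item in new_persistence_items(BASELINE, CURRENT):
        print(describe(item))
```

Run it and the only notification is for the constructed `com.constructed.sample` agent; the updater that was already in the baseline is not reported. This is exactly the distinction the article describes: a persistence item you just installed is expected noise, while one that appears without your action is worth investigating.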
“There should be a tool [that notifies you] if something keeps installing itself; it’s a good thing for Apple to add, but the implementation has been so poor that any malware that’s relatively sophisticated can evade monitoring,” Wardle said of his findings at Defcon.
Apple could not immediately be reached for comment.
Through his Objective-See Foundation, which offers free and open source macOS security tools, Wardle has for years offered a similar persistence notification tool known as BlockBlock. “Because I write similar tools, I know the challenges my tools face, and I wondered if Apple’s tools and frameworks have the same issues to solve—and they do,” he said. “Malware can even persist in a way that is completely invisible.”
When Background Task Management first debuted, Wardle discovered some basic issues with the tool that caused persistence event notifications to fail. He reported them to Apple, and the company fixed those bugs. But the company has not addressed the deeper issues with the tool.
“We went back and forth, and eventually, they fixed that issue, but it was like putting tape on a plane that crashed,” Wardle said. “They don’t realize that part needs a lot of work.”