Since the advent of the OS X Gatekeeper component, designed to protect users from installing malicious or untrusted software, researchers have looked for vulnerabilities that would let them circumvent this protection and install malware on OS X devices. As Securitylab reports, citing Patrick Wardle, director of research at the company Synack, he has found a way to bypass Gatekeeper. His method, called Apple dylib hijacking, was presented at the Virus Bulletin conference in Prague, Czech Republic.
The OS X operating system has several protection mechanisms against malware, and Gatekeeper is one of them. It restricts the sources from which a user can download and install applications. By default it is configured to allow programs only from the official Mac App Store catalog, where all apps are checked for viruses. The user can relax this setting to allow apps not only from the Mac App Store but directly from developers, or from any source at all (with Gatekeeper disabled).
Before an application runs, Gatekeeper performs a number of checks; normally, unsigned apps and programs downloaded from third-party sources rather than the Mac App Store cannot be launched. Wardle argues, however, that at launch Gatekeeper does not check whether the approved app then starts other programs or loads other libraries. If a victim is persuaded to download infected software that carries a valid signature from a third-party app store, an attacker could deliver a malicious library alongside it over an unprotected HTTP connection.
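The gap described above is that the launch-time check covers the application binary but not the libraries it pulls in, so the inspection a defender wants before trusting a downloaded binary is a list of what it will load and from where. The following Python script is an added example, not code from the article or from Wardle's research: it walks the load commands of a thin Mach-O image (the same information `otool -L` shows) and flags dylib and rpath entries that are resolved relative to the binary's own location (`@executable_path`, `@loader_path`, `@rpath`), since those are the references a file shipped next to the app can satisfy. The sample image is constructed inline and its `Helper.framework` and `libOptional.dylib` names are hypothetical; universal (fat) binaries are rejected rather than parsed.

```python
"""Enumerate the dynamic libraries a Mach-O binary will load and flag those
resolved relative to the binary itself. Added example; not the article's code."""
import struct
import sys
from dataclasses import dataclass

# Load-command identifiers from <mach-o/loader.h>.
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_LOAD_UPWARD_DYLIB = 0x23 | LC_REQ_DYLD
DYLIB_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}

# Thin Mach-O magic as the first four bytes on disk -> (byte order, header size).
MAGICS = {
    b"\xcf\xfa\xed\xfe": ("<", 32),  # 64-bit little-endian (x86_64, arm64)
    b"\xfe\xed\xfa\xcf": (">", 32),  # 64-bit big-endian
    b"\xce\xfa\xed\xfe": ("<", 28),  # 32-bit little-endian
    b"\xfe\xed\xfa\xce": (">", 28),  # 32-bit big-endian
}
# Prefixes dyld expands relative to the loading image, i.e. paths that a file
# shipped next to the app (rather than a system library) could satisfy.
RELATIVE_PREFIXES = ("@executable_path", "@loader_path", "@rpath")


@dataclass
class DylibRef:
    kind: str        # "dylib" (a library to load) or "rpath" (a search path)
    path: str
    relative: bool   # True when resolved relative to the binary's own location


def parse_dylib_refs(data: bytes) -> list:
    """Walk the load commands of a thin Mach-O image; return dylib and rpath entries."""
    order, header_size = MAGICS.get(data[:4], (None, None))
    if order is None:
        raise ValueError("not a thin Mach-O image (split universal binaries first)")
    if len(data) < header_size:
        raise ValueError("truncated Mach-O header")
    ncmds, sizeofcmds = struct.unpack_from(order + "II", data, 16)
    limit = min(len(data), header_size + sizeofcmds)
    refs, offset = [], header_size
    for _ in range(ncmds):
        if offset + 8 > limit:
            raise ValueError("load commands run past the declared command area")
        cmd, cmdsize = struct.unpack_from(order + "II", data, offset)
        if cmdsize < 8 or offset + cmdsize > limit:
            raise ValueError(f"load command at {offset:#x} has bad size {cmdsize}")
        if cmd in DYLIB_COMMANDS or cmd == LC_RPATH:
            # dylib_command and rpath_command both put the string offset right after cmdsize.
            (name_off,) = struct.unpack_from(order + "I", data, offset + 8)
            if not 12 <= name_off < cmdsize:
                raise ValueError(f"string offset {name_off} outside command at {offset:#x}")
            raw = data[offset + name_off : offset + cmdsize].split(b"\x00", 1)[0]
            path = raw.decode("utf-8", "replace")
            kind = "rpath" if cmd == LC_RPATH else "dylib"
            refs.append(DylibRef(kind, path, path.startswith(RELATIVE_PREFIXES)))
        offset += cmdsize
    return refs


def relative_refs(refs: list) -> list:
    """The entries a reviewer should check: anything resolved relative to the app."""
    return [r for r in refs if r.relative]


def _dylib_cmd(cmd: int, path: str) -> bytes:
    # struct dylib_command: cmd, cmdsize, name offset (24), timestamp, current/compat version.
    name = path.encode() + b"\x00"
    size = 24 + len(name)
    size += (-size) % 8  # load commands are 8-byte aligned
    return (struct.pack("<IIIIII", cmd, size, 24, 2, 0x10000, 0x10000) + name).ljust(size, b"\x00")


def _rpath_cmd(path: str) -> bytes:
    # struct rpath_command: cmd, cmdsize, path offset (12).
    name = path.encode() + b"\x00"
    size = 12 + len(name)
    size += (-size) % 8
    return (struct.pack("<III", LC_RPATH, size, 12) + name).ljust(size, b"\x00")


def build_sample() -> bytes:
    """Constructed sample: a 64-bit x86_64 MH_EXECUTE header plus load commands, no code."""
    cmds = (
        _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib")                       # system lib
        + _rpath_cmd("@executable_path/../Frameworks")                                 # app-relative
        + _dylib_cmd(LC_LOAD_DYLIB, "@rpath/Helper.framework/Versions/A/Helper")       # hypothetical
        + _dylib_cmd(LC_LOAD_WEAK_DYLIB, "@executable_path/../Frameworks/libOptional.dylib")  # hypothetical
    )
    header = struct.pack("<IIIIIIII", 0xFEEDFACF, 0x01000007, 3, 2, 4, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    found = parse_dylib_refs(blob)
    for ref in found:
        print(f"{ref.kind:5} {'RELATIVE' if ref.relative else 'absolute':8} {ref.path}")
    print(f"{len(relative_refs(found))} of {len(found)} entries resolve relative to the binary")
```

Run it with the path to a thin Mach-O executable, or with no argument to inspect the constructed sample. Every entry it marks RELATIVE is one where the file actually loaded depends on what sits beside the application, which is exactly the part of the picture the launch-time signature check does not cover; an absolute path under /usr/lib or /System is resolved from the OS instead.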
Wardle used a specially crafted library together with an Apple binary, packed them into a DMG file, and then persuaded another researcher to run it. As soon as the DMG was launched, it located the malicious executable and ran it without the user's knowledge.
The researcher stated that all versions of OS X without exception, including OS X 10.11 El Capitan, are vulnerable to this method of attack. He has notified Apple of the vulnerability, and the company is currently developing a fix.