Mac malware gets more professional: DOK.C fakes the App Store

Until recently, most Mac malware has been decidedly amateur, and usually easy to spot with a watchful eye. Its use of well-known forged dialogs, particularly those of Adobe Flash Player installer, has often been sufficient to give it away, when you’re paying careful attention.

The abuse of developer signatures lately has been more worrying, although predictable. Provided that you as a user don’t get caught out before Apple has revoked an abused signature, Gatekeeper has been able to do its job and protect you.

Newly-detected malware, known as DOK.C, gives cause for greater concern, not because (for the moment) you are likely to encounter it, but because it fakes Apple’s App Store, as revealed by Rubio Wu of TrendMicro.

At present, DOK.C has been delivered in phishing attacks which have been targeting Swiss banks; so long as that doesn’t alter, you and I are hardly likely to receive a copy. That’s the good news: the rest is pretty bad.

DOK.C arrives as an email attachment which appears to be a Microsoft Word .docx document, or sometimes a Zipped app. If you are unfortunate enough to open that, a warning alert informs you that the document could not be opened; that appears to be generated by Microsoft Word, although it too may well be forged.

Just as you’re assuming that everything is OK after all, the malware is busy removing the App Store. As that app is protected by SIP, I presume that this exploits a vulnerability in SIP, which would be very worrying indeed.

Once the real App Store has gone, the malware presents a fake App Store screen advising OS X Updates Available. That screen appears to be quite a passable forgery of something the App Store might display, but does not. It also contains the errors that Apple would of course refer to macOS updates now, and that the App Store never displays available updates in this way.

When you click on the Update All button, the malware shows a good forgery of a password prompt. This is again potentially recognisable, as the special icon used indicates that the app asking for authentication is in fact Microsoft Word, not the App Store, and the text refers to the App Store as AppStore. These subtleties are important details which should alert users who have been foolish enough to be duped this far.

The malware then uses fake security certificates which only fool Safari, and not Firefox or Chrome, and sets to work hijacking network communications – full details are on the TrendMicro blog.

Spoofing the App Store is relatively unusual. Given the recent unpredictable behaviour of the App Store app, malware developers might be exploiting the growing difficulty that we have in knowing what is its normal behaviour. So far, DOK.C looks fairly plausible, but features some distinctive behaviours which should alert every user:

  • The bogus App Store app does not display App Store content, nor does it show any lists of apps or other personalised details.
  • It does not use the normal Updates screen to offer or install what purports to be an update.
  • The text refers to OS X, not macOS, even when running on Sierra, apparently.

The authentication dialog shown is an even better forgery, which fails less obvious details, including the icon shown, and reference to AppStore rather than App Store. This emphasises the importance of checking every dialog which requests authentication, to ensure that its icon is of the right type (an app superimposed on a padlock), and is consistent with the request being made.

There are many obvious lessons here, and no doubt malware developers will continue to learn the value of careful forgery. I will also be very interested to learn how DOK.C manages to remove the existing App Store app in the face of SIP, an issue not commented on so far. Further exploitation of that vulnerability could be of huge concern to all Mac users.