Extended attributes operate below much of the radar coverage in macOS. Although code contained in an extended attribute isn’t – I don’t believe – directly executable from there, it can easily be loaded into memory, and written out to a conventional data file.
One odd shortcoming of Gatekeeper is that code signatures, now required for almost anything which is executable on a Mac (there are exceptions and loopholes still, though), ignore everything stored in extended attributes. It’s easy to demonstrate this, as you can apply Finder tags to the executable code and other files within an app bundle, and when you next launch it, it will run perfectly normally, as if they weren’t there.
I went to extremes to test this by adding an 80 KB thumbnail image, a bunch of my own custom xattrs including another copy of that image in binary form, and some Finder tags. I also added Finder Info which claimed the code file was really a JPEG image.
The Finder even tried to display the thumbnail image, although QuickLook was seriously confused by it claiming to be a JPEG.
In spite of all that conflicting and potentially harmful payload, the app ran fine – even when I tagged it with a valid Gatekeeper quarantine flag to force a full check.
This might explain why iCloud Drive has become so fussy about the extended attributes which it preserves when used as a conduit between different Macs.
(Un)fortunately, there are easy workarounds for someone wanting to preserve their xattrs. Disk images, for instance, preserve all sorts of weird and wonderful xattrs, including all those that I tested above.
Although I don’t know of any malware which currently uses xattrs, I suspect that no anti-malware products bother to check xattrs either. Perhaps a cursory glance to see if any are unusually large, or of custom types, might be a pre-emptive move worth considering.
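As an added example, not code from the original post, here is what the "cursory glance" suggested above might look like as a triage script. It walks an app bundle, reads every xattr, and flags three things: attributes outside the com.apple.* namespace (custom types), payloads above a size threshold, and a FinderInfo record on a Mach-O file that declares a classic file type (the "executable claiming to be a JPEG" case). The 16 KiB threshold, the sample bundle paths and the constructed xattr values are assumptions for illustration; the collector shells out to macOS's `xattr` tool (`xattr file` to list names, `xattr -px name file` for a hex dump), while the rules themselves run on an in-memory inventory so they can be exercised anywhere.

```python
"""Triage extended attributes (xattrs) inside an app bundle.

Added example, not code from the original post. The collector shells out to
macOS's `xattr` tool; the triage rules run on an in-memory inventory so they
can be exercised offline with constructed data.
"""
import os
import subprocess
from dataclasses import dataclass

# Namespaces Apple's own tooling writes; anything else is treated as custom.
EXPECTED_PREFIXES = ("com.apple.",)
# Assumption for this example: payloads above 16 KiB deserve a second look.
LARGE_THRESHOLD = 16 * 1024

# Mach-O magic values: 32/64-bit thin binaries in both byte orders, plus fat.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


@dataclass(frozen=True)
class Finding:
    path: str
    name: str
    reason: str


def is_macho(path: str) -> bool:
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def finder_type_code(blob: bytes) -> str:
    """com.apple.FinderInfo is a 32-byte structure; bytes 0-3 hold the classic
    four-character file type (e.g. b'JPEG'), bytes 4-7 the creator code."""
    if len(blob) < 8:
        return ""
    return blob[:4].decode("mac_roman", errors="replace").strip("\x00 ")


def collect(bundle_path: str) -> dict:
    """macOS only: read every xattr of every file under bundle_path via `xattr`.
    Returns {path: {"is_macho": bool, "xattrs": {name: payload_bytes}}}."""
    inventory = {}
    for root, _dirs, files in os.walk(bundle_path):
        for fn in files:
            path = os.path.join(root, fn)
            names = subprocess.run(["xattr", path], capture_output=True,
                                   text=True, check=True).stdout.split()
            xattrs = {}
            for name in names:
                hexdump = subprocess.run(["xattr", "-px", name, path],
                                         capture_output=True, text=True,
                                         check=True).stdout
                xattrs[name] = bytes.fromhex(hexdump)  # whitespace is ignored
            inventory[path] = {"is_macho": is_macho(path), "xattrs": xattrs}
    return inventory


def triage(inventory: dict, threshold: int = LARGE_THRESHOLD) -> list:
    """Three cheap rules: custom namespace, oversized payload, and FinderInfo on
    a Mach-O file declaring a document type (an executable dressed as data)."""
    findings = []
    for path, info in inventory.items():
        for name, payload in info["xattrs"].items():
            if not name.startswith(EXPECTED_PREFIXES):
                findings.append(Finding(path, name, "custom namespace"))
            if len(payload) > threshold:
                findings.append(Finding(path, name, f"large payload ({len(payload)} bytes)"))
            if name == "com.apple.FinderInfo" and info["is_macho"]:
                type_code = finder_type_code(payload)
                if type_code:
                    findings.append(Finding(path, name, f"executable claims Finder type {type_code!r}"))
    return findings


# Constructed inventory mimicking the experiment in the post: a Mach-O binary
# carrying an embedded image in a custom xattr, FinderInfo claiming 'JPEG',
# and an ordinary quarantine flag; the plist has only an empty FinderInfo.
SAMPLE_INVENTORY = {
    "Example.app/Contents/MacOS/Example": {
        "is_macho": True,
        "xattrs": {
            "com.apple.quarantine": b"0083;00000000;Safari;",
            "com.apple.FinderInfo": b"JPEG" + b"\x00" * 28,
            "org.example.thumbnail": b"\xff\xd8\xff" + b"\x00" * (80 * 1024),
        },
    },
    "Example.app/Contents/Info.plist": {
        "is_macho": False,
        "xattrs": {"com.apple.FinderInfo": b"\x00" * 32},
    },
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.path}: {f.name} -> {f.reason}")
```

On a Mac, `triage(collect("/Applications/Some.app"))` runs the same rules over a real bundle. The rules are deliberately crude; their value is that they look at the one place a code signature does not, and a Finder tag on an executable will not trip them while an 80 KB custom blob or a type-code disguise will.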
None of this is novel, either. It’s actually quite ancient, and pre-dates Mac OS X: in Classic Mac OS, executable code was stored in code resources (which would now live in an xattr of type com.apple.ResourceFork), a prime target for malware developers.