Last week, Jamf Threat Labs published new research on a further variant of the increasingly active MacSync Stealer family, highlighting a growing problem in macOS security: malware that gets through Apple's primary protections for third-party applications, namely code signing, notarization and Gatekeeper.
This sample shipped inside a malicious app that carried a valid Developer ID signature and had been notarized by Apple, so Gatekeeper had no reason to block it.
Apple's security model has historically worked well. Apps distributed outside the Mac App Store must be signed and notarized so that they launch without the user having to work around Gatekeeper.
But this model assumes that the signature is evidence of good faith. What is happening now shows attackers obtaining genuine developer certificates and using them to ship malware that, at install time, is indistinguishable from a legitimate application.
According to multiple sources familiar with the matter, attackers often combine tactics, signing their malicious apps with developer certificates that were either stolen from legitimate developers or bought through illicit channels, which significantly lowers suspicion.
As Jamf's recent report shows, the first-stage executable is a small Swift binary that looks benign to Apple's static scan and does nothing malicious at that point.

The real malicious behavior begins later, when the application connects to remote infrastructure to fetch additional payloads. Because those payloads are absent at notarization time and are only retrieved in the victim's environment, the scanning tools see no malicious activity during the evaluation.
Notarization only vets what is submitted for review, not what the application may download later, and attackers are designing their schemes around that gap.
The first documented case of Apple notarizing malware dates back to 2020, and similar cases have recurred since, including one last July. Has the problem reached a serious stage? Maybe not yet. Even a single case matters from a security standpoint, but it does not mean the whole system has collapsed.
It is easy to blame Apple, but the system is working within what it was designed to do. Signing and notarization were never an absolute guarantee that an application would be safe forever; they are a way to tie the application to an identified developer whose certificate can be revoked once misuse is discovered.
This attack method is worth watching through 2026, but ultimately it reminds us that the best defense against malware is still to download apps directly from trusted developers or from the Mac App Store, and, where possible, to confirm that the signing identity matches the developer you expect.
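Since a valid, notarized Developer ID signature only proves that some enrolled developer signed the bundle, the practical check a defender can add is to pin the signing identity: confirm that the Team ID matches the vendor you expect, not merely that Gatekeeper is satisfied. The following Python is an added example, not code from Jamf or from the article. It parses the text that `codesign -dv --verbose=4` and `spctl -a -vv` print on macOS; the sample outputs, bundle identifier, vendor names and Team IDs embedded in it are constructed for illustration, and the allowlist of Team IDs is an assumption you would populate from an out-of-band source such as the vendor's website or a known-good earlier install.

```python
"""Pin the macOS signing identity instead of trusting "signed and notarized".
Added example (not Jamf's or the article's code). Parses the text printed by
`codesign -dv --verbose=4 <app>` and `spctl -a -vv <app>`. Samples are constructed."""
import re
import subprocess
import sys

# Assumption: Team IDs of vendors vetted out of band. The ID itself is made up.
ALLOWED_TEAM_IDS = {"ABCDE12345"}

KEY_VALUE_RE = re.compile(r"^(?P<key>[^=]+)=(?P<value>.*)$")


def parse_codesign(text: str) -> dict:
    """Turn codesign's key=value lines into a dict. 'Authority' repeats once per
    certificate in the chain (leaf first), so it is kept as a list."""
    info = {"Authority": []}
    for line in text.splitlines():
        m = KEY_VALUE_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def assess(codesign_text: str, spctl_text: str, allowed_team_ids) -> dict:
    """Gatekeeper acceptance and a notarization ticket are necessary but not
    sufficient: the leaf cert must be a Developer ID Application cert whose Team
    ID we vetted. A stolen or purchased certificate fails only that last check."""
    info = parse_codesign(codesign_text)
    team_id = info.get("TeamIdentifier", "")
    authorities = info["Authority"]
    lines = spctl_text.strip().splitlines()
    gatekeeper_accepted = bool(lines) and lines[0].endswith(": accepted")
    notarized = "source=Notarized Developer ID" in spctl_text

    reasons = []
    if not gatekeeper_accepted:
        reasons.append("Gatekeeper rejected the bundle (unsigned, tampered, or certificate revoked)")
    if not notarized:
        reasons.append("no Apple notarization ticket")
    if not authorities or not authorities[0].startswith("Developer ID Application:"):
        reasons.append("leaf certificate is not a Developer ID Application certificate")
    if team_id not in allowed_team_ids:
        reasons.append(f"Team ID {team_id or '<none>'} is not on the allowlist")
    return {
        "team_id": team_id,
        "leaf_authority": authorities[0] if authorities else "",
        "gatekeeper_accepted": gatekeeper_accepted,
        "notarized": notarized,
        "accepted": not reasons,
        "reasons": reasons,
    }


def collect(app_path: str):
    """On macOS, gather the real outputs. Both tools write their report to stderr."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", app_path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "-a", "-vv", app_path], capture_output=True, text=True)
    return cs.stdout + cs.stderr, sp.stdout + sp.stderr


# Constructed sample: the vendor we expect, signed with Developer ID and notarized.
GOOD_CODESIGN = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
GOOD_SPCTL = """\
/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)
"""

# Constructed sample: same app name and bundle identifier, valid signature, notarized,
# but signed under a different developer account. Only the Team ID pin catches it.
LOOKALIKE_CODESIGN = GOOD_CODESIGN.replace(
    "Example Corp (ABCDE12345)", "Example Corp Ltd (ZZ9QQ88XYZ)"
).replace("TeamIdentifier=ABCDE12345", "TeamIdentifier=ZZ9QQ88XYZ")
LOOKALIKE_SPCTL = GOOD_SPCTL.replace("Example Corp (ABCDE12345)", "Example Corp Ltd (ZZ9QQ88XYZ)")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict = assess(*collect(sys.argv[1]), ALLOWED_TEAM_IDS)
    else:
        verdict = assess(LOOKALIKE_CODESIGN, LOOKALIKE_SPCTL, ALLOWED_TEAM_IDS)
    print(verdict)
```

Run it with the path to an .app bundle on a Mac to inspect a real installation; with no arguments it evaluates the constructed look-alike, which passes Gatekeeper and carries a notarization ticket yet fails the Team ID pin. That is the situation the report describes. Note that this check constrains who may sign, not what the signed code does after launch: a first stage that passes every identity check can still pull a payload from remote infrastructure, so identity pinning complements, rather than replaces, monitoring of what the app does once it runs.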