
Security Bits — 14 August 2022

Feedback & Followups

Deep Dive 1 — Malware in the Mac App Store

News broke this week that threat actors managed to sneak malware into Mac AppStore apps using a kind of time-bomb feature where the apps were benign until after they were reviewed, and then they changed their behaviour to become malicious. All the apps affected offered real functionality, otherwise, they’d not have made it through review, but then they developed some nasty side effects. It’s not clear how this is possible, but statements from Apple imply that the apps completely changed functionality after passing review. I don’t quite understand how that would work, but I sure hope Apple figure out how to nip that behaviour in the bud!

The most high-profile app was one for managing Facebook ad buys which hijacked Facebook accounts so the attackers could run their ads on the victim’s dime. According to Apple this app was originally a document manager and passed review as such, but then transformed into an app for managing Facebook ads, and managed to become very highly rated as such on the Mac AppStore.

This suggests to me that app updates don’t get sanity checked by a human anymore, otherwise, you’d imagine the reviewer would notice the dramatic pivot and send the app off for deeper review again. That’s just a guess though.

Another researcher, Alex Kleber, reported finding seven malicious apps which had used this morphing technique to bypass the review process. Again, these apps offered legitimate functionality (mostly PDF & Word related), but accepted commands from remote servers and tried to trick users into paying for expensive subscriptions. The research was vouched for by Patrick Wardle, so it seems legitimate. These apps had a lot of downloads, so this was not a niche problem. You’ll find the list of apps in the Medium post linked below.

Perhaps the most worrying thing about all of this is that Facebook say they notified Apple about the malicious ad manager in mid-July, but Apple did not act until asked for comment by Business Insider last week. It seems the bad guys have found a weakness in Apple’s process, and they’re actively exploiting it. The best we can hope for is that Apple close the loophole down ASAP!

Assuming Apple are able to adjust their process, it’s important not to lose sight of the fact that even with these 8 malicious apps making it into the store, Apple’s walled garden remains a lot safer than the general internet!


Deep Dive 2 — The Traffic Light Protocol Gets an Update

If you work in IT in any organisation that has relationships with other organisations (i.e. if you work in just about any organisation), there will be times when sensitive information needs to be shared about some kind of cybersecurity risk or incident. In these kinds of situations, it’s important that everyone knows how widely that information should be shared. Each organisation could develop its own rules, but that would result in chaos, especially when messages need to go between organisations, so, the FIRST (the Forum of Incident Response and Security Teams) have developed a very simple standard that’s very widely used — the Traffic Light Protocol, or TLP. That protocol just moved from version 1 to version 2, so now seems like a good time to share this important piece of knowledge with the community.

Firstly, you’ll recognise emails as being under the Traffic Light Protocol because their subjects will be prefixed with TLP and a colour. As of now, there are five colours (stretching the definition a little!):

  1. TLP: CLEAR (formerly TLP: WHITE) — the information can be freely shared, even publicly
  2. TLP: GREEN — the information can be shared freely within the cyber security community, but not publicly (you can’t Tweet or blog about it!)
  3. TLP: AMBER — the information can only be shared within your organisation, including with contractors/vendors/customers
  4. TLP: AMBER+STRICT (new) — the information can only be shared within your organisation, not including contractors/vendors/customers
  5. TLP: RED — the information can only be shared between explicitly specified recipients
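To make the five labels concrete, here is an added example (not from the original post or from FIRST) of a small Python checker that reads the TLP label off an email subject and decides whether forwarding to a given audience is allowed. The scope names, the regex and the sample subjects are my own constructions; an unlabelled message is treated as TLP:RED so the check fails closed.

```python
import re

# Sharing scopes, narrowest to widest. Constructed for this example.
SCOPES = ["recipients", "organisation", "organisation+partners", "community", "public"]

# Widest scope each label permits, per the five colours described above.
# WHITE is kept only as a legacy alias for CLEAR.
TLP_LIMIT = {
    "CLEAR": "public",
    "WHITE": "public",
    "GREEN": "community",
    "AMBER": "organisation+partners",
    "AMBER+STRICT": "organisation",
    "RED": "recipients",
}

# Accepts both "TLP:AMBER+STRICT" and the spaced form "TLP: AMBER+STRICT".
_LABEL_RE = re.compile(r"^\s*TLP:\s*([A-Z]+(?:\+STRICT)?)\b", re.IGNORECASE)

def parse_tlp(subject):
    """Return the TLP label at the start of a subject line, or None if absent/unknown."""
    m = _LABEL_RE.match(subject)
    if not m:
        return None
    label = m.group(1).upper()
    return label if label in TLP_LIMIT else None

def may_share(subject, target_scope):
    """True if information under this subject's label may go to target_scope.
    Unlabelled messages are treated as TLP:RED (deny by default)."""
    label = parse_tlp(subject) or "RED"
    return SCOPES.index(target_scope) <= SCOPES.index(TLP_LIMIT[label])

def check_forward(subject, target_scope):
    """Human-readable decision, e.g. for a mail-gateway warning banner."""
    label = parse_tlp(subject) or "RED (unlabelled)"
    verdict = "allowed" if may_share(subject, target_scope) else "BLOCKED"
    return f"{verdict}: {label} -> {target_scope}"

if __name__ == "__main__":
    # Constructed sample subjects, not real advisories.
    for subj in ["TLP:AMBER Phishing campaign targeting finance",
                 "TLP: AMBER+STRICT IOCs from incident 42",
                 "TLP:GREEN Vendor advisory roundup",
                 "Re: vague heads-up"]:
        print(check_forward(subj, "organisation+partners"))
```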


❗ Action Alerts

Worthy Warnings

Notable News

Interesting Insights

Just Because it’s Cool 😎

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
