Cybersecurity researchers at Jamf have uncovered a unique and experimental malware targeting macOS users, which they believe was developed by North Korean state-sponsored hackers.
This malware, designed to appear harmless, uses Flutter—a versatile UI toolkit created by Google—to mask its true intent.
By packaging the payload inside fake applications that mimic crypto tracking tools and simple games, the malware aims to slip past antivirus detection and Apple's Gatekeeper and notarization checks.
Fake Apps Disguised as Games and Crypto Trackers
Researchers recently detected six seemingly legitimate macOS applications, such as one called “New Updates in Crypto Exchange (2024-08-28).app,” on VirusTotal, a malware analysis platform.
While these apps appeared benign on the surface, functioning as simple minesweeper games or basic crypto tracking tools, they reached out to command-and-control servers that the researchers link to North Korean threat actors.
These apps are believed to represent "stage one" malware: an initial component whose job is to establish a foothold and fetch further payloads, and which here also serves as a testing ground for how well the packaging evades detection and passes Apple's checks without triggering red flags.
Built with Google’s Flutter to Evade Detection
One unique aspect of this malware campaign is the use of Google’s Flutter, a powerful open-source UI development kit.
By using Flutter, developers can create apps for multiple platforms from a single codebase, including mobile (iOS and Android), web, and desktop environments.
Flutter apps are written in Dart, and a release build compiles that Dart into an ahead-of-time (AOT) snapshot that lives inside the app bundle's App.framework. The snapshot uses Flutter's own binary layout rather than the conventional symbols and call structure that disassemblers and antivirus engines expect, so malicious logic placed there is considerably harder to spot during static analysis.
As a result, the malicious applications initially appeared legitimate and, at the time of upload, drew no detections from the antivirus engines on VirusTotal. This let the attackers disguise the malware as routine software while keeping the harmful code buried in the compiled Dart payload.
Signed by Legitimate Apple Developer IDs, Now Revoked
In a sophisticated move, the malware was signed and notarized using genuine Apple Developer IDs. This was critical to gaining initial user trust, as it let the apps pass Gatekeeper, the macOS check that normally blocks unsigned or unnotarized software from launching. Five of the six malicious apps detected by Jamf were signed with Developer IDs that were still active at the time of analysis.
Apple has since revoked these IDs. Once a Developer ID is revoked, Gatekeeper refuses to launch apps signed with it on any Mac that can check the certificate's revocation status, which cuts off further spread of these specific builds. The revocation also shows that Apple monitors and responds to suspicious activity in its notarization pipeline.
Malware Likely Just an Experiment, Researchers Say
Despite the malicious intent, researchers believe this malware was part of a broader experiment rather than a full-scale cyberattack.
The primary goal appears to have been testing whether North Korean threat actors could successfully disguise harmful code within a Flutter-based app, obscuring it within a dynamic library (dylib) bundled with the app while still passing Apple's notarization and Gatekeeper checks.
Jamf’s analysis suggests that this campaign might be a precursor to a larger attack. By experimenting with this method, North Korean threat actors can refine their techniques for future hacking campaigns, gathering critical data on how well their malware bypasses detection and whether it can gain access to macOS devices undetected.
In their report, Jamf stated, “The malware discovered in this blog shows strong signs that it is likely testing for greater weaponization. This could perhaps be an attempt to see if a properly signed app with malicious code obscured within a dylib could get approved by Apple’s notarization server, as well as slide under the radar of antivirus vendors.”
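The points raised in the last two sections, a Flutter engine and Dart AOT snapshot inside the bundle, an extra dylib carrying the payload, and a signature that may since have been revoked, are all things an analyst can check mechanically before opening the app in a disassembler. The following triage script is an added example, not Jamf's tooling or anything from the original report. It assumes the layout Flutter's macOS build produces (Contents/Frameworks/FlutterMacOS.framework, and App.framework/App carrying the kDart*Snapshot* symbols that gen_snapshot emits), and it builds a constructed stand-in bundle so it runs offline; the codesign and spctl calls only execute when those tools exist on the host, i.e. on macOS.

```python
"""Triage a macOS .app bundle for Flutter/Dart AOT indicators, bundled
Mach-O binaries (dylibs, frameworks) and code-signing status.

Added example; not Jamf's code. Assumed conventions: Flutter's macOS build
layout and the symbol names gen_snapshot emits into App.framework/App.
"""
from __future__ import annotations

import json
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Mach-O magic numbers: 32/64-bit thin (both byte orders) and fat/universal.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}

# Symbols Flutter's gen_snapshot emits for an AOT build (assumption: these
# names are present in App.framework/App of a release Flutter macOS app).
DART_SNAPSHOT_SYMBOLS = (
    b"kDartIsolateSnapshotData",
    b"kDartIsolateSnapshotInstructions",
    b"kDartVmSnapshotData",
    b"kDartVmSnapshotInstructions",
)


def is_macho(path: Path) -> bool:
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_macho_binaries(bundle: Path) -> list[str]:
    """All Mach-O files in the bundle by magic bytes (renamed dylibs included)."""
    found = []
    for root, _dirs, files in os.walk(bundle):  # does not follow dir symlinks
        for name in files:
            p = Path(root) / name
            if not p.is_symlink() and p.is_file() and is_macho(p):
                found.append(str(p.relative_to(bundle)))
    return sorted(found)


def flutter_indicators(bundle: Path) -> dict:
    """Engine framework present? App.framework present? Which AOT symbols?"""
    frameworks = bundle / "Contents" / "Frameworks"
    app_binary = frameworks / "App.framework" / "App"
    ind = {
        "flutter_engine": (frameworks / "FlutterMacOS.framework").is_dir(),
        "app_framework": app_binary.is_file(),
        "dart_aot_symbols": [],
    }
    if ind["app_framework"]:
        data = app_binary.read_bytes()
        ind["dart_aot_symbols"] = [s.decode() for s in DART_SNAPSHOT_SYMBOLS if s in data]
    return ind


def is_flutter_bundle(bundle) -> bool:
    ind = flutter_indicators(Path(bundle))
    return ind["flutter_engine"] or bool(ind["dart_aot_symbols"])


def signing_status(bundle: Path) -> dict:
    """Run codesign/spctl where available (macOS). A revoked Developer ID makes
    codesign --verify fail and spctl report the bundle as rejected."""
    checks = {
        "codesign": ["codesign", "--verify", "--deep", "--strict", "--verbose=2", str(bundle)],
        "spctl": ["spctl", "--assess", "--type", "execute", "--verbose=4", str(bundle)],
    }
    result = {}
    for tool, argv in checks.items():
        if shutil.which(tool) is None:
            result[tool] = "unavailable (not macOS)"
            continue
        proc = subprocess.run(argv, capture_output=True, text=True)
        result[tool] = "ok" if proc.returncode == 0 else (proc.stderr.strip() or f"exit {proc.returncode}")
    return result


def triage(bundle) -> dict:
    bundle = Path(bundle)
    return {
        "flutter": flutter_indicators(bundle),
        "is_flutter": is_flutter_bundle(bundle),
        "macho_binaries": find_macho_binaries(bundle),
        "signing": signing_status(bundle),
    }


def make_sample_bundle(parent) -> Path:
    """Constructed stand-in for a Flutter macOS app (NOT a real sample): 64-bit
    Mach-O magic plus padding, and the Dart AOT symbol names inside App."""
    header = b"\xcf\xfa\xed\xfe" + b"\0" * 28
    bundle = Path(parent) / "Sample.app"
    fw = bundle / "Contents" / "Frameworks"
    (fw / "FlutterMacOS.framework").mkdir(parents=True)
    (fw / "App.framework").mkdir()
    (bundle / "Contents" / "MacOS").mkdir()
    (bundle / "Contents" / "Info.plist").write_text("<plist/>")  # not Mach-O
    (bundle / "Contents" / "MacOS" / "Sample").write_bytes(header)
    (fw / "FlutterMacOS.framework" / "FlutterMacOS").write_bytes(header)
    (fw / "App.framework" / "App").write_bytes(header + b"_" + b"\0_".join(DART_SNAPSHOT_SYMBOLS))
    (fw / "libhelper.dylib").write_bytes(header)  # the extra dylib an analyst should notice
    return bundle


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(triage(make_sample_bundle(tmp)), indent=2))
```

Point it at a real bundle with `triage("/Applications/Suspect.app")`: a Flutter engine plus an unexplained dylib in Contents/Frameworks is exactly the shape described in Jamf's findings, and on macOS the signing dictionary tells you whether the Developer ID still verifies or has been revoked.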
The Role of Flutter in Cybersecurity and Implications for macOS Users
The use of Flutter in malware development is notable, as it demonstrates how attackers can build on a legitimate, widely used framework to produce applications that look entirely genuine.
This tactic also poses challenges for antivirus and other security tools: the malicious logic is compiled into Flutter's Dart AOT snapshot, a layout that most static analysis tooling and signature-based engines do not parse, so a scanner sees a familiar framework wrapper rather than the code inside it.
For macOS users, this incident serves as a reminder to be cautious when installing applications, even those that are signed with a Developer ID and notarized by Apple.
Users are advised to install software only from trusted, official sources such as the Mac App Store or the vendor's own site, to keep Gatekeeper enabled so that revoked signatures are enforced, and to regularly update macOS and any security software to protect against evolving threats.