Attacks accessing Mac keychain without permission date back to 2011
Ars Technica 2015-09-02
On Tuesday, Ars chronicled an OS X technique that's being actively used by an underhanded piece of adware to access people's Mac keychain without permission. Now there's evidence the underlying weakness has been exploited for four years.
As documented by Twitter user @noarfromspace, the keychain-penetrating technique was carried out in 2011 by a piece of malware known as DevilRobber. The then-new threat caught the attention of security researchers because it commandeered a Mac's graphics card and CPU to perform the mathematical calculations necessary to mine Bitcoins, something that was novel at the time. Less obvious was DevilRobber's use of the AppleScript programming language to locate a window requesting permission to access the Keychain and then simulate a mouse click over the OK button.
Thomas Reed, who is director of Mac offerings at security firm Malwarebytes, said he tested the AppleScript on the current version of Apple's OS X and found it worked, as long as a user had already allowed the app running the script to control the Mac. On Monday, Reed disclosed that the same technique was being used by the Genieo adware installer to gain access to a Safari extensions list that's protected inside the Mac Keychain. Coincidentally, researchers located in Beirut independently reported the technique on Tuesday, the same day Ars chronicled Malwarebytes' findings involving Genieo.