Apple laptop

Apple security hampers detection of unwanted programs

Anyone who uses Malwarebytes software is probably familiar with the fact that, in addition to things like malware and adware, Malwarebytes detects potentially unwanted programs (PUPs). These are programs that exhibit a variety of unsavory behaviors, but that, for legal reasons, cannot be called malware.

PUP (n): a program that may include advertising, toolbars, and pop-ups that are unrelated to the software you downloaded. PUPs often come bundled with other software that you installed.

/blog/glossary/pup/

For the entire history of Malwarebytes software on iOS—the system that runs on iPhones, iPads, and iPod Touches—there have been things we would consider to be PUPs on the iOS App Store. However, due to limitations imposed by Apple, we’ve been completely unable to scan or remove PUPs from those devices (iPhones or iPads). This is simply the reality of working within Apple’s ecosystem.

On macOS, however, we’ve always been able to detect and remove PUPs. Unfortunately, we’re seeing the first signs that this is starting to change—not just for Malwarebytes, but for all security companies.

PUPs on the App Store?!

Although PUPs on Mac can be downloaded either from the App Store or the web, the question of why PUPs exist on the App Store at all is a key factor in the problem at hand. The answer is pretty simple: because Apple and Malwarebytes have different tolerance levels.

At Malwarebytes, we have a very low threshold of tolerance for PUP behaviors. We’re very aggressive in our detection of PUPs, and we have an amazing legal team that helps make that possible. It’s not always an easy stance to take, but it’s one we believe strongly in and are willing to spend resources defending.

Apple, on the other hand, is essentially in a monopoly position. It owns the hardware and the systems, and if it decides you shouldn’t run a particular program, you won’t be running that program without some significant efforts. This makes Apple far more vulnerable to lawsuits, and it has to take a more conservative approach towards PUPs.

As much as I’d like Apple to be tougher on PUPs, I understand why it can’t be as aggressive as we are.

This is not to say Apple won’t do anything about PUPs, it just needs more evidence of egregious behavior before it can act. We’ve successfully lobbied Apple in the past to get PUPs removed from the App Store, while other times we’ve been unsuccessful.

A new technology

Starting in macOS 10.15 (Catalina), Apple introduced a couple important new technologies. The first is support for system extensions. These differ from the older kernel extensions in that they are safer and easier for developers to create. Kernel extensions could fairly easily cause catastrophic crashes and other issues if a developer wrote poor kernel code.

The second technology is the EndpointSecurity framework, designed to provide support for all the things that security software used to use kernel extensions for.

These technologies are not open to everyone, however. Developers have to apply for entitlements to be allowed to use them. These entitlements are not easy to get. It took some time for us to get them here at Malwarebytes, and there are people who have a legitimate use case for these entitlements who have been rejected.

Once you have these entitlements, though, there’s a significant advantage to using system extensions in security software: once installed, and approved by the user, they are protected by macOS. This means that they become nearly impossible to remove, except by the software that installed them in the first place.

This is a really great feature for security software that may be targeted for removal by malware in order to not be detected. However, it turns out there’s a problem with this protection.

PUPs protected against removal

One of the common sub-groups of PUPs we detect are antivirus programs that show unwanted behaviors meeting certain criteria. As an example, a program that requires payment, but the antivirus engine it uses is available for free from another company, would be a likely candidate for detection.

Unfortunately, antivirus programs are also candidates for the system extension and EndpointSecurity entitlements. Anyone can apply for these entitlements, but you stand a much better chance of getting them if you are—or appear to be—a security company.

We’ve now seen a case where two different companies with a long history of making PUPs—including junk antivirus programs—have gotten these entitlements. Those programs now have a system extension, which cannot be removed by Malwarebytes or any other software.

In one case, the PUP in question is the most hated PUP by Mac IT admins and Mac tech shops everywhere, and was the subject of two separate class action lawsuits alleging fraudulent behavior.

The fallacy of Apple security

For many years, iOS has existed as a locked-down environment, incapable of being scanned for malware by any app. Antivirus software does not—and cannot—exist on iOS.

Yet iOS is not invulnerable to malware. It is unfortunately possible for an iPhone to get infected. The most famous case involves the Pegasus malware, created by NSO and used to infect journalist Jamal Khashoggi’s iPhone. Khashoggi had no way to determine that his phone was infected, and had to trust that Apple’s system was as secure as claimed. Unfortunately, this may have led to his demise.

This is a dramatic story that by no means embodies the impact of all iOS infections… but it does underscore the fact that they exist, and there’s little that anyone outside Apple can do about it. Since well-written malware shows no symptoms that the average person would be able to identify, an infected iOS device is likely to stay infected.

Apple’s new EndpointSecurity feature was touted as a more stable way for antivirus software to do its job than low-level kernel extensions. However, they are under Apple’s tight control, and this is the first concrete sign that control may push macOS in the direction of iOS.

At this point, it’s hard to say what the future of antivirus on macOS is. It’s obvious that Apple has at least some interest in supporting antivirus software, as evidenced by the creation of the EndpointSecurity framework. This is distinctly different from iOS, where such a framework does not exist.

However, it is starting to look like antivirus developers will have to play by increasingly limiting rules, and that now means not being able to protect users against certain things. Worse, Mac users will be unable to manually remove those things without contortions that the average person will find quite cumbersome.

ABOUT THE AUTHOR

Thomas Reed

Director of Mac & Mobile

Had a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.