The hackers who created the spyware found a way to hijack a macOS privacy feature known as Transparency, Consent, and Control (TCC). The trick piggybacks on apps the user has already granted permissions to.
TCC is the mechanism that stops an app before it does something privacy-sensitive, such as taking photos or recording keystrokes, and asks the user for explicit permission first. The malware's authors found a way to borrow the permissions of other apps that the user had already approved, so TCC never gets a chance to ask.
Jamf explained the bug with an example: the malware could plant its own app inside Zoom, the hugely popular videoconferencing app, and that app would secretly record what is happening on the screen. Because the malicious app effectively hooked into Zoom, which already held screen-recording permission, no prompt warning about the action would appear on the Mac user's screen, according to Jamf. So far the attackers have only been seen abusing the flaw to take screenshots, but Jamf said the same technique could be used to steal files, record audio from the microphone, or capture images with the Mac's camera.
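The abuse described above depends on a foreign executable living inside a legitimate app's bundle. Such a file is not covered by the donor app's code-signature seal, which gives a defender a cheap first-pass hunt: list every executable under a bundle's Contents/ that is neither the main executable named in Info.plist nor sealed (directly or via a sealed parent entry) in Contents/_CodeSignature/CodeResources. The script below is an added example for this article, not code from Jamf or Apple. It assumes the standard bundle layout (Info.plist with CFBundleExecutable, and CodeResources as a plist whose `files`/`files2` keys are paths relative to Contents/) and builds a constructed fixture bundle with one sealed helper, one sealed framework, and one implanted applet so it runs offline; on a real Mac, point `check_bundle` at something like `/Applications/zoom.us.app`.

```python
"""Hunt for executables inside a macOS app bundle that its signature does not seal.

Added example (not from the article's sources). A payload dropped into a donor
app's bundle to inherit its TCC permissions is not recorded in the bundle's
CodeResources seal, so unsealed executables are worth a look. The fixture built
by build_fixture() is constructed for this example.
"""
import os
import plistlib
import stat
import tempfile
from pathlib import Path


def sealed_paths(contents: Path) -> set:
    """Return the Contents-relative paths recorded in the CodeResources seal."""
    cr = contents / "_CodeSignature" / "CodeResources"
    if not cr.is_file():
        return set()
    with cr.open("rb") as f:
        plist = plistlib.load(f)
    sealed = set()
    for key in ("files", "files2"):
        sealed.update(plist.get(key, {}).keys())
    return sealed


def is_sealed(rel: str, sealed: set) -> bool:
    """A path counts as sealed if it, or any parent directory of it, is a seal
    entry (nested code such as a framework is sealed as one entry)."""
    parts = rel.split("/")
    return any("/".join(parts[:i]) in sealed for i in range(1, len(parts) + 1))


def is_executable(p: Path) -> bool:
    mode = p.stat().st_mode
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def check_bundle(bundle: str) -> list:
    """Return sorted Contents-relative paths of executables the seal does not cover.
    The main executable is skipped: the code directory hashes it directly rather
    than through CodeResources."""
    contents = Path(bundle) / "Contents"
    with (contents / "Info.plist").open("rb") as f:
        info = plistlib.load(f)
    main_exe = "MacOS/" + info["CFBundleExecutable"]
    sealed = sealed_paths(contents)
    suspects = []
    for root, _dirs, files in os.walk(contents):
        for name in files:
            p = Path(root) / name
            rel = p.relative_to(contents).as_posix()
            if rel.startswith("_CodeSignature/") or rel == main_exe:
                continue
            if is_executable(p) and not is_sealed(rel, sealed):
                suspects.append(rel)
    return sorted(suspects)


def build_fixture() -> str:
    """Constructed stand-in for a donor app: a sealed helper, a sealed framework,
    and an implanted applet bundle (MacOS/Implant.app) the seal knows nothing about."""
    root = Path(tempfile.mkdtemp()) / "Donor.app"
    contents = root / "Contents"
    (contents / "MacOS").mkdir(parents=True)
    (contents / "_CodeSignature").mkdir()
    with (contents / "Info.plist").open("wb") as f:
        plistlib.dump({"CFBundleExecutable": "Donor",
                       "CFBundleIdentifier": "example.donor"}, f)

    def exe(rel: str) -> None:
        p = contents / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"#!/bin/sh\n")
        p.chmod(0o755)

    exe("MacOS/Donor")
    exe("MacOS/helper")
    exe("Frameworks/Lib.framework/Versions/A/Lib")
    # Seal the helper and the framework the way a real signature would
    # (hash values are placeholders; only the keys matter to this check).
    seal = {"files": {},
            "files2": {"MacOS/helper": {"hash2": b"\x00" * 32},
                       "Frameworks/Lib.framework": {"cdhash": b"\x00" * 20}}}
    with (contents / "_CodeSignature" / "CodeResources").open("wb") as f:
        plistlib.dump(seal, f)
    # The implant: dropped in after signing, so absent from the seal.
    exe("MacOS/Implant.app/Contents/MacOS/applet")
    return str(root)


if __name__ == "__main__":
    print(check_bundle(build_fixture()))
```

Treat a hit as a lead, not a verdict: the authoritative check on macOS is `codesign --verify --deep --strict /path/to/App.app`, which fails for a bundle with unsealed additions, and the script above simply tells you which file to go look at.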
According to Apple, the bug is fixed in the latest version of macOS, Big Sur 11.4, which was released on Monday. Apple also said the issue only affected users who installed software from somewhere other than the Mac App Store, and repeated that the App Store is the safest place to download software.
Two other actively exploited issues (CVE-2021-30663 and CVE-2021-30665) in the WebKit browser engine, which affect Safari as well as Apple TV 4K and Apple TV HD, have also been fixed.