Mac users face critical threat from hijacked verified apps

By Craig Nash
AI-powered tech writer covering artificial intelligence, chips, and computing.

The hijacking of verified Mac apps is one of the most dangerous shifts in macOS security in years. Attackers are stealing developer signing credentials to impersonate legitimate applications, slipping past Apple's built-in protections, and a malware family called Banshee macOS Stealer has exposed an estimated 100 million Mac users worldwide to data theft.

Key Takeaways

  • Banshee macOS Stealer harvests browser credentials, cryptocurrency wallets, passwords, and personal files, putting an estimated 100 million Mac users at risk.
  • A September 2024 update borrowed the string-encryption algorithm from Apple's own XProtect engine so that the malware's internal strings no longer appear in plaintext, defeating signature-based antivirus detection.
  • It spreads through fake GitHub repositories, phishing sites posing as Chrome and Telegram download pages, and fake macOS system prompts that ask for the user's password.
  • It was originally sold for $3,000 as stealer-as-a-service on dark web forums, later reduced to $1,500.
  • Its source code leaked in November 2024; detection improved as a result, but the leak also gives other criminals a blueprint for new variants.

How hijacked verified app attacks actually work

The attack chain is deceptively simple. Attackers obtain or steal legitimate developer signing keys, the cryptographic credentials behind the Developer ID certificates Apple issues to registered developers. With those keys they can sign malicious code under a trusted developer's identity, so Banshee presents itself to macOS as a legitimately signed application. A valid signature proves only that the holder of the key signed the code, not that the code is safe, so Gatekeeper sees a correct signature from a recognised developer and lets the application run, and the other initial security gates follow its lead.

Distribution happens across multiple vectors. Fake GitHub repositories mirror popular software projects, complete with artificially inflated star counts and positive reviews to appear credible. Phishing websites impersonate the official download pages for Chrome, Telegram, and other widely used tools. Users who download from these sources receive Banshee instead of the application they expected. Once running, the malware shows a fake macOS system prompt, styled to look identical to a legitimate Apple dialog, that asks for the user's password; whatever is typed goes to Banshee, not to macOS.
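The fake password dialog is the one visible moment in this chain, and it is detectable. macOS stealers of this type commonly draw the prompt with the built-in osascript tool (an AppleScript `display dialog ... with hidden answer`, where the hidden answer is what produces a masked password field). The following detection logic is an added example and not code from the original article or from any security vendor; it runs over constructed process-execution records in the shape an EDR agent typically reports, and the process names, parents and command lines are invented.

```python
import re

# Constructed process-execution records in the shape an EDR or an
# Endpoint Security client typically reports. Invented for this example;
# not real Banshee telemetry.
SAMPLE_EVENTS = [
    {"pid": 4021, "parent": "Terminal",
     "cmd": "osascript -e 'display notification \"Build finished\" with title \"CI\"'"},
    {"pid": 4105, "parent": "Setup",
     "cmd": ("osascript -e 'display dialog \"macOS needs to access System Settings"
             "\\n\\nPlease enter your password.\" with title \"System Preferences\" "
             "with icon caution default answer \"\" with hidden answer'")},
    {"pid": 4110, "parent": "Terminal",
     "cmd": "osascript -e 'tell application \"Finder\" to get name of every file of desktop'"},
    {"pid": 4200, "parent": "Chrome Update",
     "cmd": "osascript -e 'display dialog \"Enter your password to continue\" default answer \"\" with hidden answer'"},
    {"pid": 4300, "parent": "launchd",
     "cmd": "/usr/bin/osascript /Library/Scripts/backup.scpt"},
]

# A masked text field ("with hidden answer") is how AppleScript draws a
# password box; legitimate software almost never needs osascript for that.
HIDDEN_ANSWER = re.compile(r"display dialog.*?with hidden answer", re.S)
PASSWORD_WORDS = re.compile(r"\b(password|passcode|credentials)\b", re.I)
# Parents from which an interactive osascript dialog is plausible (assumed allowlist).
TRUSTED_PARENTS = {"Terminal", "Script Editor", "launchd"}


def classify(event):
    """Return (severity, reasons) for a suspicious event, or None otherwise."""
    cmd = event["cmd"]
    if "osascript" not in cmd or not HIDDEN_ANSWER.search(cmd):
        return None
    reasons = ["osascript dialog with a masked (password-style) input field"]
    severity = "medium"
    if PASSWORD_WORDS.search(cmd):
        reasons.append("dialog text asks for a password")
        severity = "high"
    if event["parent"] not in TRUSTED_PARENTS:
        reasons.append(f"spawned by untrusted parent {event['parent']!r}")
        severity = "high"
    return severity, reasons


def scan(events):
    """Run classify() over a batch; return {pid: (severity, reasons)} for hits only."""
    return {e["pid"]: hit for e in events if (hit := classify(e)) is not None}


if __name__ == "__main__":
    for pid, (severity, reasons) in scan(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {severity.upper()} - " + "; ".join(reasons))
```

The rule deliberately keys on the masked input field rather than on the dialog text, because the wording is trivial for an attacker to change while the `with hidden answer` clause is what makes the dialog usable for password theft. Parent-process allowlisting is the part to tune per fleet.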

Once installed, Banshee collects browser credentials stored by Safari, Chrome, and Firefox, cryptocurrency wallet data, login credentials for other services, and personal files likely to contain sensitive information, then exfiltrates them to command-and-control servers as encrypted and encoded files. Because the stolen data is not readable in transit, network inspection that looks for credentials or wallet files in the clear will not catch it; the connection itself, from a newly installed application to an unfamiliar server, is the better signal.

The September 2024 evolution changed the threat landscape

Banshee’s most dangerous update arrived in September 2024, when its developers reverse-engineered Apple’s XProtect antivirus engine and copied its string-encryption algorithm. They built that routine into Banshee so that the malware’s internal strings (file paths, wallet names, command-and-control details) are stored encrypted and only decrypted in memory at runtime. This is the critical evasion step: signature-based antivirus tools look for known plaintext strings and byte patterns, and in the new build those strings are simply not present on disk. Banshee did not become cryptographically indistinguishable from Apple software; it became unrecognisable to the signatures written against its earlier versions.
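To make the evasion concrete, and to show the analyst's counter-move, here is an added example that is not code from the article or from Banshee. It emulates a binary's string table two ways, in the clear and with its strings encrypted, and runs a plain byte-signature scan over both; the single-byte XOR used as the "encryption" is an assumption for the demo and is not the algorithm Banshee took from XProtect. The same decode-then-rescan reasoning applies to the encoded exfiltration files described above. The indicator strings are constructed for the example.

```python
# Constructed plaintext indicators of the kind static signatures key on:
# paths and product names a credential stealer has to reference.
IOCS = [
    b"Library/Keychains/login.keychain-db",
    b"Google/Chrome/Default/Login Data",
    b"Exodus/exodus.wallet",
    b"with hidden answer",
]
MACHO_MAGIC = b"\xcf\xfa\xed\xfe"  # stand-in for the rest of a real binary


def xor_bytes(data: bytes, key: int) -> bytes:
    """Illustrative single-byte XOR 'string encryption'. ASSUMED for this
    demo; it is not the routine Banshee copied from XProtect."""
    return bytes(b ^ key for b in data)


def build_sample(key=None) -> bytes:
    """Emulate a binary's string table: plaintext (key=None) or encrypted."""
    strings = IOCS if key is None else [xor_bytes(s, key) for s in IOCS]
    return MACHO_MAGIC + b"\x00".join(strings) + b"\x00"


def signature_scan(blob: bytes):
    """What a plain byte-signature engine does: substring match on known strings."""
    return [s.decode() for s in IOCS if s in blob]


def recover_xor_key(blob: bytes, min_hits: int = 2):
    """Analyst countermeasure: try every single-byte key and keep the one that
    exposes the most indicators. Returns None if nothing convincing appears."""
    best_key, best_hits = None, 0
    for key in range(1, 256):
        hits = len(signature_scan(xor_bytes(blob, key)))
        if hits > best_hits:
            best_key, best_hits = key, hits
    return best_key if best_hits >= min_hits else None


def deep_scan(blob: bytes):
    """Signature scan first, then a decode-and-rescan pass for XOR-obfuscated strings."""
    hits = signature_scan(blob)
    if hits:
        return hits, "plaintext"
    key = recover_xor_key(blob)
    if key is None:
        return [], "no match"
    return signature_scan(xor_bytes(blob, key)), f"xor key 0x{key:02x}"


OLD_SAMPLE = build_sample()          # pre-September-2024 style: strings in the clear
NEW_SAMPLE = build_sample(key=0x5A)  # strings encrypted, decrypted only at runtime

if __name__ == "__main__":
    print("old sample, signature scan:", signature_scan(OLD_SAMPLE))
    print("new sample, signature scan:", signature_scan(NEW_SAMPLE))
    print("new sample, deep scan:     ", deep_scan(NEW_SAMPLE))
```

The point of the brute-force pass is not that real stealers use a one-byte key; it is that any scheme with a recoverable key lets a detector decrypt and rescan, so the durable signatures are the decryption routine itself and the runtime behaviour (keychain and browser-profile access, the password dialog), not the strings.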

This evolution represents a shift in how macOS-targeted malware operates. The update's significance is stealth: it removed the plaintext artefacts that signature scanners depend on, so existing detections stopped firing even though the malware's behaviour had not changed. Months passed between the September update and widespread detection, meaning infected machines silently exfiltrated data while appearing completely clean to standard security scans.

Apple’s security tools versus the hijacked verified app threat

macOS includes multiple layers of defense: XProtect scans files for known malware signatures, Gatekeeper verifies code signatures and developer identity (and, on current macOS, notarization for software downloaded from the internet), and the App Sandbox restricts what an application can access. These tools work well against unsigned or poorly signed malicious code. When attackers possess legitimate developer keys, however, Gatekeeper sees a valid signature from a recognised developer and allows execution. The sandbox offers little against a stealer distributed outside the Mac App Store, because sandboxing is optional for directly downloaded apps, and a fake password dialog is not a sandbox escape at all: the user hands over the credential voluntarily, and the privacy permission prompts can be socially engineered the same way. Sandbox implementation bugs are a separate, rarer route.
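Because Gatekeeper will accept any valid Developer ID signature, the check a defender can add is to pin the signer: confirm that the app you think is Telegram or Chrome is signed by that vendor's Team ID and not merely by some valid Developer ID. The example below is added here and is not code from the article or from Apple. It parses the output of `codesign -dv --verbose=4 /path/App.app` (which codesign writes to stderr, so capture with `2>&1`); the output samples are constructed, with invented app names, bundle identifiers and Team IDs, though the field names are the ones codesign prints.

```python
import re

# Constructed `codesign -dv --verbose=4` output for three bundles. Field names
# are codesign's; app names, bundle identifiers and Team IDs are invented.
GENUINE = """\
Executable=/Applications/Messenger.app/Contents/MacOS/Messenger
Identifier=com.example.messenger
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1941 flags=0x10000(runtime) hashes=51+7 location=embedded
Signature size=8994
Authority=Developer ID Application: Example Messaging Ltd (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=3 Sep 2024 at 10:12:44
TeamIdentifier=ABCDE12345
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=412
Internal requirements count=1 size=184
"""

# Validly signed, but by a lookalike developer account: Gatekeeper would accept it.
LOOKALIKE = """\
Executable=/Users/alice/Downloads/Messenger.app/Contents/MacOS/Messenger
Identifier=com.example.messenger
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1220 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8990
Authority=Developer ID Application: Examp1e Messaging Ltd (ZYXWV98765)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=21 Sep 2024 at 02:33:10
TeamIdentifier=ZYXWV98765
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=9
Internal requirements count=1 size=184
"""

# Ad-hoc signed: no certificate chain at all.
ADHOC = """\
Executable=/Users/alice/Downloads/Messenger.app/Contents/MacOS/Messenger
Identifier=com.example.messenger
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1220 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=9
Internal requirements count=0 size=12
"""

LEAF = re.compile(r"^Developer ID Application: (?P<name>.+) \((?P<team>[A-Z0-9]{10})\)$")


def parse_codesign(text: str) -> dict:
    """Turn codesign's key=value lines into a dict; Authority repeats, so it is a list."""
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def assess(codesign_output: str, expected_team: str) -> str:
    """Accept only a Developer ID chain whose Team ID is the vendor you meant to
    install. Gatekeeper alone would accept GENUINE and LOOKALIKE alike."""
    info = parse_codesign(codesign_output)
    chain = info["Authority"]
    if info.get("Signature") == "adhoc" or not chain:
        return "reject: ad-hoc or unsigned"
    leaf = LEAF.match(chain[0])
    if (leaf is None or "Developer ID Certification Authority" not in chain
            or "Apple Root CA" not in chain):
        return "reject: not a Developer ID chain"
    team = info.get("TeamIdentifier")
    if team != leaf["team"]:
        return "reject: TeamIdentifier disagrees with leaf certificate"
    if team != expected_team:
        return f"reject: signed by {leaf['name']} ({team}), expected {expected_team}"
    return f"accept: {leaf['name']} ({team})"


if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("adhoc", ADHOC)):
        print(f"{label:10} {assess(sample, 'ABCDE12345')}")
```

Two caveats. The bundle identifier is attacker-controlled (all three samples claim `com.example.messenger`), which is why the pin is on the Team ID from the certificate chain, not on the identifier. And this check only helps when the stolen or fraudulent key belongs to a different developer than the one being impersonated; if attackers hold the real vendor's own signing key, the Team ID matches and you are left with `codesign --verify --deep --strict`, `spctl --assess --type execute -vv` (which reports notarization and revocation status), and verifying where the download came from.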

The critical weakness is that Apple’s security model ultimately trusts whoever holds a developer key. Once a key is compromised, everything built on that trust collapses until Apple revokes the certificate, and revocation only happens after the abuse has been noticed. XProtect’s own encryption algorithm, now reused inside Banshee, becomes a tool for evasion rather than detection. This is not a flaw in any individual security tool but a structural limitation of code signing: verification can only confirm who signed the code, and that answer is worthless when the signer’s credentials have been stolen.

Windows users faced similar campaigns with Lumma Stealer

The same threat actors ran parallel campaigns against Windows machines using Lumma Stealer, across three separate waves. The malware families differ, but the attack methodology is consistent: fake GitHub repositories, phishing portals, and stolen signing credentials as the primary distribution vectors. Maintaining simultaneous campaigns against both major desktop operating systems points to an organized criminal operation with real resources behind it.

What happened after the source code leaked

In November 2024, Banshee’s source code leaked onto online forums and dark web marketplaces. Counterintuitively, the leak improved antivirus detection: security researchers could analyze the actual code and write more precise signatures. It also created a dangerous secondary risk, because other threat actors can study the code, modify it, and produce new variants that bypass existing detections. The source code is now a blueprint for future malware development.

FAQ

How can I tell if my Mac has been infected with Banshee?

Banshee is designed to operate silently without obvious system symptoms. Standard antivirus scans may miss it if your definitions have not been updated since late 2024. Watch for unexpected password changes, unauthorized access to cryptocurrency wallets, or suspicious login alerts from online services. A password prompt that appears while a freshly downloaded app is running, and that is not tied to an action you started in System Settings or an installer, should be treated as a phishing attempt. If you downloaded software from GitHub or unofficial sources recently, assume potential exposure and change all passwords immediately.

Should I disable code signing verification on my Mac?

No. Code signing verification exists for exactly this reason: to prevent unsigned or maliciously signed code from running. Disabling it would expose your system to far more threats. Instead, download software only from official sources: the Mac App Store, the vendor's own website, or GitHub repositories with a long history, known maintainers, and releases you can cross-check against the project's official site.

Does antivirus software protect against hijacked verified app attacks?

Modern antivirus tools help, especially those updated after November 2024 when Banshee’s source code leaked and improved detection became possible. However, antivirus is not foolproof—it relies on known signatures and behavioral analysis. The best defense remains user vigilance: verify download sources, watch for fake system prompts asking for passwords, and keep your operating system fully updated.

The Banshee threat demonstrates that Apple’s security model, while strong, depends critically on the integrity of developer credentials. For users, this means trusting official distribution channels and remaining skeptical of any software download, no matter how legitimate it appears. For Apple, it signals the need for additional security layers beyond code signing verification—perhaps hardware-backed developer authentication or stricter controls over who can obtain signing keys. Until that changes, Mac users remain in a vulnerable position where verified apps are only as trustworthy as the developers who sign them.

This article was written with AI assistance and editorially reviewed.

Source: Tom's Guide
