Patrick Wardle, director of research at security firm Synack, said the bypass stems from a key shortcoming in the design of Gatekeeper rather than a defect in the way it operates. Gatekeeper’s sole function is to check the digital certificate of a downloaded app before it’s installed to see whether it’s signed by an Apple-recognized developer or originated from the official Apple App Store. It was never set up to prevent apps already trusted by OS X from running in unintended or malicious ways, which is exactly what the proof-of-concept exploit he developed does.
[…]
Wardle has found a widely available binary that’s already signed by Apple. Once executed, the file runs a separate app located in the same folder as the first one. At the request of Apple officials, he and Ars have agreed to withhold the names of the two files, and instead will refer to them only as Binary A and Binary B. His exploit works by renaming Binary A and making no other changes to it. He then packages it inside an Apple disk image. Because the renamed Binary A is a known file signed by Apple, it will immediately be approved by Gatekeeper and be executed by OS X.
From there, Binary A will look for Binary B located in the same folder, which in this case is the downloaded disk image. Since Gatekeeper checks only the original file an end user clicks on, Wardle’s exploit swaps out the legitimate Binary B with a malicious one and bundles it in the same disk image under the same file name. Binary B needs no digital certificate to run, so it can install anything the attacker wants.
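As an added defensive illustration (not from the article or from Wardle’s research), the following Python audits every Mach-O executable inside a mounted disk image rather than only the file the user clicks, which is the gap the bypass relies on. It assumes macOS’s codesign tool for the real signature check; the sample image and the stand-in verifier in sample_audit are constructed for the demonstration.

```python
import os
import subprocess
import tempfile

# Mach-O magic values: thin 32/64-bit in both byte orders, plus fat/universal.
# 0xCAFEBABE is also the Java class-file magic; that false positive only costs
# one extra signature check, which is acceptable for an audit.
MACH_O_MAGIC = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat
)

def is_mach_o(path: str) -> bool:
    """True if the file starts with a Mach-O magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACH_O_MAGIC
    except OSError:
        return False

def find_executables(root: str) -> list:
    """Every Mach-O file under root (e.g. a mounted .dmg), not just the top-level app."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and is_mach_o(path):
                found.append(path)
    return sorted(found)

def codesign_ok(path: str) -> bool:
    """Real check (macOS only): codesign exits 0 only for a valid signature."""
    proc = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                          capture_output=True)
    return proc.returncode == 0

def unsigned_executables(root: str, verify=codesign_ok) -> list:
    """Names of executables in the image that fail verification: the Binary B slot."""
    return [os.path.basename(p) for p in find_executables(root) if not verify(p)]

def sample_audit() -> list:
    """Constructed stand-in for the article's disk image: 'BinaryA' is treated as
    Apple-signed, 'BinaryB' beside it is not, and a README is not an executable."""
    root = tempfile.mkdtemp()
    for name, head in (("BinaryA", b"\xcf\xfa\xed\xfe"), ("BinaryB", b"\xcf\xfa\xed\xfe"),
                       ("README", b"text")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(head + b"\x00" * 12)
    return unsigned_executables(root, verify=lambda p: p.endswith("BinaryA"))
```

On a real image, run unsigned_executables against the mount point with the default codesign verifier; any name it returns is an executable Gatekeeper would never have assessed.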
This modified Trojan horse software still needs to be downloaded or copied, and then launched by the user. “This is merely a Gatekeeper bypass,” Wardle notes, although there are many ways in which less-sophisticated users are fooled into running software of uncertain origin. Much free and trial software found on download sites is repackaged with adware and other untrustworthy software.
But Wardle also notes that because this affects third-party signed apps, downloads made over unencrypted connections could be intercepted and replaced with malware by anyone able to insert themselves into the network connection. This could include criminals and governments.