Apple isn't sharing malware definitions with third-party antivirus firms, new analysis suggests

By Roger Fingas

A fresh look at malware intended to spy on people in the Middle East indicates that Apple isn't sharing definitions of existing threats with third-party antivirus (AV) companies, at least not consistently.

In publishing an analysis of "Meeting_Agenda.zip," a file containing the malware, Mac security specialist Patrick Wardle noted that only two antivirus providers, Kaspersky and ZoneAlarm, properly flagged it. Searching VirusTotal, a file-scanning site commonly used by security professionals, for related files, Wardle uncovered four more: three were detected by no AV engine at all, and the last was caught by just two.

"The fact that the signing certificate(s) of all the samples are revoked (CSSMERR_TP_CERT_REVOKED) means that Apple knows about this certificate... and thus surely this malware as well...yet the majority of the samples (3, of 4) are detected by zero anti-virus engines on VirusTotal," Wardle wrote.

The implication is that Apple isn't sharing threat data with AV vendors in line with standard industry practice. macOS has had its own built-in anti-malware defenses since an update to 2009's Snow Leopard, but providing definitions to third parties raises the odds of detecting and removing malicious code before it can spread.

Ars Technica noted that the malware Wardle analyzed is effectively neutered: even if a Mac is infected, the command-and-control servers the software tries to reach are no longer online. When it was active, it would attempt to bypass macOS defenses to steal documents or screenshots on behalf of a group known as Windshift.