MacSync Stealer Malware on macOS Uses Fake Certificates and Chat App Impersonation to Steal Passwords


Thursday, December 25, 2025

A new macOS malware strain known as MacSync Stealer has been found masquerading as the installer for a chat application called zk-call. The installer is code-signed and notarized by Apple under a fraudulent Developer Team ID, so Gatekeeper treats it as trusted software and shows no warning when it is opened. To make the package look more credible, the attackers also bundled an unusually large and unnecessary PDF inside the installer, inflating its size to that of a professional-grade application.

When the installer file zk-call-messenger-installer-3.9.2-lts.dmg is opened, embedded scripts run silently in the background. Rather than acting immediately, the malware deliberately delays its malicious activity to reduce the chance of detection. It writes a log file named UserSyncWorker.log to record its execution status, and if that record shows it has already run within the last 3,600 seconds (one hour), it performs no further actions. This throttling keeps the volume of abnormal behaviour low enough that it is less likely to trigger security alerts.

The primary target of MacSync Stealer is the login.keychain-db file, the login keychain in which macOS stores the user's saved passwords and other credentials. The malware displays a fake system prompt asking the user to enter their macOS password, which it needs to unlock the keychain, then exfiltrates the stored credentials. Apple has since revoked the malicious certificates, but the incident shows that notarization alone does not guarantee safety: it confirms that Apple's automated scan found nothing and that a Developer ID certificate signed the binary, not that the developer is who they claim to be. Users are strongly advised to exercise caution when downloading and installing software from unfamiliar sources, even when macOS displays no security warning.
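The practical check this case calls for is to look at who actually signed an installer rather than relying on Gatekeeper staying silent: compare the Team ID in the signature against the one the vendor publishes, and confirm the bundle is still accepted and notarized (a revoked certificate, as in this case, flips the verdict). The script below is an added example, not code from the article or from the malware; it parses the text that macOS's `codesign -dv --verbose=4` and `spctl -a -vv -t install` print. The sample outputs embedded in it are constructed, and the Team ID ABCDE12345 is a placeholder, not the real zk-call signer.

```shell
#!/bin/sh
# Added example (not from the article): verify a macOS installer's signer yourself.
# Parses `codesign -dv --verbose=4` (stderr) and `spctl -a -vv -t install` output.
# Sample outputs below are constructed; Team ID ABCDE12345 is a placeholder.

# Constructed sample: what codesign prints for a Developer ID-signed app bundle.
SAMPLE_CODESIGN='Executable=/Volumes/zk-call/zk-call.app/Contents/MacOS/zk-call
Identifier=com.example.zkcall
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Dev (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=42'

# Constructed sample: spctl verdict while the signature is valid and notarized.
SAMPLE_SPCTL='/Volumes/zk-call/zk-call.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Dev (ABCDE12345)'

# Constructed sample: spctl verdict after Apple revokes the signing certificate.
SAMPLE_SPCTL_REVOKED='/Volumes/zk-call/zk-call.app: rejected
source=no usable signature'

# Print the TeamIdentifier= value from codesign output (empty if unsigned/ad hoc).
extract_team_id() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Print the source= value from spctl output; "Notarized Developer ID" is the
# value Gatekeeper treats as trusted.
extract_spctl_source() {
    printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1
}

# Trust only if: Gatekeeper accepts the signature, the source is notarized,
# and the Team ID equals the one the vendor publishes (expected_team).
# Prints one verdict line; returns 0 only when all three checks pass.
assess_signature() {
    codesign_out=$1; spctl_out=$2; expected_team=$3
    team=$(extract_team_id "$codesign_out")
    src=$(extract_spctl_source "$spctl_out")
    if ! printf '%s\n' "$spctl_out" | grep -q ': accepted$'; then
        printf 'REJECT: Gatekeeper did not accept the signature (source=%s)\n' "$src"
        return 1
    fi
    if [ "$src" != "Notarized Developer ID" ]; then
        printf 'REJECT: not notarized (source=%s)\n' "$src"
        return 1
    fi
    if [ -z "$team" ] || [ "$team" != "$expected_team" ]; then
        printf 'REJECT: Team ID %s does not match expected %s\n' "${team:-<none>}" "$expected_team"
        return 1
    fi
    printf 'OK: notarized, signed by Team ID %s\n' "$team"
    return 0
}

# On macOS, run the real tools against a mounted .app or .pkg and assess it.
inspect_installer() {
    target=$1; expected_team=$2
    cs=$(codesign -dv --verbose=4 "$target" 2>&1)
    sp=$(spctl -a -vv -t install "$target" 2>&1)
    assess_signature "$cs" "$sp" "$expected_team"
}

# Usage on a Mac: sh verify_signer.sh /Volumes/zk-call/zk-call.app <vendor Team ID>
if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
    inspect_installer "$1" "${2:-}"
fi
```

The expected Team ID has to come from somewhere other than the installer itself (the vendor's website, a previous legitimate download, or the App Store listing); a signature that merely chains to Apple's Developer ID root proves only that someone paid for a developer account, which is exactly what the MacSync operators did.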

Source https://hackread.com/macsync-stealer-mac-app-saved-passwords/