Security researcher Patrick Wardle looked closely at how macOS users can be targeted remotely through document handlers and custom URL schemes, the mechanism behind the "Do you want to allow" popup in the screenshot above.
Wardle explains how an APT could exploit custom URL schemes to remotely infect macOS targets
In macOS, applications can "advertise" that they support (or "handle") various document types and custom URL schemes. Conceptually, it is an application saying, "When the user tries to open a document of type foo or bar, I'll handle it!"
You have certainly encountered this on macOS. For example, when you double-click a .pdf document, Preview.app is launched to handle the document. In the browser, when you click a link to an application on the Mac App Store, App Store.app is invoked to handle that request.
Wardle drills down into how these schemes are set up from a development perspective, and then considers how to target Mac users remotely using custom URL schemes.
Since Apple permits the automatic downloading and decompression of "safe" files, a user who visits a malicious website has a .zip file downloaded automatically. This zip contains the malicious application in question. From there a custom URL scheme is registered:
When the target visits the malicious website, the download of the archive (.zip) begins and it is stored on the file system. If the user is browsing with Safari, Apple considers it prudent to open "safe" files automatically, so the archive is unpacked without any user action. This fact is the most important one, because it means that a malicious application (previously contained only in a compressed zip archive) now exists on the user's file system.
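As an added example (not code from Wardle's write-up), the following Python script shows the Info.plist declaration through which an application advertises a custom URL scheme, and gives a defender a way to enumerate such handlers on a machine; the bundle identifier, scheme names and the `url_schemes`/`scan_apps` function names are constructed for illustration.

```python
"""Enumerate the custom URL schemes that .app bundles advertise (added example).
Apps declare the schemes they handle in Info.plist under CFBundleURLTypes/CFBundleURLSchemes;
Launch Services registers them once the bundle is on disk, which the zip-delivery step relies on."""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Constructed sample Info.plist (placeholder bundle id and schemes, not from
# any real application), shaped like a genuine one.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sampleapp</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>Sample URL</string>
      <key>CFBundleURLSchemes</key>
      <array><string>SampleApp</string><string>sampleapp-v2</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

def url_schemes(info_plist: bytes) -> dict:
    """Map the bundle identifier in one Info.plist to its declared schemes."""
    info = plistlib.loads(info_plist)
    bundle_id = info.get("CFBundleIdentifier", "<no CFBundleIdentifier>")
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        # Scheme names are case-insensitive, so normalise before comparing.
        schemes.update(s.lower() for s in url_type.get("CFBundleURLSchemes", []))
    return {bundle_id: sorted(schemes)}

def scan_apps(root: Path) -> dict:
    """Collect declared URL schemes from every *.app directly under root."""
    found = {}
    for plist in root.glob("*.app/Contents/Info.plist"):
        try:
            found.update(url_schemes(plist.read_bytes()))
        except (plistlib.InvalidFileException, ExpatError, ValueError):
            continue  # malformed plist: skip it rather than abort the audit
    return found

if __name__ == "__main__":
    print(url_schemes(SAMPLE_INFO_PLIST))  # {'com.example.sampleapp': ['sampleapp', 'sampleapp-v2']}
    for app_dir in (Path("/Applications"), Path.home() / "Downloads"):
        for bundle, schemes in scan_apps(app_dir).items():
            print(f"{bundle}: {', '.join(schemes)}")
```

Running it over ~/Downloads as well as /Applications is the point: an app that arrived via an auto-unpacked archive registers its scheme from wherever it landed. The automatic unpacking itself is Safari's "Open 'safe' files after downloading" preference (`defaults read com.apple.Safari AutoOpenSafeDownloads`), and turning it off removes that step from the chain.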