No operating system is immune to threats. It may be a surprise to some, but we are used to seeing malware on macOS. However, the majority of samples observed in the wild have managed to bypass Apple’s device protections either through the use of social engineering techniques or the exploitation of vulnerabilities in applications already installed on the device.
What is unique about the situation with 3CXDesktopApp, the app by company 3CX which claims its products are used by more than 600,000 companies, is that the developer’s build process was compromised and produced signed code containing malicious components, thus allowing the malware to masquerade as a legitimate app and to be distributed as part of the typical app update process, putting all current customers at risk. The trust gained by appearing as the legitimate app was so convincing that some 3CX forum posts suggested the alerts from various endpoint security products were false positives.
Jamf’s own analysis shows macOS clients communicating with infrastructure associated with the malware attack. We are advising our customers to immediately remove impacted apps, ensure new installations are blocked and immediately implement blocks on outbound connections to the known-bad domains.