North Korean threat actors target Apple macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID.
This means the malicious apps passed Apple's security checks, even if only temporarily, so macOS treats them as verified and lets them run without restrictions.
The app names are centered on cryptocurrency themes, which aligns with North Korean hackers' interest in financial theft.
According to Jamf Threat Labs, which discovered the activity, the campaign looks more like an experiment in bypassing macOS security than a fully fledged, highly targeted operation.
Starting in November 2024, Jamf discovered multiple apps on VirusTotal that appeared completely innocuous to all AV scans yet showcased "stage one" functionality, connecting to servers associated with North Korean actors.
All apps were built for macOS using Google's Flutter framework, which enables developers to create natively compiled apps for different operating systems using a single codebase written in the Dart programming language.