Apple’s Automated Notarization Approves Malware For MacOS, Accidentally

Image source: Apple Inc.

Security researchers have found an active malware attacking MacOS users, and interestingly, the malware was fully notarized by Apple.

The malware was disguised as an update for Adobe Flash Player to run on MacOS.

The Malware, according to security researcher, Patrick Wardle, contained code used by a well-known malware called Shlayer.

Shlayer is a trojan downloader that spreads through fake applications. It bombard users with an influx of adware.

Shlayer also works by intercepting web traffic, and replacing ads with its own, fraudulently making money for its operators.

In a report by Apple Insider, Peter Dantini noticed that a Flash installer adware campaign featured malicious code that was notarized by Apple.

The effect of that notarization is that the installer wouldn’t be blocked by the built-in Gatekeeper security function. If a user clicked on it, the installer would simply run and deliver its payload on a system.

Peter Dantini, a college student, discovered the notarized version of Shlayer while navigating to the homepage of the popular open source Mac development tool Homebrew.

Peter had accidentally typed a web address different from the one he intended, and he was redirected to a number of fake Adobe Flash update page.

After intentionally downloading the malware, MacOS gave the standard warning, but did not block the program from running. He then forwarded the information to Apple’s Patrick Wardle.

According to the cybersecurity and antivirus company, Kaspersky, Shlayer is the most common threat faced by MacOS users.

Apple noted that malware constantly changes, so it is likely that bad actors will again submit malicious payloads to Apple’s notarization process.
Apple, however, revoked the malwares’s notarization, and disabled the developer’s account.

“Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allow us to respond quickly when it’s discovered.”

In a continued statement to TechCrunch, Patrick Wardle said:

“Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”

In a move to prevent adware and ransomware, Apple started a process of “notarizing” all macOS applications, a vetting process designed to weed out illegitimate or malicious apps.

The notarization is also extended to software distributed outside of the Mac App Store, or users wouldn’t be able to run them without special workarounds.

Leave A Reply

Please enter your comment!
Please enter your name here