This dangerous Mac malware was "approved" by Apple: What to Do [Update]

Updated with comments from Apple.

According to one well-known researcher, Apple has inadvertently "notarized" Mac malware, allowing it to bypass Apple's built-in defenses.

Apple's software notarization is an automated screening process intended to detect malware. Anything suspicious is rejected; anything that passes can be installed on a Mac running macOS 10.15 Catalina or 11.0 Big Sur, and the built-in Gatekeeper program will let it run.

However, Mac security researcher Patrick Wardle said in a blog post yesterday (August 30) that the well-known Shlayer adware Trojan has now evolved to carry Apple's notarization stamp. This means that the latest Macs can install it and, even worse, tell Mac users that Apple has inspected and approved it.

"In Apple's own words, the notary stamp is intended to 'give users confidence that [the software] has been checked for malicious components by Apple,'" Wardle wrote.

"Unfortunately, a system that promises trust but fails to deliver may ultimately put users at greater risk. Mac users are more likely to fully trust any notarized software if they believe Apple's claims."

To protect yourself from Shlayer and other forms of Mac malware (there are more than you think), download and run one of the best Mac antivirus programs. Tom's Guide has reached out to Apple for comment and will update this article as soon as possible.

A variant of Shlayer, served by a fake Mac developer site, was allowed through by Gatekeeper when Dantini tried to install it on his Mac.

Shlayer pretends to be an update to Adobe Flash, but when installed, it displays a large number of ads, changes the search engine of the web browser, and downloads more programs. Kaspersky estimates that one in ten Macs worldwide encountered Shlayer in 2019.

Typically, when attempting to install an unauthorized application on Catalina, Gatekeeper pops up a window that says, "The app cannot be opened because the developer cannot be verified." The only options are to cancel the installation or move the installer file to the Trash. (Another variant of Shlayer had already found a way around Gatekeeper.)
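Gatekeeper's verdict on a given app can be inspected from the command line. The following script is an added example, not code from the article or from Wardle's post: it classifies the output of `spctl --assess --type execute -vv` into notarized, signed-only, revoked or rejected, so a defender can tell "accepted because notarized" apart from "rejected because the developer certificate was later revoked". The `spctl` output format and the revoked-certificate `source=` line are assumptions based on typical macOS output, and the sample outputs are constructed, not captured from a real Shlayer sample.

```shell
#!/bin/sh
# Added example: classify a Gatekeeper assessment (not part of the original article).
# gatekeeper_verdict reads `spctl --assess --type execute -vv` output on stdin and prints:
#   NOTARIZED   accepted, and the source line says Apple notarized it
#   SIGNED_ONLY accepted on a Developer ID signature alone (not notarized)
#   REVOKED     rejected because the signing certificate has been revoked
#   REJECTED    rejected for any other reason (unsigned, unnotarized, ...)
gatekeeper_verdict() {
  status="" ; source=""
  while IFS= read -r line; do
    case "$line" in
      *": accepted"*) status=accepted ;;
      *": rejected"*) status=rejected ;;
      source=*)       source=${line#source=} ;;
    esac
  done
  case "$status:$source" in
    accepted:"Notarized Developer ID") echo NOTARIZED ;;
    accepted:*)                        echo SIGNED_ONLY ;;
    rejected:*REVOKED*)                echo REVOKED ;;
    *)                                 echo REJECTED ;;
  esac
}

# On macOS, assess a real bundle; spctl writes the verdict to stderr, hence 2>&1.
# (spctl does not exist on other platforms, so this is only a wrapper.)
assess_app() {
  spctl --assess --type execute -vv "$1" 2>&1 | gatekeeper_verdict
}

# Constructed sample outputs for offline demonstration (assumed format).
SAMPLE_NOTARIZED='/Applications/Good.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_UNNOTARIZED='/Applications/Old.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_REVOKED='/Volumes/Install/FlashPlayer.app: rejected (the code contains a certificate that has been revoked)
source=CSSMERR_TP_CERT_REVOKED'

# Stand-alone demo: prints NOTARIZED, REJECTED, REVOKED (one per line).
for s in "$SAMPLE_NOTARIZED" "$SAMPLE_UNNOTARIZED" "$SAMPLE_REVOKED"; do
  printf '%s\n' "$s" | gatekeeper_verdict
done
```

A "REVOKED" verdict on a previously accepted installer is the signal to look for after Apple pulls a developer certificate, as it did here.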

This was not the case with this version of Shlayer. Dantini examined the code and found that it had been approved by Apple's notarization process at least twice.

"What does this mean?" Wardle writes. "These malicious payloads were submitted to Apple prior to distribution. Apple scanned them, detected their apparent lack of malicious intent, and (inadvertently) notarized them.

"Once notarized, these malicious payloads were also able to run on macOS Big Sur. Again, because of their notarized status, users will (presumably) have full confidence in these malicious samples."

On Friday, Wardle reported the notarized malware to Apple, which immediately revoked the developer's certificate. However, on Sunday Wardle saw that the campaign was still running with a new developer ID and a new Apple stamp of approval.

"Clearly, in the never-ending cat-and-mouse game between the attacker and Apple, the attacker is now (still) winning," Wardle concluded.

How did the bad guys do this? It is not clear, but it appears that they simply submitted their malware through Apple's automated notarization system and got past whatever checks it applies.

"No one understands exactly how notarization works, and Apple is reluctant to share details," Malwarebytes security expert Thomas Reed wrote in a blog post today (August 31).

"I have personally notarized software quite a few times at this point, and it usually takes no more than a few minutes from submission to receiving an email confirming successful notarization," he added.

"In other words, there is definitely no human intervention, as the App Store reviews suggest. Whatever it is, it is completely automated."

Reed looked at the old Shlayer code and the new Shlayer code notarized by Apple and found no significant differences between the two.

"This leaves us facing two different possibilities, neither of which is particularly appealing," he wrote.

"Either Apple was able to detect Shlayer as part of the notarization process and breaking that detection was trivial, or Apple had nothing in its notarization process to detect Shlayer."

Apple responded to our inquiry in full this way:

"Malicious software changes constantly, and Apple's notarization system helps keep malware off of Macs and responds quickly when it is detected. Upon learning of the presence of this adware, we disabled the identified variants, disabled the developer accounts, and revoked the associated certificates. We thank the researchers for their help in keeping our users safe."

We also learned that the Apple developer ID used by the malware yesterday has now been revoked.
