A well-known researcher says Apple has “notarized” a notorious piece of Mac malware, letting it sail right past Apple’s built-in defenses.
According to Wired, the Apple notary service is an automated system on recent macOS versions that scans software (ranging from macOS apps, kernel extensions, disk images and installer packages) for malicious content and checks for code-signing issues. Then, when a macOS user installs the software, Apple’s Gatekeeper security feature notifies them about whether any malicious code was detected before they open it.
Security researchers Peter Dantini and Patrick Wardle recently discovered that Apple inadvertently notarized malicious payloads that were utilized in a recent adware campaign, as the well-known Shlayer adware Trojan has now evolved to include an Apple notarization stamp. This means a modern Mac can install it, and worse, lets Mac users know that Apple has inspected it and approved it.
“Unfortunately a system that promises trust, yet fails to deliver, may ultimately put users at more risk,” said Wardle in an analysis. “How so? If Mac users buy into Apple’s claims, they are likely to fully trust any and all notarized software. This is extremely problematic as known malicious software (such as OSX.Shlayer) is already (trivially?) gaining such notarization.”
Shlayer pretends to be an Adobe Flash update, but if you install it, it pops up a tons of ads, changes your web browser’s search engine and downloads more programs. It’s the most common serious threat that Mac users currently face — Kaspersky estimates that one out of every 10 Macs worldwide encountered Shlayer in 2019.
“What does this mean?” Wardle wrote. “These malicious payloads were submitted to Apple, prior to distribution. Apple scanned and apparently detecting no malice, (inadvertently) notarized them.
“Now notarized, these malicious payloads are allowed to run … even on macOS Big Sur. Again, due to their notarization status, users will (quite likely), fully trust these malicious samples.”
On Friday, Wardle reported the notarized malware to Apple, which quickly revoked the developers’ certificates, and Gatekeeper no longer allowed their installation. Soon after that, however, the same group of attackers somehow released a new, notarized package — which Apple confirmed has been banned as well.
“Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allows us to respond quickly when it’s discovered,” Apple said in a statement. “Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”