Apple approved nasty Shlayer malware that mimicked Adobe Flash Player update for macOS.
Security researcher Patrick Wardle reports that Apple inadvertently notarized macOS software carrying Shlayer, the trojan downloader Kaspersky ranked as the top threat to Macs in 2019. Shlayer spreads through fake applications and bogus updates (in this campaign, a counterfeit Adobe Flash Player installer) and floods the infected machine with adware.
macOS has a reputation for being more secure than Windows, but the number of malware campaigns targeting it has grown considerably in recent years, which is what pushed Apple to require notarization.
Apple introduced notarization with macOS 10.14 (Mojave) and made it mandatory in macOS 10.15 (Catalina): software distributed outside the App Store must be signed with a Developer ID certificate and submitted to Apple, whose automated service scans it for malicious content and code-signing problems before issuing a notarization ticket. Gatekeeper checks for that ticket the first time a downloaded app is opened.
Notarization clearly does not catch everything, much as Google Play Protect periodically lets malware through on the Play Store. The difference is that Gatekeeper refuses to run non-notarized software by default, so a notarization ticket carries real weight with users; Wardle argues the scheme was a promising idea that has not lived up to its promise.
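The practical check behind the paragraphs above is Gatekeeper's own assessment of an app: `spctl --assess --type exec -vv <app>` prints a verdict and a `source=` line naming the policy that produced it, and once Apple revokes a notarization ticket the same command flips from accepted to rejected. The script below is an added example, not code from the article, from Apple or from Patrick Wardle; it parses that output into a one-word status so it can be run over every bundle in /Applications. The function names, the app paths and the team ID in the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Gatekeeper assessment of a macOS app bundle.
# classify_assessment reads spctl output on stdin and prints one word:
#   notarized   - accepted with a notarization ticket (source=Notarized Developer ID)
#   signed-only - accepted on a Developer ID signature alone, no ticket
#   rejected    - Gatekeeper refused it (unsigned, unnotarized, or ticket/cert revoked)
#   unknown     - output did not match the expected shape
classify_assessment() {
    verdict=""
    source=""
    while IFS= read -r line; do
        case "$line" in
            *": accepted"*) verdict=accepted ;;
            *": rejected"*) verdict=rejected ;;
            source=*) source=${line#source=} ;;
        esac
    done
    case "$verdict:$source" in
        accepted:Notarized*) echo notarized ;;
        accepted:*)          echo signed-only ;;
        rejected:*)          echo rejected ;;
        *)                   echo unknown ;;
    esac
}

# assess_app runs the real check on macOS and classifies the result.
# Assumed usage (hypothetical path): assess_app /Applications/Example.app
assess_app() {
    app=$1
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available (not macOS)" >&2
        return 2
    fi
    # spctl writes part of its report to stderr; merge the streams so the parser sees all of it.
    spctl --assess --type exec -vv "$app" 2>&1 | classify_assessment
}

# assess_all_apps prints "<status> <path>" for every bundle in a directory
# (defaults to /Applications), so revoked or never-notarized apps stand out.
assess_all_apps() {
    dir=${1:-/Applications}
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        echo "$(assess_app "$app") $app"
    done
}

# Gatekeeper only evaluates files that still carry the quarantine attribute
# set by the browser or installer that downloaded them; check it with:
#   xattr -p com.apple.quarantine /path/to/download
```

The assessment is a point-in-time answer from Apple's policy database, so re-running it after a revocation like the one described in this article is the quickest way to confirm that a previously "notarized" installer is now blocked.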
“With the goal of stymieing the influx of malicious code targeting macOS, notarization seemed like a promising idea. Sadly, not all promises are kept,” Wardle said in a blog post.
According to Wardle, who has worked at the NSA and NASA, Apple mistakenly notarized OSX.Shlayer, malware whose primary purpose is to download and install adware while evading macOS security mechanisms.
Wardle further noted that the attackers submitted several malicious payloads to Apple's notarization service before distributing them to macOS users. Apple's scan found nothing objectionable and notarized them.
Surprisingly, the notarized payloads ran not only on Catalina but on macOS 11 Big Sur (then in beta) as well. This is the first time attackers have successfully abused Apple's notarization process, Wardle claims.
Adware campaigns are less destructive than other malware, but they are still dangerous. Security researcher Thomas Reed of Malwarebytes writes that PUPs and adware campaigns are far more invasive, and a far greater threat to Macs, than any other kind of malware.
That’s because these can “intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely,” explained Reed.
Wardle cautions users not to treat notarization as a guarantee that software is safe. He reported his findings to Apple, which revoked the developer certificates and rescinded the notarization tickets so that Gatekeeper now refuses to run the malicious payloads.
Worse still for Apple users, the campaign remained active and was serving new payloads that ran on Big Sur as late as August 30th, 2020. Apple released a statement addressing the issue that read:
“Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allows us to respond quickly when it’s discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates.”