Oh, no! Apple accidentally approved malware to run on macOS.
Mac users can install apps from the App Store or directly from the internet, and software from the internet is where the malware risk lies. To protect users, Apple introduced a vetting process for software distributed outside the App Store, which it calls notarization.
Did notarization fail to stop malware?
Notarization is Apple's automated check that software distributed outside the App Store is signed with a Developer ID certificate and contains no known malicious content. A developer must submit the application to Apple before distribution; Apple scans it and issues a notarization ticket, and Gatekeeper on macOS 10.15 and later blocks downloaded apps that have not been notarized. It is a scan for known bad content and code-signing problems, not a guarantee that the software is safe.
Security researchers have discovered that Apple accidentally notarized malicious software: the Shlayer malware. According to a TechCrunch report, Shlayer disguises itself as an Adobe Flash installer. Ordinarily its installer is unnotarized code, which macOS should block. In this case, however, the researchers found that one installer had received Apple notarization, and that allowed it to run on Macs.
Peter Dantini made the discovery while navigating to the website of the open-source development tool Homebrew. He mistyped its URL, brew.sh, and the site he landed on was hosting an adware campaign, which redirected him to a fake Adobe Flash page. He downloaded the "update" on purpose to see what it would do, and to his surprise macOS allowed the program to run. He then notified macOS security researcher Patrick Wardle about what he had found.
So, what exactly is Shlayer?
Shlayer is malware that behaves much like adware: it intercepts encrypted web traffic and injects its own ads. Security company Kaspersky described Shlayer as the most common threat on macOS in 2019, saying it accounted for 30 percent of all its macOS detections.
In his blog, Wardle confirmed that this was a first for macOS. So what happened to notarization? He explained that the malicious payloads were submitted to Apple before distribution, scanned, and inadvertently notarized. Because they were notarized, macOS allowed them to run, even on macOS Big Sur, which was then in beta.
Wardle reported the issue to Apple. The company responded by revoking the certificates involved, which disabled the malware wherever it had already been installed and blocked future downloads of those payloads. So that would be the end of it, right? Not necessarily, according to a Wired report.
On August 30, Wardle found that the adware campaign was still active and distributing the same malware. How? The new payloads had been notarized under a different developer ID, which let the attackers work their way around macOS's protections again. He notified Apple, and the company has taken action.
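The check a practitioner would want at this point, added here as an example that is not from the original article or from the researchers it cites: Gatekeeper's verdict for an app bundle can be read with `spctl --assess -vv --type execute`, whose `source=` line says whether the Developer ID signature was notarized and whose `origin=` line carries the signing team's ID. The script below classifies that output and extracts the team ID, so that an app that was accepted and later rejected can be told apart from the same payload re-notarized under a different developer account. The sample outputs, app path and team IDs (AAAAAAAAAA, BBBBBBBBBB) are constructed for illustration, and the `assess_app` wrapper only does real work on a Mac where `spctl` exists.

```shell
#!/bin/sh
# Classify Gatekeeper verdicts and extract the signing Team ID from the output of
#   spctl --assess -vv --type execute /path/to/App.app
# The tool prints a verdict line followed by key=value lines, e.g.
#   /path/to/App.app: accepted
#   source=Notarized Developer ID
#   origin=Developer ID Application: Some Corp (TEAMID1234)

# classify_spctl OUTPUT
# Prints one of: notarized | signed-not-notarized | accepted-other | rejected | unknown
classify_spctl() {
  case "$1" in
    *": accepted"*)
      case "$1" in
        *"source=Notarized Developer ID"*) echo notarized ;;
        *"source=Developer ID"*)           echo signed-not-notarized ;;
        *)                                 echo accepted-other ;;
      esac ;;
    *": rejected"*) echo rejected ;;
    *)              echo unknown ;;
  esac
}

# team_id OUTPUT
# Prints the 10-character Team ID in parentheses at the end of the origin= line, or nothing.
team_id() {
  printf '%s\n' "$1" | sed -n 's/^origin=.*(\([A-Z0-9]\{10\}\))$/\1/p'
}

# assess_app PATH
# Runs the real tool (macOS only) and prints "<verdict> <team-id>".
assess_app() {
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl not found; this only runs on macOS" >&2
    return 2
  fi
  out=$(spctl --assess -vv --type execute "$1" 2>&1)
  printf '%s %s\n' "$(classify_spctl "$out")" "$(team_id "$out")"
}

# Constructed sample outputs (hypothetical app and Team IDs, not captured from real apps).
SAMPLE_NOTARIZED='/tmp/FlashPlayer.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (AAAAAAAAAA)'

# Same signer, but the app is no longer accepted as notarized.
SAMPLE_REVOKED='/tmp/FlashPlayer.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (AAAAAAAAAA)'

# Same payload notarized again under a different developer account.
SAMPLE_RENOTARIZED='/tmp/FlashPlayer.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Other Corp (BBBBBBBBBB)'

for s in "$SAMPLE_NOTARIZED" "$SAMPLE_REVOKED" "$SAMPLE_RENOTARIZED"; do
  printf '%-22s team=%s\n' "$(classify_spctl "$s")" "$(team_id "$s")"
done

# On a Mac, pass an app bundle to assess it for real:
#   sh check_notarization.sh /Applications/Foo.app
if [ "$#" -gt 0 ]; then
  assess_app "$1"
fi
```

Because `spctl` consults Apple for ticket and certificate status, its verdict for the same bundle can change after Apple revokes a notarization or a developer certificate, so an earlier "accepted" should be re-checked rather than trusted. Comparing the team ID across samples is what shows a re-notarization under a new developer account, as in the second round of this campaign.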
Malwarebytes' Thomas Reed said he wasn't surprised by this. He said it is proof that Apple's notarization is not effective. Reed also warned that he sees Mac malware evolving specifically to get around the notarization process.