- Aug 17, 2014
Full report by researcher: Apple Approved MalwareThe authors of the Mac malware known as Shlayer have successfully managed to get their malicious payloads through Apple's automated notarizing process.
Since February 2020 all Mac software distributed outside of its Mac App Store must be notarized by Apple to be able to run on macOS Catalina and above.
The notarization process requires developers to submit software they built for the macOS platform to be scanned through Apple's notary service, an automated system designed to scan submitted software for both malicious components and code-signing issues.
If they pass this automated security check, the apps are allowed by the macOS Gatekeeper — a macOS security feature that checks if downloaded apps have been checked for known malicious content — to run on the system.
As Apple describes this process, "f there’s ever a problem with an app, Apple can quickly stop new installations and even block the app from launching again."
Although the company says that notarizing macOS software is designed to give "users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components," as discovered by Peter Dantini last week, Apple was tricked into notarizing Shlayer malware samples.
He discovered notarized Shlayer adware installers being distributed through a fake and malicious Homebrew website, installers that could be executed on any Mac running macOS Catalina without being automatically blocked on launch.
This allowed the threat actors behind this adware campaign to deliver their payloads to systems where the installers would have been previously blocked.
Security researcher Patrick Wardle confirmed that these installers were indeed delivering Shlayer adware samples notarized by Apple, which means that they can also infect users running the company's latest macOS 11.0 Big Sur version.