Malware authors trick Apple into trusting malicious Shlayer apps


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
The authors of the Mac malware known as Shlayer have successfully managed to get their malicious payloads through Apple's automated notarizing process.

Since February 2020 all Mac software distributed outside of its Mac App Store must be notarized by Apple to be able to run on macOS Catalina and above.

The notarization process requires developers to submit software they built for the macOS platform to be scanned through Apple's notary service, an automated system designed to scan submitted software for both malicious components and code-signing issues.

If they pass this automated security check, the apps are allowed by the macOS Gatekeeper — a macOS security feature that checks if downloaded apps have been checked for known malicious content — to run on the system.

As Apple describes this process, "f there’s ever a problem with an app, Apple can quickly stop new installations and even block the app from launching again."

Although the company says that notarizing macOS software is designed to give "users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components," as discovered by Peter Dantini last week, Apple was tricked into notarizing Shlayer malware samples.

He discovered notarized Shlayer adware installers being distributed through a fake and malicious Homebrew website, installers that could be executed on any Mac running macOS Catalina without being automatically blocked on launch.

This allowed the threat actors behind this adware campaign to deliver their payloads to systems where the installers would have been previously blocked.

Security researcher Patrick Wardle confirmed that these installers were indeed delivering Shlayer adware samples notarized by Apple, which means that they can also infect users running the company's latest macOS 11.0 Big Sur version.
Full report by researcher: Apple Approved Malware


Level 1
Nov 1, 2018
FOR DECADES, MAC users had to worry less about malware than their Windows-using counterparts, but over the last few years that's begun to change. In an attempt to crack down on growing threats like adware and ransomware, in February Apple began "notarizing" all macOS applications, a vetting process designed to weed out illegitimate or malicious apps. Even software distributed outside of the Mac App Store now needs notarization, or users wouldn't be able to run them without special workarounds. Seven months later, though, researchers have found an active adware campaign attacking Mac users with the same old payloads—and the malware has been fully notarized by Apple.

The campaign is distributing the ubiquitous "Shlayer" adware, which by some counts has affected as many as one in 10 macOS devices in recent years. The malware exhibits standard adware behavior, like injecting ads into search results. It's not clear how Shlayer slipped past Apple's automated scans and checks to get notarized, especially given that it's virtually identical to past versions. But it's the first known example of malware being notarized for macOS.

College student Peter Dantini discovered the notarized version of Shlayer while navigating to the homepage of the popular open source Mac development tool Homebrew. Dantini accidentally typed something slightly different than, the correct URL. The page he landed on redirected a number of times to a fake Adobe Flash update page. Curious about what malware he might find, Dantini downloaded it on purpose. To his surprise, macOS popped up its standard warning about programs downloaded from the internet, but didn't block him from running the program. When Dantini confirmed that it was notarized, he sent the information on to longtime macOS security researcher Patrick Wardle.

"I had been expecting that if someone were to abuse the notarization system it would be something more sophisticated or complex," says Wardle, principal security researcher at the Mac management firm Jamf. "But in a way I’m not surprised that it was adware that did it first. Adware developers are very innovative and constantly evolving, because they stand to lose a ton of money if they can't get around new defenses. And notarization is a death knell for a lot of these standard ad campaigns, because even if the users are tricked into clicking and trying to run the software, macOS will block it now."


About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.