Apple has been historically very good at keeping malware out of its app store and continually improving its security protocols. Since February 2020, Apple notarizes all Mac software distributions outside of its Mac App Store. The developers must demonstrate that their products can run on macOS Catalina and not allow malware to get past Apple Security. However, a Malware maker gets past Apple Security.
MacOS Software development goes through a multi-stage approval process, with automation as the first step. The design scans software for code-signing issues and malicious components. Assuming the submitted code passes through this security checkpoint, the apps are put on the macOS Gatekeeper list, signifying the apps don’t pose a security risk.
While this process gives users greater peace of mind, it’s not bulletproof, as College Student Peter Dantini recently discovered. He found the distribution of notarized Shlayer adware installers through a variety of fake websites. These installers could run on any machine using macOS Catalina without being auto-blocked when they tried to launch.
The worst part about this is that since these installers bear Apple’s “seal of approval,” users are bound to trust them without question, which means that the malware developers’ payloads can spread like wildfire through the Apple ecosystem.
Legendary security researcher Patrick Wardle confirms all of the above and reported it to Apple direct. Apple took the reports from Mr. Wardle seriously, and with the immediate revocation of those certificates. Gatekeeper now will automatically block any installation attempts.
Unfortunately, it appears that the Shlayer campaign is still ongoing; the hackers have shifted gears and are now serving new payloads, notarized on the same day that Apple revoked the initial sample’s certificates. Still, a Malware Maker Gets Past Apple Security
As Patrick Wardle notes: “Both the old and ‘new’ payload(s) appears to be nearly identical, containing ‘OSX.Shlayer’ packaged with the Bundlore adware. However, the attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy.
Clearly, in the never-ending cat & mouse game between the attackers and Apple, the attackers are currently (still) winning.”
Indeed. Best of luck to Apple, and if you’re a mac user, stay safe out there.