This dangerous Mac malware was 'approved' by Apple: What to do [updated]

News
By Paul Wagenseil
published

Notorious Shlayer malware notarized by Apple's screening process will bypass Gatekeeper and install

best college laptops - macbook air
(Image credit: Future)

Updated with comment from Apple.

A well-known researcher says Apple has "notarized" a notorious piece of Mac malware, letting it sail right past Apple's built-in defenses.

Apple's software notarization is an automated screening process meant to detect malware. Anything suspicious gets rejected. Everything else can be installed on Macs running macOS 10.15 Catalina or 11.0 Big Sur, and the built-in Gatekeeper program will let it run.

But, said Mac-security researcher Patrick Wardle in a blog post yesterday (Aug. 30), the well-known Shlayer adware Trojan has now evolved to include an Apple notarization stamp. This means a modern Mac can install it, and worse, lets Mac users know that Apple has inspected it and approved it.

"In Apple's own words, notarization was supposed to 'give users more confidence that [software] ... has been checked by Apple for malicious components,'" Wardle wrote. 

"Unfortunately, a system that promises trust yet fails to deliver may ultimately put users at more risk," he added. "If Mac users buy into Apple's claims, they are likely to fully trust any and all notarized software."

To protect yourself from Shlayer and other forms of Mac malware (there's more of it than you might think), download and run one of the best Mac antivirus programs. Tom's Guide has reached out to Apple for comment, and we will update this story when we receive a reply.

Fake Adobe Flash update

Wardle was tipped off to this development Friday (Aug. 28) by fellow researcher Peter Dantini, who noticed that a Shlayer variant served up by a fake Mac developer site was given the green light by Gatekeeper when Dantini tried to install it on his own Mac.

Shlayer pretends to be an Adobe Flash update, but if you install it, it pops up a tons of ads, changes your web browser's search engine and downloads more programs. It's the most common serious threat that Mac users currently face -- Kaspersky estimates that one out of every 10 Macs worldwide encountered Shlayer in 2019.

Normally, if you try to install an un-notarized application in Catalina, Gatekeeper will pop up a window stating that the app "cannot be opened because the developer cannot be verified." 

Your only options presented are to cancel the installation or move the installer file to the Trash. (There are ways around Gatekeeper, as another variant of Shlayer had already found .)

Why the attackers are winning

That didn't happen with this version of Shlayer. Dantini dug into the code and found that it had been accepted by Apple's notarization process at least twice. 

"What does this mean?" Wardle wrote. "These malicious payloads were submitted to Apple, prior to distribution. Apple scanned and apparently detecting no malice, (inadvertently) notarized them. 

"Now notarized, these malicious payloads are allowed to run ... even on macOS Big Sur. Again, due to their notarization status, users will (quite likely), fully trust these malicious samples."

On Friday, Wardle reported the notarized malware to Apple, which quickly revoked the developers' certificates, and Gatekeeper no longer allowed their installation. 

But on Sunday, Wardle saw that the campaign was still running -- with a new developer ID and new Apple stamp of approval.

"Clearly, in the never ending cat & mouse game between the attackers and Apple," Wardle concluded, "the attackers are currently (still) winning. 😢"

This looks bad

How did the bad guys do this? It's not really clear, but they seem to have gamed Apple's automated notarization system to bypass whatever checks exist. 

"Nobody really understands exactly how notarization works, and Apple is not inclined to share details," wrote Malwarebytes security expert Thomas Reed in a blog post today (Aug. 31). 

"I've personally notarized software quite a few times at this point, and it usually takes less than a couple minutes between submission and receipt of the e-mail confirming success of notarization," he added. 

"That means there's definitely no human intervention involved in the process, as there is with App Store reviews. Whatever it is, it's solely automated."

Reed took a look at old Shlayer code and the new Shlayer code that Apple had notarized, and couldn't find much difference between the two.

"This leaves us facing two distinct possibilities, neither of which is particularly appealing," he wrote. 

"Either Apple was able to detect Shlayer as part of the notarization process, but breaking that detection was trivial, or Apple had nothing in the notarization process to detect Shlayer, which has been around for a couple years at this point."

Update: Apple comment

Apple responded to our query with this statement, in full:

"Malicious software constantly changes, and Apple's notarization system helps us keep malware off the Mac and allow us to respond quickly when it's discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe."

Also, we've learned that the Apple developer ID being used by the malware yesterday has now been revoked.

Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.