Apple has always had some of the strictest guidelines for keeping malware out of the App Store, even if a malicious app occasionally slips through the net. But last year Apple took its toughest approach yet, requiring developers to submit their apps for security screening before they can run on millions of Macs. The process, which Apple calls “notarization,” scans the application for security issues and malicious content. If the app passes, Gatekeeper, the Mac's built-in security verification software, allows it to run. Apps that fail the security checks are rejected and blocked from running. But security researchers say they have discovered the first Mac malware accidentally notarized by Apple, TechCrunch reported.
Twitter user Peter Dantini, in collaboration with Patrick Wardle, a renowned Mac security researcher, discovered a malware campaign disguised as an Adobe Flash installer. These campaigns are common and have been around for many years, even though Flash is rarely used these days, and most of them run non-notarized code that the Mac blocks immediately upon opening.
But Dantini and Wardle discovered that one malicious Flash installer carried code notarized by Apple and would run on a Mac.
Wardle confirmed that Apple had approved code used by the widespread Shlayer malware, which Kaspersky Security says was “the most common threat” faced by Mac computers in 2019. Shlayer is a form of adware that intercepts encrypted web traffic – even from HTTPS-enabled sites – and replaces websites and search results with its own ads, earning fraudulent advertising revenue for its operators.
That means Apple did not detect the malicious code upon submission and approved it to run on the Mac – even on the unreleased macOS Big Sur beta, expected later this year.
Apple revoked the notarization of the payload after Wardle contacted the company, which prevents the malware from running on Macs in the future.
In a statement, an Apple spokesperson told TechCrunch: “Malware is constantly evolving, and Apple’s notarization system helps us keep malware out of our Mac and allows us to respond quickly when it is detected. Upon learning of this adware, we revoked the specified option, disabled the developer account, and revoked the associated certificates. We thank the researchers for their help in keeping our users safe”.
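For a defender who wants to see what Gatekeeper would decide for a downloaded installer, and to observe the effect of the revocation described above, here is an added example; it is my code, not code from the article, Apple or the researchers named. It wraps `spctl -a -vv -t execute`, a real macOS command, and parses its verdict so the result can be used in triage scripts. The sample outputs, file paths, developer name and team ID are constructed, and the exact `source=` text shown after a revocation varies by macOS version; the reliable signal is the `rejected` verdict.

```python
"""Parse and classify Gatekeeper (spctl) assessments of downloaded apps.

Added example, not code from the article or from Apple. The parser runs
anywhere on constructed sample output; run_spctl() only works on macOS.
"""
import shutil
import subprocess
from dataclasses import dataclass

# Constructed sample outputs in the format spctl prints (path, verdict, key=value lines).
# Developer name and team ID are placeholders, not real identifiers.
SAMPLE_NOTARIZED = """/Users/analyst/Downloads/Install.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Developer (TEAMID0000)
"""

# Constructed: what the same bundle looks like once Apple has revoked the
# notarization ticket and certificate. The source string may differ by macOS version.
SAMPLE_REVOKED = """/Users/analyst/Downloads/Install.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Developer (TEAMID0000)
"""

# Constructed: a typical unsigned fake "Flash" installer, blocked outright.
SAMPLE_UNSIGNED = """/Users/analyst/Downloads/FlashPlayer.app: rejected
source=no usable signature
"""


@dataclass
class GatekeeperVerdict:
    path: str
    accepted: bool
    source: str
    origin: str

    @property
    def notarized(self) -> bool:
        # spctl reports "Notarized Developer ID" only when a valid ticket is found.
        return self.accepted and self.source.lower().startswith("notarized")


def parse_spctl(output: str) -> GatekeeperVerdict:
    """Parse the text `spctl -a -vv -t execute <path>` writes (to stderr)."""
    lines = [ln.strip() for ln in output.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty spctl output")
    # First line is "<path>: accepted" or "<path>: rejected[ (reason)]".
    path, _, verdict = lines[0].rpartition(": ")
    fields = {}
    for line in lines[1:]:
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return GatekeeperVerdict(
        path=path,
        accepted=verdict.startswith("accepted"),
        source=fields.get("source", ""),
        origin=fields.get("origin", ""),
    )


def classify(output: str) -> str:
    """Collapse a verdict into one of three triage buckets."""
    verdict = parse_spctl(output)
    if not verdict.accepted:
        return "rejected"
    if verdict.notarized:
        return "notarized"
    # Signed and accepted by local policy, but without a notarization ticket.
    return "accepted-not-notarized"


def run_spctl(path: str) -> GatekeeperVerdict:
    """Run the real Gatekeeper assessment (macOS only) and parse it."""
    if shutil.which("spctl") is None:
        raise RuntimeError("spctl not found; this helper only runs on macOS")
    proc = subprocess.run(
        ["spctl", "-a", "-vv", "-t", "execute", path],
        capture_output=True, text=True, check=False,
    )
    # spctl prints the assessment to stderr and exits non-zero on rejection.
    return parse_spctl(proc.stderr or proc.stdout)


if __name__ == "__main__":
    for sample in (SAMPLE_NOTARIZED, SAMPLE_REVOKED, SAMPLE_UNSIGNED):
        v = parse_spctl(sample)
        print(f"{v.path}: {classify(sample)} ({v.origin or v.source})")
```

Because Gatekeeper consults Apple for ticket and certificate revocation, re-running the assessment on a file that was "accepted" yesterday can legitimately return "rejected" today, which is exactly the transition the Shlayer payload went through once its notarization was revoked.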