What you need to know
- Apple inadvertently approved malware to run on macOS last year.
- That's according to security researchers.
- Apple did not detect malicious code in the software and approved it to run on Macs.
Apple inadvertently approved Mac malware that used notarized code last year, according to two security researchers.
Apple has some of the strictest rules to prevent malicious software from landing in its app store, even if on occasion a bad app slips through the net. But last year Apple took its toughest approach yet by requiring developers to submit their apps for security checks in order to run on millions of Macs unhindered.
Apple uses notarization to scan apps for security problems and malicious content. If approved, it means Apple's Gatekeeper software will allow the app to run. Two security researchers say that they have discovered the first instance of a malware campaign that used notarized, as opposed to unnotarized code, which means Apple missed malicious code in the app and approved its use on the platform:
Peter Dantini, working with Patrick Wardle, a well-known Mac security researcher, found a malware campaign disguised as an Adobe Flash installer. These campaigns are common and have been around for years — even if Flash is rarely used these days — and most run unnotarized code, which Macs block immediately when opened.
But Dantini and Wardle found that one malicious Flash installer had code notarized by Apple and would run on Macs.
The code used was a piece of malware called "Shlayer" which can intercept encrypted web traffic, replacing websites and search results to make money.
The blog report states that this means that the malicious payloads were sent to Apple before being distributed, upon which Apple scanned them and found no problems, inadvertently notarizing software that was actually malware. The blog notes that the payloads were allowed to run on macOS, even the Big Sur beta, where it was highly likely that because of the app's notarized status, users would have been trusting of the malware.
In a statement, an Apple spokesperson said:
"Malicious software constantly changes, and Apple's notarization system helps us keep malware off the Mac and allow us to respond quickly when it's discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe."
Since the discovery, the attackers created a new notarized payload which also bypassed the same system, which Apple has also intervened to block.