Apple's automated notarization process mistakenly approved Mac malware
Security researchers have discovered that Apple's macOS app notarization process has mistakenly approved a piece of malware disguised as a Flash installer.

Apple mistakenly approves Mac malware in notarization.
Apple requires Mac app developers -- even those outside of the App Store -- to submit apps for notarization, which checks them for security issues and malicious code. If they don't pass notarization, apps will be blocked by Gatekeeper.
But macOS security researcher Patrick Wardle and Twitter user Peter Dantini have found that at least one piece of malicious code appears to have slipped through Apple's safeguards.
On Friday, Dantini noticed that a Flash installer adware campaign actually featured malicious code that was notarized by Apple. The effect of that notarization is that the installer wouldn't be blocked by the built-in Gatekeeper security function. If a user clicked on it, the installer would simply run and deliver its payload on a system.
Wardle confirmed that the approved code contained within the malware has been used by the Shlayer adware, which has been said to be the top malicious threat to Mac users. Shlayer works by intercepting web traffic and replacing ads with its own, fraudulently making money for operators.
As Wardle pointed out in his blog post, the approval is "a first." Apple, for its part, has said that notarization isn't an app review. It's a much quicker and automated process that scans for malware or code-signing issues.
Basically, Apple's notarization process failed to detect the malicious code when it was submitted. In effect, the malware was approved to run on Mac devices -- even those running beta versions of macOS Big Sur.
Apple revoked the malware's notarization after Wardle reached out. In a statement to TechCrunch, Apple applauded Wardle's effort.
As Apple admits, malware constantly changes -- so it's likely that bad actors will again submit malicious payloads to Apple's notarization process. Wardle said that at least some of those payloads may get notarized.

"Malicious software constantly changes, and Apple's notarization system helps us keep malware off the Mac and allow us to respond quickly when it's discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe."
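The article's point is that a notarized installer passes Gatekeeper until Apple revokes the ticket, so the defender-side question is what Gatekeeper would decide for a given download right now, and which developer Team ID signed it (the account Apple disables on revocation). The script below is an added example, not from the article or from Wardle's research; it wraps the real `spctl --assess` and `codesign -dvv` queries but keeps the output parsing separate so it can be exercised on constructed sample output, and the paths, Team ID and tool output shown are constructed stand-ins.

```shell
#!/bin/sh
# Added example: what would Gatekeeper decide for this installer, and who signed it?
# The live checks need macOS; the parsers run anywhere on captured tool output.

# Reduce `spctl --assess -vv` output (on stdin) to a one-word verdict:
#   notarized   - accepted, and the source line names a notarized Developer ID
#   signed-only - accepted, but the source line does not mention notarization
#   rejected    - Gatekeeper would block it (unsigned, unnotarized, or revoked)
#   unknown     - output not recognised
classify_spctl() {
  out=$(cat)
  case "$out" in
    *": accepted"*"Notarized Developer ID"*) echo notarized ;;
    *": accepted"*)                          echo signed-only ;;
    *": rejected"*)                          echo rejected ;;
    *)                                       echo unknown ;;
  esac
}

# Extract the Team ID from `codesign -dvv` output (on stdin). Revocation is
# tied to the developer account and its certificates, so this is the value
# worth recording when triaging a suspicious installer.
team_id() {
  sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Live check of one .pkg installer (use --type execute for an .app bundle).
# Prints: verdict <TAB> team id <TAB> path. macOS only.
assess_installer() {
  path=$1
  verdict=$(spctl --assess --type install -vv "$path" 2>&1 | classify_spctl)
  team=$(codesign -dvv "$path" 2>&1 | team_id)
  printf '%s\t%s\t%s\n' "$verdict" "${team:-none}" "$path"
}

# Constructed sample output (not real tool output) for offline exercise of
# the parsers; the path and Team ID below are placeholders.
SAMPLE_ACCEPTED='/tmp/FlashInstaller.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Example Corp (ABCDE12345)'
SAMPLE_CODESIGN='Identifier=com.example.installer
TeamIdentifier=ABCDE12345
Sealed Resources=none'

# Check any installer paths given on the command line; none given means the
# script only defines its functions (so it can be sourced or tested).
for p in "$@"; do assess_installer "$p"; done
```

Re-running the check on a previously "notarized" installer after Apple revokes the ticket is the quickest way to confirm the revocation has reached a given Mac.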

Comments
Believe it or not some web sites still use flash.
if code contains ‘flash’ or appname = ‘flash updater’ then do not approve
Still, wondering why the "no viruses" Mac has been having so many security holes lately.
"Interestingly, as of Sunday (Aug 30th) the adware campaign was still live and serving up new payloads. Unfortunately these new payloads are (still) notarized: Both the old and “new” payload(s) appears to be nearly identical, containing OSX.Shlayer packaged with the Bundlore adware."
"However the attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy. Clearly in the never ending cat & mouse game between the attackers and Apple, the attackers are currently (still) winning. "
Because malicious coders are working much harder to infect the ecosystem with the users who actually buy stuff.
And when did Apple say the Mac has no viruses? They certainly haven't said it in the last five years, if ever.
The trick is to make it harder to infect the platform (in case you wondered why Apple is trying to get everything to run through an app store) and mitigate the damage they cause if they do slip through.
A good example of that is when Zoom installed a web server (a web server for cripes sake!) during the installation of the Zoom client. When Zoom was dragging its feet to remove it, Apple stepped in and issued a compulsory update that wiped it.
Mitigation.
Using the "so many security holes lately" argument as an implication of a general decline in quality is a classic example of the Availability Heuristic in action. It's a natural reaction for people to place greater emphasis on recently reported and/or frequently reported (or claimed) issues regardless of their actual statistical rate of occurrence. There is no question that the number of malware infections on the Windows platform is much greater than what has been seen on the Mac, for whatever reason. This amplifying effect is very prevalent with the reporting of crimes, as we see now with a number of Apple Store related robberies, or the perception of isolated lawlessness being conflated into a general increase in lawlessness or the indication of a broader trend.
This specific slip-up in the App Store vetting process is a genuine failure, and also a painfully ironic one considering Apple's stance on its customers using the deeply flawed Flash technology on Apple platforms. But yes indeed, it happened and Apple now has to scrape the stink off its shoes. There is obviously a nonzero failure rate inherent to Apple's notarization process and this is one that slipped through the cracks. People make mistakes and systems developed directly or indirectly by people make mistakes on behalf of their creators. Apple can probably drive down the failure rate - but by how much and at what cost? Only Apple can answer these questions.
Aren’t you looking to post that drivel on MacRumors or Slashdot? You’ll find your type over there.
Gimme a break.
No need to mention/discuss viruses, related to this article/malware.