When might an Apple malware protection pose more user risk than none at all? When it certifies a trojan as safe even though it sticks out like a sore thumb and represents one of the biggest threats on the macOS platform.
The world received this object lesson over the weekend after Apple gave its imprimatur to the latest samples of “Shlayer,” the name given to a trojan that has been among the most—if not the most—prolific pieces of Mac malware for more than two years. The seal of approval came in the form of a notarization mechanism Apple introduced in macOS Mojave to, as Apple put it, “give users more confidence” that the app they install “has been checked by Apple for malicious components.”
With the roll out of macOS Catalina, notarization became a requirement for all apps. Unless installed using methods not mentioned by Apple (more about that later), an unnotarized app will generate the following notice that says it “can’t be opened because Apple cannot check it for malicious software.”
Classic Shlayer... with one big difference
On Friday, college student Peter H. Dantini found that homebrew[.]sh—a knockoff of the legitimate homebrew site brew.sh—was pushing a fake Adobe Flash update and warning users that their current version lacked the latest security updates.
It was a classic Shlayer campaign, similar to the hundreds or thousands of previous ones that also used fake Flash updates to infect users with adware, except for one key difference: the trojan had been notarized by Apple. Patrick Wardle, a security researcher at the macOS and iOS enterprise management firm Jamf, said he believes this is the first malware to receive the notarization “stamp of approval.”
Wardle notified Apple on Friday of the erroneously notarized file, and the company quickly revoked the certification, a move that prevented the trojan from infecting up-to-date Macs. On Sunday, Wardle said, he found the site was serving new malicious payloads that were, once again, notarized by Apple.
“Unfortunately, a system that promises trust, yet fails to deliver, may ultimately put users at more risk,” Wardle wrote in a post. “How so? If Mac users buy into Apple’s claims, they are likely to fully trust any and all notarized software. This is extremely problematic as known malicious software (such as OSX.Shlayer) is already (trivially?) gaining such notarization!”
Antivirus provider Malwarebytes also weighed in, saying: “Unfortunately, it’s starting to look like notarization may be less security and more security theater.”
In defense of notarization
In a statement, Apple officials wrote: “Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allows us to respond quickly when it’s discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”
In Apple’s defense, the company has always been clear that the notarization is “an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly.” As such, Apple has never presented it as a comprehensive security check.
Another point in Apple's favor: at the time Dantini discovered the malware and reported it to Wardle, the sample had no detections on VirusTotal, the Alphabet-owned malware scanning service that aggregates results from more than 60 AV providers. What's more, Google's Play Store regularly admits malicious apps even though its Bouncer service purportedly scans for nefarious activity.
And even when notarization prevents an app from being installed normally, it's not that hard to work around the mechanism. As shown in the screenshot below, courtesy of Malwarebytes, unnotarized versions of Shlayer have long presented their marks (the intended victims) with a custom disk-image background that instructed them to right-click the file inside, rather than double-click it as normal, and then select Open.
With that the malware is installed.
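As an added illustration, not code from the article or from Apple, Jamf or Malwarebytes: a small POSIX shell triage script that collects what macOS's own tools (`spctl`, `codesign`, `xattr`) report for a downloaded app bundle and flags the pattern Wardle points to, an installer branded as Flash whose Developer ID signature does not belong to Adobe. The function names, the constructed sample tool output and the exit-code convention are assumptions of this example; the `accepted`/`rejected` and `source=` lines come from spctl's usual output and may differ across macOS versions.

```shell
#!/bin/sh
# Added example (not from the article or from Apple/Jamf/Malwarebytes): record
# what Gatekeeper and codesign say about an app bundle that arrived as a
# "Flash update". The parsing functions take tool output as arguments so they
# can be exercised on any system; assess_app() runs the real tools on a Mac.

# Reduce `spctl --assess -vv` output to one status word.
classify_spctl() {
    case "$1" in
        *": accepted"*"source=Notarized Developer ID"*)   echo notarized ;;
        *": accepted"*"source=Unnotarized Developer ID"*) echo signed-unnotarized ;;
        *": accepted"*)                                   echo accepted-other ;;
        *": rejected"*)                                   echo rejected ;;
        *)                                                echo unknown ;;
    esac
}

# Pull the first "Authority=" line (the leaf signing certificate) out of
# `codesign -dvv` output; empty string when the bundle is unsigned.
signing_authority() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p' | sed -n '1p'
}

# True (exit 0) when the bundle name claims to be Flash but the leaf signing
# certificate is not Adobe's: the red flag Wardle describes.
flash_mismatch() {
    case "$1" in
        *[Ff]lash*) case "$2" in *Adobe*) return 1 ;; *) return 0 ;; esac ;;
        *) return 1 ;;
    esac
}

# Combine the pieces into one verdict line. Exit status: 0 ok, 1 warn, 2 block.
triage() {
    name=$1; spctl_out=$2; codesign_out=$3
    status=$(classify_spctl "$spctl_out")
    authority=$(signing_authority "$codesign_out")
    if flash_mismatch "$name" "$authority"; then
        echo "block: '$name' is branded as Flash but signed by '${authority:-nobody}' ($status)"
        return 2
    fi
    case "$status" in
        notarized)          echo "ok: notarized, signed by '$authority'"; return 0 ;;
        signed-unnotarized) echo "warn: Developer ID signed but never notarized ('$authority')"; return 1 ;;
        rejected)           echo "block: Gatekeeper rejects it (bad signature, or notarization/certificate revoked)"; return 2 ;;
        *)                  echo "warn: cannot classify Gatekeeper result"; return 1 ;;
    esac
}

# Run the real tools on a Mac. spctl and codesign print their details on
# stderr, so both streams are captured. The quarantine attribute is reported
# first because Gatekeeper only evaluates files that still carry it.
assess_app() {
    app=$1
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        echo "quarantine: present (Gatekeeper will evaluate on first open)"
    else
        echo "quarantine: absent (Gatekeeper assessment will be skipped)"
    fi
    triage "$(basename "$app")" \
           "$(spctl --assess --type execute -vv "$app" 2>&1)" \
           "$(codesign -dvv "$app" 2>&1)"
}

# Usage on a Mac (hypothetical path): assess_app "/Volumes/Install/Install Flash Player.app"
```

The script is deliberately built around the tool output rather than around a signature for Shlayer itself: after a revocation like the one Apple performed here, a previously "accepted" bundle flips to "rejected" with no change to the file, so the spctl verdict is the part worth re-running and logging.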
Toothless... and a pain to use
At the same time, and as noted last year by Andrew Cunningham, now a freelance reviewer for Ars, notarization is a burden both for users and developers. Presumably Apple mandated it to augment previously introduced code-signing protections, which require developers to authenticate their apps with an Apple-issued cryptographic certificate. If the service made users safer, you might have a good case for saying that the inconvenience is worth it. It’s harder to make that argument if the new feature gives users a false sense of security.
Notarization looks especially toothless when it fails to detect this particular malware family. As Kaspersky Lab reported in January, Shlayer has been the top macOS threat for about two years and accounted for about 30 percent of all detections on the OS for 2019. Shlayer also goes well beyond the nuisance of adware. For instance, after using click-jacking techniques to trick users into installing a self-signed cryptographic certificate, the malware decrypts and reads all encrypted HTTPS traffic. It also harvests user IDs.
Apple’s goof is even harder to understand when it falls for files like those found on Friday and again on Sunday.
“It was a fake Flash player update... with the Adobe icon and all... that of course was not signed by Adobe,” Wardle told me in an online chat. “You'd have thought that's a big red flag that Apple would straight up just block anyways like, umm, anything that masquerades as ‘Flash' update ...yah, no, don't notarize that, as who cares what it does (i.e. what malware/adware it is), obv. it's fake/malicious.”
Updated to add sixth-to-last paragraph.