Apple appears to have inadvertently approved OSX.Shlayer malware through its notarization process, the automated security check of Developer ID-signed software that Apple has touted as a way to boost users' confidence that third-party software carries the tech giant’s seal of approval.
While it is unclear “what the Shlayer folks did to get their malware notarized,” essentially Apple’s process “allowed known malware to pass through undetected, and to be implicitly vouched for by Apple,” Thomas Reed, director of Mac and mobile at Malwarebytes, said in a blog post.
“Either Apple was able to detect Shlayer as part of the notarization process, but breaking that detection was trivial, or Apple had nothing in the notarization process to detect Shlayer, which has been around for a couple years at this point,” Reed wrote.
Last week Twitter user Peter Dantini, who goes by the handle @PokeCaptain, discovered the website homebrew.sh running a campaign that delivered adware payloads which were fully notarized, Mac security researcher Patrick Wardle, principal security researcher at Jamf and founder of Objective-See, detailed in a blog post.
OSX.Shlayer is “massively common” and “known to be quite innovative,” so Wardle said it comes as no surprise that the “insidious malware has continued to evolve to trivially side-step Apple’s best efforts.”
Apple’s notarization system, which “promises trust, yet fails to deliver, may ultimately put users at more risk,” he said. “If Mac users buy into Apple’s claims, they are likely to fully trust any and all notarized software.”
Vetting of third-party software prompts cybercriminals to “throw everything possible to see what sticks,” much as they do with phishing attacks, “and when they find one that works, they use it,” said James McQuiggan, security awareness advocate at KnowBe4. “In this case, they most likely have tried hundreds of multiple malware applications, and to get through was a success for them. However, it was discovered and removed.”
But Wardle applauded Apple’s quick response. “To Apple’s credit, once I reported the notarized payloads, they were quick to revoke their certificates (and thus rescind their notarization status),” he said.
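Because notarization rides on the Developer ID signing certificate, revoking that certificate is what flips Gatekeeper's verdict on an already-notarized payload. The check below is an added example (not code from the article, from Wardle, or from Apple): it wraps Gatekeeper's own assessment command, `spctl --assess --verbose=4 --type execute`, and classifies its verdict. The sample outputs are constructed to mirror spctl's "accepted/rejected" plus "source=" lines; the exact wording of the revoked-certificate reason (`CSSMERR_TP_CERT_REVOKED`) is an assumption taken from codesign's error codes rather than something the article states.

```shell
#!/bin/sh
# Classify the verdict text of `spctl --assess --verbose=4 --type execute <app>`
# into: notarized | signed-not-notarized | revoked | rejected | unknown.
# Order matters: a revoked certificate is checked first because its output
# may still mention a "Developer ID" source line.
classify_spctl() {
    out=$1
    case "$out" in
        *CSSMERR_TP_CERT_REVOKED*)                       echo revoked ;;              # assumed reason string
        *accepted*"source=Notarized Developer ID"*)      echo notarized ;;
        *accepted*"source=Developer ID"*)                echo signed-not-notarized ;; # pre-notarization era signing
        *rejected*)                                      echo rejected ;;
        *)                                               echo unknown ;;
    esac
}

# Run Gatekeeper's assessment on a real bundle; only works on macOS where
# spctl exists. Returns 2 (and prints a hint) elsewhere so scripts can tell
# "not applicable" from a verdict.
assess_app() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available (macOS only)" >&2
        return 2
    fi
    out=$(spctl --assess --verbose=4 --type execute "$1" 2>&1)
    classify_spctl "$out"
}

# Constructed sample outputs (placeholders, not real team IDs or vendors).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Vendor (TEAMID)'

SAMPLE_UNNOTARIZED='/Applications/Legacy.app: accepted
source=Developer ID
origin=Developer ID Application: Example Vendor (TEAMID)'

SAMPLE_REVOKED='/Applications/Shady.app: rejected (CSSMERR_TP_CERT_REVOKED)
source=Notarized Developer ID
origin=Developer ID Application: Example Vendor (TEAMID)'

# Stand-alone demo: classify the samples, then try a real path if on macOS.
for s in "$SAMPLE_NOTARIZED" "$SAMPLE_UNNOTARIZED" "$SAMPLE_REVOKED"; do
    printf '%s -> %s\n' "$(printf '%s' "$s" | head -n 1)" "$(classify_spctl "$s")"
done
[ -n "$1" ] && assess_app "$1"
```

On a Mac, `assess_app /Applications/Some.app` prints the verdict Gatekeeper would apply on first launch; a payload that classified as `notarized` before Apple pulled the certificate will classify as `revoked` afterwards, which is the "rescind their notarization status" effect Wardle describes.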