For decades, Mac users had less reason to worry about malware than their Windows counterparts, but in the last few years that has started to change. To combat growing threats such as adware and ransomware, in February Apple began "notarizing" all macOS apps, a verification process designed to weed out illegitimate or malicious software. Even software distributed outside the Mac App Store now needs to be notarized; otherwise users cannot run it without special workarounds. Seven months later, however, researchers discovered an active ad campaign attacking Mac users with the same old payloads, and the malware was fully notarized by Apple.
The campaign distributes the ubiquitous "Shlayer" adware, which by some estimates has affected up to one in 10 macOS devices in recent years. The malware exhibits standard adware behavior, such as injecting advertisements into search results. It is unclear how Shlayer slipped past Apple's automated scans and checks to be approved, especially since it is virtually identical to previous versions. But this is the first known example of notarized malware for macOS.
Student Peter Dantini discovered the notarized version of Shlayer while trying to reach the home page of Homebrew, the popular open source developer tool for Mac. Dantini accidentally typed something slightly different from brew.sh, the correct URL. The page he landed on redirected repeatedly until it reached a bogus Adobe Flash update page. Curious about what malware he might find, Dantini downloaded the "update" on purpose. To his surprise, macOS displayed its standard warning about programs downloaded from the internet, but did not block the program from running. When Dantini confirmed that it was notarized, he sent the information to Patrick Wardle, a longtime macOS security researcher.
"I expected that if someone abused the notarization system, it would be something more sophisticated or complex," says Wardle, senior security researcher at the Mac management firm Jamf. "But in a way, I'm not surprised that the adware did it first. Adware developers are very innovative and constantly evolving because they stand to lose a ton of money if they can't get around new defenses. And notarization is a death knell for a lot of those standard ad campaigns, because even if users are tricked into clicking and trying to run the software, macOS will now block it."
Wardle notified Apple of the malware on August 28, and the company revoked the certificates used to notarize Shlayer the same day, neutralizing the malware wherever it was already installed and for future downloads. On August 30, however, Wardle noticed that the adware campaign was still active and distributing the same Shlayer downloads. They had simply been notarized under a different Apple Developer ID, just hours after the company had started revoking the original certificates. On August 30, Wardle informed Apple of these new releases as well.
Apple did not respond to WIRED's request for comment before press time, but in its notarization materials the company draws a distinction between the more in-depth "App Review" it applies to App Store submissions and the macOS notarization check.
“Notarization is not an app review,” the company wrote. “The Apple Notary Service is an automated system that scans your software for malicious content, checks for code signing issues, and returns the results to you quickly.”
Before Apple introduced notarization, malware developers simply had to pay $99 per year for an Apple Developer ID in order to sign their software as if it were legitimate. Any application not downloaded from the Mac App Store would trigger a warning when users tried to run it, a check meant to ensure that programs downloaded from the internet were safe to use, but users could easily click through it. Notarization is supposed to make deploying malware much harder, or at least that is the idea. Wardle says that based on his experience submitting his own security tools, Apple's automated check takes only a few minutes to issue an approval. Still, bad actors are clearly slipping through.
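The check Dantini performed, confirming whether a downloaded binary is merely Developer ID signed or actually notarized, can be scripted on macOS with Apple's `spctl` assessment tool. The script below is an added example written for this page; it is not code from the article, from Apple, or from the researchers. It parses the verdict text `spctl --assess --verbose` prints (accepted/rejected plus a `source=` line) into a one-word classification and extracts the 10-character Team ID from the `origin=` line, which is what you would compare when, as in the Shlayer case, the same payload reappears under a different Developer ID. The three sample outputs, the path `/tmp/Installer.app`, "Example Corp" and the Team ID `ABCDE12345` are constructed for the example; the parsing functions run on any POSIX shell, while `assess_path` only does real work where `spctl` exists.

```shell
#!/bin/sh
# Added example, not from the WIRED article or from Apple.
# Classifies Gatekeeper's assessment of a downloaded binary:
#   notarized    - Developer ID signed and notarized by Apple
#   developer-id - Developer ID signed, but never notarized
#   rejected     - Gatekeeper would refuse it (unsigned, or certificate revoked)
#   unknown      - none of the above lines were found

# Constructed samples in the shape `spctl -a -vv -t exec <path>` prints.
# Path, company name and Team ID are made up for this example.
SAMPLE_NOTARIZED='/tmp/Installer.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_DEVID_ONLY='/tmp/Installer.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_REJECTED='/tmp/Installer.app: rejected
source=no usable signature'

# classify_spctl TEXT -> prints one of: notarized, developer-id, rejected, unknown
# The rejected case is tested first because a revoked Developer ID can still
# carry a "Developer ID" source line while Gatekeeper rejects it.
classify_spctl() {
    case "$1" in
        *": rejected"*)                    echo rejected ;;
        *"source=Notarized Developer ID"*) echo notarized ;;
        *"source=Developer ID"*)           echo developer-id ;;
        *)                                 echo unknown ;;
    esac
}

# team_id_from_spctl TEXT -> prints the Team ID in parentheses on the
# "origin=" line, or nothing if there is no such line.
team_id_from_spctl() {
    printf '%s\n' "$1" | sed -n 's/^origin=.*(\([A-Z0-9]\{10\}\))$/\1/p'
}

# assess_path PATH -> runs the real assessment (macOS only) and prints the
# classification followed by the Team ID. spctl writes its verdict to
# stderr, hence the 2>&1.
assess_path() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available: this check only runs on macOS" >&2
        return 2
    fi
    _out=$(spctl -a -vv -t exec "$1" 2>&1)
    classify_spctl "$_out"
    team_id_from_spctl "$_out"
}

# Usage: sh check_notarization.sh /path/to/Downloaded.app
if [ "$#" -gt 0 ]; then
    assess_path "$1"
fi
```

A `developer-id` result is the pre-February situation the article describes: a $99 certificate and a click-through warning. After Apple revokes a certificate, the same file flips to `rejected`, so re-running the check on a payload that previously reported `notarized` with a new Team ID is a quick way to spot the re-notarization trick Wardle observed on August 30.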