While Apple’s devices are typically more secure than the competition, that doesn’t mean they’re immune to flaws. In the case of the Mac, a new report highlights how Apple accidentally approved one of the most common malware threats to run on recent versions of macOS. While the original flaw was quickly fixed, another similar one has popped up.
iOS is more locked down and naturally more secure than Mac overall because all apps need to be downloaded through the App Store. In contrast, Mac users can download apps from the App Store as well as anywhere on the internet.
Even though Mac apps downloaded outside of the App Store don’t go through the same review process, Apple still requires them to be notarized (as of last year), a security review that looks for things like malicious code. Once an app is approved, the macOS Gatekeeper feature treats it as safe to run.
As reported by TechCrunch, security researchers Peter Dantini and Patrick Wardle discovered that Apple accidentally notarized a popular piece of malware hiding inside a Flash Player update. Notably, the “Shlayer” malware was deemed by Kaspersky the threat a Mac was most likely to encounter in 2019.
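To show where notarization and Gatekeeper meet on a real machine, here is an added shell example (not from the article or from Wardle’s research) that classifies the output of macOS’s `spctl --assess` check, the same verdict that flips from accepted to rejected once Apple revokes a signing certificate. The app paths, team identifier and sample output lines are constructed, and the `source=Notarized Developer ID` rule name is assumed from spctl’s verbose output.

```shell
#!/bin/sh
# Added example: triage an app bundle's Gatekeeper verdict.
# On macOS, `spctl --assess --type execute -vv <path>` prints the verdict
# ("accepted"/"rejected"), the rule that matched ("source=...") and the
# signer ("origin=..."). After Apple revokes the Developer ID certificate,
# the same check on the same payload reports "rejected".

# classify_gatekeeper: read spctl -vv output on stdin and print one word:
#   notarized | accepted-not-notarized | rejected | unknown
classify_gatekeeper() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q ': rejected'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q '^source=Notarized Developer ID'; then
        echo notarized
    elif printf '%s\n' "$out" | grep -q ': accepted'; then
        echo accepted-not-notarized
    else
        echo unknown
    fi
}

# assess_app: run the real check on a path (macOS only; spctl writes to stderr).
assess_app() {
    spctl --assess --type execute -vv "$1" 2>&1 | classify_gatekeeper
}

# Constructed sample outputs (not captured from the Shlayer payloads).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

SAMPLE_REVOKED='/tmp/Installer.app: rejected
origin=Developer ID Application: Example Corp (TEAMID0000)'

SAMPLE_UNSIGNED='/tmp/Unknown.app: rejected
source=no usable signature'

# With a path argument, assess a real bundle; otherwise classify the samples.
if [ $# -gt 0 ]; then
    assess_app "$1"
else
    printf 'notarized sample: %s\n' "$(printf '%s\n' "$SAMPLE_NOTARIZED" | classify_gatekeeper)"
    printf 'revoked sample:   %s\n' "$(printf '%s\n' "$SAMPLE_REVOKED" | classify_gatekeeper)"
    printf 'unsigned sample:  %s\n' "$(printf '%s\n' "$SAMPLE_UNSIGNED" | classify_gatekeeper)"
fi
```

A fleet-wide check is the same function fed by `find /Applications -name '*.app' -maxdepth 1`, which is how a defender would spot bundles whose certificate has since been revoked.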
Wardle confirmed that Apple had approved code used by the popular Shlayer malware, which security firm Kaspersky said is the “most common threat” that Macs faced in 2019. Shlayer is a kind of adware that intercepts encrypted web traffic — even from HTTPS-enabled sites — and replaces websites and search results with its own ads, making fraudulent ad money for the operators.
Wardle believes this is the first time malware like this has been mistakenly approved by Apple during the notarization process, and it affects recent macOS versions, even the Big Sur beta.
Wardle said that means Apple did not detect the malicious code when it was submitted and approved it to run on Macs — even on the unreleased beta version of macOS Big Sur, expected out later this year.
After Dantini and Wardle discovered the malware, Apple fixed the issue on August 28th. The security threat posed by this adware looks to be relatively low but, of course, is still something Apple wants to prevent.
In a statement, a spokesperson for Apple told TechCrunch: “Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allow us to respond quickly when it’s discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”
However, the cat and mouse game continues, as Wardle detailed on his blog:
As noted, Apple (quickly-ish) revoked the Developer code-signing certificate(s) that were used to sign the malicious payloads. This occurred on Friday, Aug. 28th.
Interestingly, as of Sunday (Aug 30th) the adware campaign was still live and serving up new payloads. Unfortunately these new payloads are (still) notarized:
He explained further:
Both the old and “new” payload(s) appear to be nearly identical, containing OSX.Shlayer packaged with the Bundlore adware.
However the attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy. Clearly in the never ending cat & mouse game between the attackers and Apple, the attackers are currently (still) winning.