Apple Notarized Malware by Mistake, Hackers Ran it Through Third-Party Website
- Notarized apps should be safe on macOS
- Threat actors try to deploy “approved” malware
- Apple revoked certificates, but malware is still
Apple’s notarization system let a piece of malware into
the macOS ecosystem, allowing attackers to load aggressive adware onto devices
of people who were visiting a website.
macOS users believe Apple shelters them from malware. The
company has often said that it has the most secure OS, which is true to some
degree. Moreover, the company has a notarization system for all new
applications. Without going through this system, in which Apple checks the
software before allowing it to run on the platform, the software can’t even
Twitter user Peter Dantini saw that the website
homebrew.sh (close in name to the official brew.sh) was running a very
aggressive adware campaign. Users will recognize the pattern: the site
tries to persuade them to install the latest Flash Player (actually malware in
disguise), a piece of software that has already been phased out. If the user agrees to
install it, macOS will normally refuse to run it because it is not notarized.
Dantini informed security researcher Patrick Wardle about
the campaign and noted that the software trying to run was notarized. This
means it had passed through Apple's hands, making this the first (known)
example of notarized malware.
The software installs one of the most common pieces of malware on
macOS, Shlayer, which deploys various aggressive adware. It's not as
damaging as it could be, but the fact that Apple approved it raises serious
“As noted, Apple (quickly-ish) revoked the Developer
code-signing certificate(s) that were used to sign the malicious payloads,” said
Wardle. “This occurred on Friday, Aug. 28th. Interestingly, as of Sunday (Aug
30th) the adware campaign was still live and serving up new payloads.
Unfortunately these new payloads are (still) notarized.”
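A defender triaging a downloaded app can ask Gatekeeper directly whether a bundle is notarized, merely signed, or signed with a certificate Apple has since revoked. The following is an added example, not code from the article or from Wardle; it assumes macOS's built-in `spctl` tool, and the output samples in the comments and test are constructed, not captured from the Shlayer payloads.

```python
import re
import subprocess
from typing import Dict

# Verdict buckets a defender cares about when triaging a downloaded app.
NOTARIZED = "notarized"             # accepted, with an Apple notarization ticket
SIGNED_ONLY = "signed-unnotarized"  # Developer ID signed but never notarized
REVOKED = "revoked"                 # signing certificate revoked by Apple
REJECTED = "rejected"               # any other Gatekeeper rejection


def parse_spctl(output: str) -> Dict[str, str]:
    """Turn the text printed by `spctl --assess -vv` into a verdict.

    Assumed format (constructed samples, shaped like real spctl output):
        /Applications/Good.app: accepted
        source=Notarized Developer ID
        origin=Developer ID Application: Example Corp (TEAMID)
    A revoked certificate surfaces as CSSMERR_TP_CERT_REVOKED on the first line.
    """
    lines = output.strip().splitlines()
    first = lines[0] if lines else ""
    match = re.search(r"^source=(.+)$", output, re.MULTILINE)
    source = match.group(1).strip() if match else ""

    if "CSSMERR_TP_CERT_REVOKED" in output:
        verdict = REVOKED
    elif first.endswith(": accepted") and source.startswith("Notarized"):
        verdict = NOTARIZED
    elif source.startswith("Unnotarized"):
        verdict = SIGNED_ONLY
    else:
        verdict = REJECTED
    return {"verdict": verdict, "source": source}


def assess_app(path: str) -> Dict[str, str]:
    """Run Gatekeeper's own assessment on a bundle (macOS only; spctl ships with the OS)."""
    proc = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "-vv", path],
        capture_output=True, text=True, check=False,
    )
    # spctl writes its verdict to stderr rather than stdout.
    return parse_spctl(proc.stderr + proc.stdout)
```

Because Apple revokes certificates after the fact, as it did here, an app that assessed as notarized on Friday can assess as revoked on Monday, so the check belongs in a recurring inventory scan rather than only at download time.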
Users should be wary of websites that want to install any
software locally, no matter the platform. Having a security solution
installed on the device is always helpful as well.