How Did Malware Get Past Apple's Notarization System?

For years, Mac users have had the advantage of dealing with far less malicious software than Windows users. Earlier this year, Apple started notarizing all macOS applications in an attempt to filter out malicious apps. Through this process, the company mistakenly approved adware called Shlayer, which has affected as much as 10% of Apple devices.


Just like other adware, Shlayer inserts ads into search results on macOS devices. It remains unknown how the adware escaped detection by Apple's notarization program, and it has been affecting devices for up to seven months.

Peter Dantini, a college student, first detected the notarized version of the app while using Homebrew, a development tool for Mac users. After mistyping the URL of the website he intended to visit, he was repeatedly redirected to a fake page prompting an Adobe Flash update.

Fully aware of what he had encountered, Dantini downloaded the app intentionally to find out what kind of malware it was. Despite Apple's new notarization standards, macOS showed only the usual warning for internet downloads and did not block the program from running.

Since the malware appeared to be notarized, he contacted Patrick Wardle, a macOS security researcher. Oddly, the adware Dantini came across was nearly identical to previous versions.


Evolving Malware

Wardle, who works at Jamf, had expected the first abuse of Apple's notarization system to 'be something more sophisticated or complex.' However, he was not surprised that adware was the first kind of malware to successfully get past the system.

'Adware developers are very innovative and constantly evolving because they stand to lose a ton of money if they can't get around new defenses,' explained Wardle. 'Notarization is a death knell for a lot of these standard ad campaigns because even if the users are tricked into clicking and trying to run the software, macOS will block it now.'

Apple was notified about Shlayer on August 28, and its notarization certificates were revoked the same day. Two days later, Wardle noticed that the adware campaign was still active and notarized under a different Apple Developer ID. Apple was notified about the updates.

'Malicious software constantly changes, and Apple's notarization system helps us keep malware off the Mac and allow us to respond quickly when it's discovered,' Apple shared in a statement. 'Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates.'


Trusting Apple

Apple also reminded users that App Review is not the same as notarization. The company's 'notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to' users efficiently.
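The practical question for a defender reading this is how to tell, on a given Mac, whether a downloaded app is actually notarized or only signed. The script below is an added example and is not code from the article or from Apple; it wraps the macOS `spctl` assessment tool, which prints its verbose verdict on stderr, and classifies the result. The sample `spctl` output lines embedded in it are constructed for illustration, and the `classify_spctl` function runs on any POSIX system, while `check_app` needs a real macOS host.

```shell
#!/bin/sh
# classify_spctl: read the output of `spctl -a -vv -t execute <app>` on stdin
# and print one word describing what Gatekeeper decided.
#   notarized               -> accepted, source is "Notarized Developer ID"
#   accepted-not-notarized  -> accepted, but only on an ordinary Developer ID
#   blocked                 -> rejected (unsigned, revoked, or otherwise refused)
#   unknown                 -> no recognisable verdict line
classify_spctl() {
  awk '
    /: accepted$/ { verdict = "accepted" }
    /: rejected$/ { verdict = "rejected" }
    /^source=/    { source = substr($0, 8) }
    END {
      if (verdict == "rejected")                   print "blocked"
      else if (source == "Notarized Developer ID") print "notarized"
      else if (verdict == "accepted")              print "accepted-not-notarized"
      else                                         print "unknown"
    }'
}

# check_app: assess a real app bundle on macOS. spctl writes the verbose
# assessment to stderr, so it is merged into stdout before classifying.
# On a host without spctl (anything but macOS) the result is "unknown".
check_app() {
  app_path="$1"
  if ! command -v spctl >/dev/null 2>&1; then
    echo "unknown"
    return 0
  fi
  spctl -a -vv -t execute "$app_path" 2>&1 | classify_spctl
}

# Constructed sample output (not captured from a real system) so the
# classifier can be exercised offline.
sample_notarized='/Applications/Sample.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

sample_signed_only='/Applications/Sample.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

sample_rejected='/Applications/Sample.app: rejected
source=no usable signature'

printf '%s\n' "$sample_notarized"   | classify_spctl   # notarized
printf '%s\n' "$sample_signed_only" | classify_spctl   # accepted-not-notarized
printf '%s\n' "$sample_rejected"    | classify_spctl   # blocked
```

Usage on a Mac is `check_app /Applications/Some.app`. The verdict answers only the question Apple's notary service answers: whether the bundle is signed by a Developer ID and carries a notarization ticket that has not been revoked. As the Shlayer case shows, a "notarized" result is not evidence that the software is benign, and once Apple revokes a certificate the same bundle will move to "blocked" on a machine that has fetched the updated revocation data.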

Thomas Reed of Malwarebytes had wanted to prove that Apple's notarization system was not effective. He had been considering creating malware that would pass the notarization process in order to back up his belief.

He also noted that new malware has been evolving in response to the notarization requirements. One way to cheat the system is to walk users through steps that get around Apple's warnings. Reed also said that antivirus software would be able to detect the notarized Shlayer.

Wardle said that detecting malicious software is difficult and that notarization is, in general, a good security step. 'The average user is going to trust Apple,' he said. 'So if something says it's notarized, even a security-conscious user is more likely to trust that it's OK.'
