
MacRumors

macrumors bot
Original poster
Apr 12, 2001


Apple mistakenly approved and notarized a common kind of malware for macOS on at least two occasions, reports TechCrunch.



Apple requires developers to submit their apps for security checks to run on macOS in a process called "notarization." Notarization was required from the launch of macOS Catalina. If software has not been notarized, it will be blocked by default in macOS.

Peter Dantini and security researcher Patrick Wardle at Objective-See report that they have found the first malware for Mac that has been successfully notarized by Apple, even for the latest beta version of macOS Big Sur. The notarized malware was disguised as an Adobe Flash installer, which is an oft-used technique to convince unknowing users to install a trojan.

It contained "Shlayer" malware, which is said to be the "most common threat" to Macs in 2019. Shlayer is a kind of adware that intercepts encrypted web traffic, even from securely-encrypted HTTPS-enabled websites, and replaces it with its own ads to raise fraudulent ad revenue.

The researchers believe that Apple cannot have detected the malicious code when it was submitted for approval. The discovery is particularly surprising, given that the malware and its vehicle are extremely common. Upon notification from the researchers, Apple revoked the notarization.

"Malicious software constantly changes, and Apple's notarization system helps us keep malware off the Mac and allow us to respond quickly when it's discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe," an Apple spokesperson told TechCrunch.

In spite of Apple's statement, the researchers reported that the bad actors were able to get yet another malware trojan notarized soon after. As of yesterday, the second set of notarized payloads was still approved by Apple.

Earlier this month, a new kind of Mac malware was discovered that infects via Xcode and supposedly can infiltrate the Mac App Store, undetected by Apple.

Article Link: Apple's Notarization Process Repeatedly Approved Malware for Mac
 
Any way to detect if you have either of these pieces of malware on your computer? I run Malwarebytes on my computer but I am sure it is not 100% effective.
 
Just another reason why we should be allowed to install 3rd party apps on iOS without the App Store. Just because Apple approves the app (I know it’s for macOS in this particular article) doesn’t mean it’s guaranteed to be safe.

But third party apps are available for MacOS, and that's part of the attack vector here.

If one wants to run their own apps outside of the App Store, then use Android. I never understood the desire to basically turn an iPhone into an Android device. Part of the appeal is the safety net afforded to iOS by the App Store...
 
Just another reason why we should be allowed to install 3rd party apps on iOS without the App Store. Just because Apple approves the app (I know it’s for macOS in this particular article) doesn’t mean it’s guaranteed to be safe.

This is a totally different case. "Notarization" is just Apple running an automated malware scan on the apps, it's not a manual review by an actual person.
 
IIRC, the notarization is completely automatic, sort of running the code through an anti-virus software, no humans are involved. That process can get no better than the database of threats that it scans for.
Bad Apple for not keeping it sufficiently updated, but nothing more.
 
The victim isn't really the owner of the Mac, but the owner of the website if this malware is present...

All that's happening is the Mac gets different ads than it should.
Not necessarily. If the malware is capable of doing MITM (and it is), then there's no reason that this malware couldn't be harvesting credentials and sending them back to its mothership.
 
Anyone recommend a good solution for finding these types of things and removing them? I'm unsure where to start for virus removal.
 
But third party apps are available for MacOS, and that's part of the attack vector here.

If one wants to run their own apps outside of the App Store, then use Android. I never understood the desire to basically turn an iPhone into an Android device. Part of the appeal is the safety net afforded to iOS by the App Store...

But the safety net isn’t 100% effective. If it fails to work 100% for macOS, what’s to say malware doesn’t make it onto iOS or iPadOS?
 
Just another reason why we should be allowed to install 3rd party apps on iOS without the App Store. Just because Apple approves the app (I know it’s for macOS in this particular article) doesn’t mean it’s guaranteed to be safe.
Nobody can guarantee it to be safe. But imagine how much malware there would be if they didn't try to limit it. Your reason just doesn't make any sense.
 
Just confirmed that even Apple’s notarization process isn’t infallible. You should still use common sense and not install a package from an untrusted developer. Worked for the first 15 years of Mac OS X, don’t know why it’s changed now.
 
An actual real-life notary public doesn’t certify anything about the content of the document you’re signing, they only witness that it was actually you that signed it.

I expected that Apple’s notarization service was primarily designed to associate an app with a developer, and register the pairing with Apple, so that if the app subsequently started doing something really unsavory in the real world, posing a threat to customers, it could be shut off by Apple.
 
An actual real-life notary public doesn’t certify anything about the content of the document you’re signing, they only witness that it was actually you that signed it.

I expected that Apple’s notarization service was primarily designed to associate an app with a developer, and register the pairing with Apple, so that if the app subsequently started doing something really unsavory in the real world, posing a threat to customers, it could be shut off by Apple.
What you're describing is a secondary function of Apple Notarization. It is primarily an automated malware scanner. https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
Unfortunately, it seems the definitions of the malware scanner aren't exactly up to date.
 
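A defender-side helper for the notarization check discussed in the post above, added here as an example (it is not code from the thread, from MacRumors or from Apple): it interprets what Gatekeeper's `spctl` reports for a downloaded installer and records the Team ID the notarization binds it to, so a later revocation like the one Apple describes shows up as a changed verdict. It assumes the `file: accepted|rejected` / `source=` / `origin=` layout that `spctl -a -vv` prints; the sample verdicts and the Team ID `ABCDE12345` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple. Notarization is an
# automated scan plus a developer binding, so "notarized" is evidence, not
# proof, that a package is clean; the Team ID is what a revocation acts on.

# classify_spctl TEXT
# TEXT is what `spctl -a -vv -t install <file>` prints (to stderr; use 2>&1).
# Prints one word: rejected, notarized, developer-id (signed, not notarized)
# or unknown. The verdict line is checked first, because a revoked ticket or
# certificate still leaves a "source=" line behind.
classify_spctl() {
    case "$1" in
        *": rejected"*)                    echo rejected ;;
        *"source=Notarized Developer ID"*) echo notarized ;;
        *"source=Developer ID"*)           echo developer-id ;;
        *)                                 echo unknown ;;
    esac
}

# team_id_from_spctl TEXT
# Extracts the 10-character Team ID from the "origin=... (TEAMID)" line;
# prints nothing when there is no signing identity to report.
team_id_from_spctl() {
    printf '%s\n' "$1" | sed -n 's/^origin=.*(\([A-Z0-9]\{10\}\))$/\1/p'
}

# check_installer FILE
# On macOS runs spctl and prints "verdict team-id file"; elsewhere spctl does
# not exist, so the verdict is "unknown". Use -t execute for .app bundles.
check_installer() {
    if command -v spctl >/dev/null 2>&1; then
        out=$(spctl -a -vv -t install "$1" 2>&1)
    else
        out=""
    fi
    printf '%s %s %s\n' "$(classify_spctl "$out")" "$(team_id_from_spctl "$out")" "$1"
}

# Constructed sample: a notarized Developer ID package (placeholder Team ID).
SAMPLE_NOTARIZED='/tmp/Installer.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Example Corp (ABCDE12345)'

# Constructed sample: the same package after Gatekeeper stops accepting it.
SAMPLE_REJECTED='/tmp/Installer.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: Example Corp (ABCDE12345)'

printf '%s %s\n' "$(classify_spctl "$SAMPLE_NOTARIZED")" "$(team_id_from_spctl "$SAMPLE_NOTARIZED")"
printf '%s %s\n' "$(classify_spctl "$SAMPLE_REJECTED")" "$(team_id_from_spctl "$SAMPLE_REJECTED")"
```

Keeping the printed Team ID next to the download lets you match it against Apple's revocation notice (or a second spctl run) rather than trusting the one-time "accepted" verdict.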
Just another reason why we should be allowed to install 3rd party apps on iOS without the App Store. Just because Apple approves the app (I know it’s for macOS in this particular article) doesn’t mean it’s guaranteed to be safe.

That's very dubious logic. This would be like saying that we should remove traffic lights and speed limits on roads because accidents happen anyway.

While the goal of the MacOS and iOS app store may be to never allow malware, their failure to meet that goal does not invalidate the stores' purpose. The reduction and increased safety the stores provide are still imperative to the user experience.

If you could prove in an alternate situation where you have a set of average iOS users who download outside the app store and a set who only use the app store and both users became infected with similar malware at the same rate, then you would have an argument.
 
Just another reason why we should be allowed to install 3rd party apps on iOS without the App Store. Just because Apple approves the app (I know it’s for macOS in this particular article) doesn’t mean it’s guaranteed to be safe.
You’ll get Disagree’d into oblivion for saying it, but you’re right. If an OS’s so-called security relies on human review of software binaries, rather than its source code, it’s not security at all.
 