The creators of the Shlayer adware have found a way to get Apple to certify (notarize) their malicious payload, allowing it to bypass the anti-malware checks that macOS performs before any software is installed.
What is Apple notarization?
Apple uses a number of technologies to prevent malware from being offered for download in the App Store and from running on devices developed by Apple:
- App review: Applications are reviewed by Apple before being published on the App Store and must meet specific guidelines to be accepted.
- Code signing: Developers sign their applications with a developer certificate issued by Apple to assure users that the software comes from a known source and has not been modified since it was last signed. macOS Gatekeeper checks the developer’s certificate and consults its list of known malware when the application is first opened, and blocks the application from running if it is known malware or if the developer (certificate) is not recognized.
- Notarization: An automated verification that scans software for malicious content and looks for code signing problems. If the package passes the verification, you receive a ticket that proves that the notarization was successful, and the ticket “tells” the Gatekeeper that Apple certified the software, that is, that it is indeed safe to run.
Apple’s notarization is a relatively new security mechanism that, in theory, should detect malicious software and prevent it from being installed on a macOS system. But it turns out it’s not infallible.
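The three mechanisms above can be queried directly on a Mac before an app is opened. The script below is an added example, not code from the article or from any of the researchers it quotes: it wraps Apple's own `spctl` (Gatekeeper assessment), `codesign` and the Team ID that notarization is tied to, and includes portable parsing helpers exercised on constructed sample output (shaped like the tools' output, not captured from the Shlayer sample). The app path, Team ID and output strings in the samples are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the article: what a defender can ask Gatekeeper's own
# tools about an app before trusting it. `spctl` and `codesign` are Apple's
# macOS command-line tools; the parsing helpers below are portable POSIX shell.

# Classify the verbose output of `spctl --assess --type execute -vv <app>`.
# Prints one of: rejected | notarized | developer-id-only | unknown
classify_spctl() {
    case "$1" in
        *": rejected"*)                     echo rejected ;;
        *"source=Notarized Developer ID"*)  echo notarized ;;
        *"source=Developer ID"*)            echo developer-id-only ;;
        *)                                  echo unknown ;;
    esac
}

# Pull the Team ID out of `codesign -dvv` output (line "TeamIdentifier=...").
# Notarization and its revocation are tied to the developer account, so
# recording the Team ID is what lets you notice the same payload reappearing
# under a different developer ID after a revocation.
team_id_of() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Run the real checks on macOS; returns non-zero unless the app is notarized.
check_app() {
    app="$1"
    command -v spctl >/dev/null 2>&1 || { echo "spctl not available (not macOS)"; return 2; }
    assess=$(spctl --assess --type execute -vv "$app" 2>&1)   # spctl writes to stderr
    sig=$(codesign -dvv "$app" 2>&1)                          # codesign writes to stderr
    verdict=$(classify_spctl "$assess")
    echo "verdict=$verdict team=$(team_id_of "$sig")"
    [ "$verdict" = notarized ]
}

# Constructed sample outputs (hypothetical app, hypothetical Team ID) so the
# helpers can be exercised on any system:
SAMPLE_ACCEPTED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_REJECTED='/Users/me/Downloads/FlashPlayer.app: rejected
source=Unnotarized Developer ID'
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
TeamIdentifier=TEAMID0000'

# Usage on macOS: sh check_app.sh /path/to/Some.app
[ $# -gt 0 ] && check_app "$1"
```

A "notarized" verdict only means the bundle passed Apple's automated scan at the time the ticket was issued and that the ticket has not since been revoked; the Team ID is worth logging alongside the verdict because it is the identity Apple revokes.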
Notarized macOS malware
The first known instance of notarized macOS malware was discovered last week by a college student who noticed that people who want to download Homebrew (available from brew.sh) and mistakenly enter the wrong URL (homebrew.sh) receive a warning that their Adobe Flash Player is out of date and are offered an update for download.
Security researcher Patrick Wardle analyzed the served package and confirmed that it is, in fact, not an update, but rather a notarized version of the macOS Shlayer adware, which Gatekeeper does not detect as malicious.
This particular variant of this common adware is detected by various third-party antivirus applications, but many macOS users still do not run one because they believe that Macs cannot get malware.
How is this possible?
“We’re still not exactly sure what the Shlayer folks did to certify their malware, but increasingly, it seems they did nothing at all,” said Apple security expert Thomas Reed, who compared the notarized code with that of an older (non-notarized) Shlayer sample and detected only minor changes.
“It is quite possible that something in this code, somewhere, was modified to break whatever detection Apple might have had for this adware. Without knowing how (yes?) Apple was detecting the oldest sample, it would be quite difficult to identify if changes were made to the notarized sample that would break that detection,” he noted.
“This leaves us with two different possibilities, neither of which is particularly attractive. Apple was able to detect Shlayer as part of the notarization process, but breaking that detection was trivial, or Apple had nothing in the notarization process to detect Shlayer, which has been around for a couple of years at this point.”
Wardle notified Apple about the notarized Shlayer adware on August 28, and Apple immediately revoked the certificates that had been used for notarization. However, two days later, the adware distribution campaign was still going strong: it was serving another Shlayer sample that had been notarized under a different Apple developer ID.
“The ability of attackers to agilely continue their attack (with other notarized payloads) is noteworthy. Clearly, in the never-ending game of cat and mouse between the attackers and Apple, the attackers are currently winning (still),” Wardle commented.
Reed noted that notarizing malicious software is just one of the ways adware distributors are trying to bypass macOS and users’ defenses.
“We’re seeing quite a few cases where malware authors have stopped signing their software and instead shipped it with instructions to the user on how to run it,” he explained.
“The malware comes in a disk image file (.dmg) with a custom background. That background image shows instructions for opening the software, which is not signed or notarized.”