[ad_1]
One of the key components of Apple’s product security strategy is the requirement that developers sign their apps and submit them to Apple for approval and code scanning before they are allowed to appear in iOS app stores. or macOS. The idea is to prevent people from mistakenly installing malicious or unreliable apps, but sometimes things still slip away, and recently an app containing notorious malware hit the macOS store and was notarized by Apple.
The malware, known as OSX Shlayer, was transported as a payload as part of an adware campaign that ran on a site posing as the project page of an open source project called Homebrew. Visitors to the fake site were sent through a series of redirects and were eventually shown a pop-up window saying that their version of Flash was out of date and that they needed to download the new version to continue. It’s an old tactic used by malicious site operators and exploit kits to trick people into installing malware, and it has been effective for many years. And this is one of the attack vectors that Apple’s application notarization system is designed to cut through by preventing unsigned and un-notarized applications from being installed.
But in this case, the application that is downloaded is certified by Apple, which means that the victim’s machines will trust it and allow it to run. A fake site visitor Peter dantini, noticed what was going on and sent the details to Patrick Wardle, a prolific Apple security researcher and principal security researcher at Jamf, who investigated to see what was happening with the downloaded app. Wardle discovered that the adware downloads and installs four separate packages, comprising the Shlayer malware that targets Macs. Shlayer has been around for a while and is known to masquerade as Adobe Flash Player updates. It is mainly used to show unwanted ads to victims, but it can also steal information.
“As far as I know, this comes first: malicious code that gets Apple’s notarized ‘seal of approval,” Wardle said in his analysis of the incident.
“In Apple’s own words, notarization was supposed to ‘give users more confidence in [software] … Has been checked by Apple for malicious components. ‘Unfortunately, a system that promises trust, but doesn’t deliver, can ultimately put users at greater risk. How is that? If Mac users buy Apple’s claims, they are likely to fully trust any notarized software. This is extremely problematic, as known malicious software (like OSX.Shlayer) is already (trivially?) Getting such certification.
Wardle reported the issue to Apple on August 28, and the company revoked the code signing certificate for the developer. However, on the same day, the developer used a new certificate to sign new payloads.
“Both the old and ‘new’ payloads appear to be almost identical and contain OSX.Shlayer bundled with the Bundlore adware. However, the ability of attackers to agilely continue their attack (with other notarized payloads) is remarkable, ”Wardle said.
[ad_2]
