MacOS is considered more secure than Microsoft
The adware campaign uses notarized malware, which means it was scanned and “approved” by Apple and will run on Catalina and Big Sur, security researcher Patrick Wardle has found. “As far as I know, this is the first time hackers have been able to abuse Apple’s new notarization,” Wardle told me.
Adware on macOS can be dangerous
Adware may not sound as scary as other malicious software – on the surface, it simply delivers unwanted ads to victims – but it can still be quite dangerous. As Wardle pointed out in his blog, security researcher Thomas Reed in a recent post revealed how adware and PUPs can actually be far more invasive and dangerous on Macs than “real” malware.
“They can capture and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig deep into the system, making it incredibly challenging to eradicate completely.”
Apple’s notarization explained
So what is the notarization process that Apple designed to stop malicious software such as adware from reaching macOS users, and where does it fall short?
Apple introduced notarization requirements in macOS 10.15 (Catalina), requiring developers to submit their applications to Apple before distributing them to macOS users. The intent is that Apple inspects and approves all software before it can run on new versions of macOS.
“If software is not notarized, it will be blocked by macOS, with no option to run it via the alert message,” Wardle explains, adding: “With the goal of stemming the influx of malware targeting macOS, notarization seemed like a promising idea. Unfortunately, not all promises are kept.”
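The check a defender actually runs is Gatekeeper’s own assessment, `spctl --assess -vv <app>`, whose `source=` line says whether the accept/reject verdict rests on notarization. The helper below is an added example, not code from the article or from Wardle; the sample outputs are constructed to match the format spctl prints on Catalina and later (the paths and team ID are made up).

```python
import subprocess

# Constructed sample outputs modelled on `spctl --assess -vv <app>` (printed to stderr).
# Field names are real; the paths and team ID are invented for this example.
SAMPLE_NOTARIZED = (
    "/Applications/Example.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_UNNOTARIZED = (
    "/Users/me/Downloads/Installer.app: rejected\n"
    "source=Unnotarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_NO_SIG = (
    "/Users/me/Downloads/FlashPlayer.app: rejected\n"
    "source=no usable signature\n"
)


def classify_assessment(output: str) -> dict:
    """Parse spctl assessment text into verdict, source and origin.

    The accepted/rejected verdict is what decides whether the app launches;
    the 'source' field tells you whether that verdict rests on notarization.
    As the article shows, 'Notarized' is not a clean bill of health, only
    evidence that Apple's scan found nothing when the payload was submitted.
    """
    verdict, fields = "unknown", {}
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            verdict = "accepted"
        elif line.endswith(": rejected"):
            verdict = "rejected"
        elif "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    source = fields.get("source", "")
    return {
        "verdict": verdict,
        "notarized": verdict == "accepted" and source.startswith("Notarized"),
        "source": source,
        "origin": fields.get("origin", ""),
    }


def assess_app(path: str) -> dict:
    """Run Gatekeeper's assessment on a real bundle (macOS only; spctl writes to stderr)."""
    proc = subprocess.run(["spctl", "--assess", "-vv", path], capture_output=True, text=True)
    return classify_assessment(proc.stdout + proc.stderr)
```

Once Apple revokes a payload’s notarization, as it did here, a fresh assessment of the same bundle flips to `rejected`, which is why re-running the check matters more than remembering an earlier result.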
Wardle cites a campaign impersonating Homebrew, the legitimate package manager hosted at brew.sh. On August 28, Twitter user Peter Dantini noticed that the website homebrew.sh (not to be confused with the legitimate Homebrew website brew.sh) was hosting an active adware campaign.
If a user inadvertently visited homebrew.sh, an update for “Adobe Flash Player” would be aggressively recommended after various redirects.
These types of campaigns usually use non-notarized code, so they get stopped in their tracks. However, the homebrew.sh campaign delivered adware payloads that were fully notarized, Wardle said.
This means the malicious payloads were submitted to Apple before distribution: Apple scanned them, apparently found nothing malicious, and inadvertently notarized them. As a result, these malicious payloads are allowed to run – even on macOS Big Sur.
The notarized payloads appear to be OSX.Shlayer malicious software, Wardle discovered. OSX.Shlayer may be the most common malware that infects macOS systems, says Kaspersky – and the ultimate goal of OSX.Shlayer is to download and install macOS adware continuously.
In addition to this, OSX.Shlayer is smart, and has rapidly evolved and found ways to bypass macOS security mechanisms. “As such, it’s not so surprising that this insidious malware has continued to evolve to trivially side-step Apple’s best efforts,” admits Wardle.
With this in mind, he warns users against blindly trusting all Apple-notarized software. “If Mac users buy into Apple’s claims, they’ll probably fully trust all notarized software. This is extremely problematic as known malware (such as OSX.Shlayer) already gets such a notarization.”
Wardle reported his findings to Apple, which quickly revoked the certificates and the payloads’ notarization status, so that the malicious payloads will no longer run on macOS. However, Wardle says: “The fact that known malware was initially notarized raises many questions.”
Wardle adds that the campaign is already underway again – on August 30, the adware campaign was still live and serving new payloads. “Unfortunately, these new payloads are (still) notarized, which means that even on Big Sur, they will (still) be allowed to run.”
I have asked Apple for a comment on this story and will update the article when the company responds.
Your best defense is yourself
Sean Wright, Immersive Labs’ application security manager, tells me that he “has never been a firm believer” in Apple’s approach to vetting apps. “While I can see where they’re coming from, the sheer volume and complexity means they’ll hardly do a thorough job of researching all the apps, and it’s not surprising to see many slip through.”
Wright says notarization is “better than nothing,” but it is not adequate security. “Criminals are getting smarter when it comes to avoiding detection, making it harder to detect malicious software, especially when they only use tools to do so.”
Cybercriminals will continue to develop their methods, and it is important that vendors such as Apple remain vigilant. But it is also true that you are your own best defense. Always check what you are downloading, make sure you trust its source, and install only the apps you need.