Posted September 9, 2020
Security researchers have discovered a variant of Shlayer malware – an extremely common macOS threat – that appears to have bypassed Apple’s
In this short article we will tell you what you need to know about the problem and how you can be safe.
How apps are checked (in theory)
Ever since macOS Catalina, third-party apps must be submitted to Apple for a process called App Notarization. Apps are checked for code-signing issues and analyzed for indications of malicious components. The process is fully automated, and most developers report that apps submitted to Apple’s notarization service are usually approved within minutes.
Before an app can run on your system, Gatekeeper checks that it has been properly notarized. If it has not been, the app is blocked: it simply will not run, and you receive a notification that the app cannot be checked for malicious software and that you should contact the developer.
App Notarization is in principle a good idea: it adds a security layer to third-party apps and gives users some assurance that what they are about to run on their system is what the developer intended, and that Apple has checked it for dangerous code.
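The Gatekeeper check described above can be reproduced by hand with Apple’s own `codesign` and `spctl` tools. The script below is an added example, not code from the article or from Apple: it verifies a bundle’s signature, asks Gatekeeper for an execution assessment, and classifies the verdict by whether the acceptance was based on a notarization ticket. The `classify_assessment` helper, the exit-code convention and the two sample reports are all constructed for this illustration; the sample reports follow the shape of real `spctl` output but name a placeholder app and team.

```shell
#!/bin/sh
# Added example (not from the article): assess whether a macOS app bundle
# passes Gatekeeper and whether that pass rests on Apple notarization.
# Usage: sh check_notarization.sh /Applications/Some.app
# With no argument it runs the classifier on constructed sample reports.

# Classify the text of an `spctl --assess` report.
# Prints one word and returns: 0 = accepted on a notarization ticket,
# 1 = accepted for another reason (e.g. an older Developer ID signature),
# 2 = rejected or unreadable. (Exit-code convention is this script's own.)
classify_assessment() {
    report="$1"
    case "$report" in
        *": accepted"*"source=Notarized Developer ID"*)
            echo "notarized"; return 0 ;;
        *": accepted"*)
            echo "accepted-not-notarized"; return 1 ;;
        *)
            echo "rejected"; return 2 ;;
    esac
}

# Run the real checks against a bundle on disk (macOS only).
assess_app() {
    app="$1"
    [ -d "$app" ] || { echo "not an app bundle: $app" >&2; return 2; }
    # Step 1: the signature itself must be intact; a broken or missing
    # signature can never be notarized.
    if ! codesign --verify --deep --strict --verbose=2 "$app" 2>&1; then
        echo "rejected"; return 2
    fi
    # Step 2: ask Gatekeeper for its verdict. spctl writes the verdict and
    # the "source=" line to stderr, so both streams are captured.
    report=$(spctl --assess --type execute -vv "$app" 2>&1)
    classify_assessment "$report"
}

# Constructed sample reports (placeholder app and team, not real values).
SAMPLE_NOTARIZED="/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Inc (EXAMPLETEAM)"
SAMPLE_REJECTED="/Applications/Example.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Inc (EXAMPLETEAM)"

if [ $# -gt 0 ]; then
    assess_app "$1"
else
    classify_assessment "$SAMPLE_NOTARIZED"          # notarized
    classify_assessment "$SAMPLE_REJECTED" || true   # rejected
fi
```

The distinction the classifier draws matters for the incident in this article: a malicious bundle that was notarized produces exactly the same "accepted / Notarized Developer ID" report as a legitimate one, so this check tells you whether Apple’s automated review passed the app, not whether the app is actually safe. Once Apple revokes the signing certificate, the same bundle flips to "rejected".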
At least that’s how it’s supposed to work …
What happened in August
Late last month, a college student named Peter Dantini accidentally navigated to a malicious website whose URL was similar to the one he was trying to visit. Dantini was soon on the receiving end of a classic Mac malware distribution vector: the fake Adobe Flash Player update. He immediately realized that something was wrong, and downloaded the “update” to inspect it further.
That’s when he noticed that macOS was not trying to block the app from running on his Mac, indicating that it had somehow circumvented the notarization requirement. The eagle-eyed student forwarded the discovery to veteran malware researcher Patrick Wardle, who was able to perform a more detailed analysis.
What Wardle found was shocking, to say the least: the fake website was distributing versions of Shlayer malware that had been fully notarized by Apple! In other words, the malware had been submitted to Apple’s App Notarization process, but the automated service failed to detect the malicious components it contained. It was released into the world with Apple’s stamp of approval – and thus with the ability to run on newer versions of macOS.
When Apple was informed of the problem, the company immediately revoked the developer certificates that had been used to sign the malicious code prior to notarization, thus neutralizing the malware. But as Wardle noted in his write-up, new versions of the malware (possibly signed with other developer certificates) were already being distributed on the offending site, and these too were fully notarized by Apple.
What it means and how you can be safe
There is clearly an issue with App Notarization, and it’s a safe bet that Apple’s security team is working overtime to find out what it is (and what to do about it).
First the good news: App Notarization is still effective at stopping the bad actors who don’t even bother to try to game the process, and who instead try to trick users into performing convoluted workarounds to get un-notarized apps to run.
Unfortunately, the incident calls into question whether notarized apps can be considered completely safe, since at the moment no one is sure how this malware initially made it through the review process.
Until we know more, all users should take the following precautions:
Never try to run apps that have not been notarized, even if the “developers” send you detailed instructions on how to do so. This is an increasingly common tactic used by bad actors to get around the App Notarization requirement and have users infect their own computers.
Check and double-check the source of an app before downloading it. Only download apps from the developer’s official website (for now, avoid app distribution platforms and third-party download sites).
Look for clear signs of malicious download pages: if you are redirected from the URL you tried to visit to a strange website with pop-ups or an unrelated URL, close your browser and recheck the original URL to make sure you have the right one.
Be vigilant when clicking links that arrive via email, messenger or SMS. This is one of the most common ways people are redirected to malicious download sites. If you are not sure how to spot fake links and phishy emails, you can take this short quiz as a refresher.
Use a reputable malware detection and removal tool on your Mac. A good security app can scan your system for malicious programs and help you remove them if you have been infected.