When can an Apple malware protection pose more risk to users than none at all? When it certifies a trojan as safe even though that trojan sticks out like a sore thumb and represents one of the biggest threats on the macOS platform.
The world got this object lesson over the weekend after Apple gave its imprimatur to the latest samples of “Shlayer”, the name given to a trojan that has been among the most, if not the most, prolific pieces of Mac malware for more than two years. The approval stamp came in the form of the notarization mechanism that Apple introduced in macOS Mojave to, as Apple put it, “give users more confidence” that the app they are installing “has been checked by Apple for malicious components.”
With the rollout of macOS Catalina, notarization became a requirement for all apps. Unless it is installed using a method Apple doesn’t mention (more on that later), an unnotarized app triggers the following alert stating that it “cannot be opened because Apple cannot check it for malicious software.”
Classic Shlayer … with a big difference
On Friday, college student Peter H. Dantini found that homebrew[.]sh, a knockoff of the legitimate Homebrew site brew.sh, pushed a fake Adobe Flash update and warned users that their current version was missing the latest security updates.
It was a classic Shlayer campaign, similar to the hundreds or thousands of earlier ones that also used fake Flash updates to infect users with adware, except for one key difference: the trojan was notarized by Apple. Patrick Wardle, a security researcher at macOS and iOS company Jamf, said he believes this is the first malicious software to receive such an “approval stamp”.
Wardle notified Apple on Friday of the wrongly notarized file, and the company quickly revoked the certification, a move that prevented the trojan from infecting up-to-date Macs. On Sunday, Wardle said, he found that the site was serving new malicious payloads that were once again notarized by Apple.
“Unfortunately, a system that promises trust but does not deliver can ultimately put users at greater risk,” Wardle wrote in a post. “How about it? If Mac users buy into Apple’s claims, they’ll probably fully trust all notarized software. This is extremely problematic, as known malware (such as OSX.Shlayer) already (trivially?) gets one: notarization!”
Antivirus vendor Malwarebytes also weighed in, saying, “Unfortunately, it’s starting to look like notarization may be less security and more security theater.”
In defense of notarization
In a statement, Apple officials wrote: “Malware is constantly changing, and Apple’s notarization system helps us keep malware out of the Mac and allows us to respond quickly when it is detected. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their help in keeping users safe.”
In Apple’s defense, the company has always been clear that notarization is “an automated system that scans your software for malicious content, looks for code signing issues, and returns the results to you quickly.” As such, Apple has never presented it as a comprehensive security check.
And even when notarization prevents an app from being installed normally, the mechanism is not that difficult to bypass. As shown in the screenshot below, provided courtesy of Malwarebytes, unnotarized versions of Shlayer have long shipped in disk images with a custom background that instructs users to right-click the file instead of double-clicking it as usual, and then to select Open.
With that, the malware is installed.
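The two points above, that the Gatekeeper alert only fires for unnotarized apps and that a right-click Open overrides it, mean the useful defender question is “what does Gatekeeper actually know about this file?” rather than “did a dialog appear?”. The following script is an added example, not code from the article or from Apple: it prints the quarantine flag (the attribute that causes Gatekeeper to assess a download at all), runs Apple’s own `spctl` assessment and reduces its text to one of four labels, and lists who signed the bundle so the signer can be compared with whoever the app pretends to be. The `classify_spctl` parser keys on the “accepted”/“rejected” verdict and the “source=Notarized Developer ID” line that `spctl -vv` prints on Catalina; the sample assessment texts in the usage note and any paths are constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of the article): inspect what Gatekeeper knows about a
# downloaded app before opening it. Assumes macOS with the stock spctl, xattr and
# codesign tools; the parser below runs anywhere.

# classify_spctl: read the text of `spctl --assess -vv` on stdin and print one of
#   rejected | notarized | signed-not-notarized | unknown
# "rejected" is checked first because a revoked or unnotarized bundle is rejected
# regardless of which "source=" line follows.
classify_spctl() {
    out=$(cat)
    case "$out" in
        *": rejected"*)                     echo rejected ;;
        *"source=Notarized Developer ID"*)  echo notarized ;;
        *": accepted"*)                     echo signed-not-notarized ;;
        *)                                  echo unknown ;;
    esac
}

# inspect_app: print quarantine state, Gatekeeper verdict and signer for PATH.
# Returns 1 when the macOS tools are not available.
inspect_app() {
    path=$1
    echo "== $path"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available (not macOS); nothing to assess"
        return 1
    fi
    # Quarantine attribute: set by browsers on downloads; without it Gatekeeper
    # never looks at the file, notarized or not.
    if q=$(xattr -p com.apple.quarantine "$path" 2>/dev/null); then
        echo "quarantine: $q"
    else
        echo "quarantine: (none; Gatekeeper will not assess this file)"
    fi
    # Gatekeeper's own verdict, e.g. "accepted" plus "source=Notarized Developer ID".
    verdict=$(spctl --assess --type execute -vv "$path" 2>&1)
    printf '%s\n' "$verdict"
    echo "verdict: $(printf '%s\n' "$verdict" | classify_spctl)"
    # Signer identity: a "Flash" installer whose Authority is not Adobe is the
    # kind of mismatch the article's researcher points at.
    codesign -dvv "$path" 2>&1 | grep -E '^(Identifier|TeamIdentifier|Authority)=' || true
}

# Usage: ./gk_inspect.sh /path/to/Downloaded.app (no arguments: do nothing)
if [ "$#" -gt 0 ]; then
    inspect_app "$1"
fi
```

Note that “notarized” here means only that Apple’s automated scan produced a ticket at the time of checking, which is exactly the stamp the Shlayer samples carried; treat it as one signal alongside the signer identity and the quarantine state, not as a verdict on the app.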
Toothless … and a pain to use
At the same time, and as Andrew Cunningham, now a freelance reviewer for Ars, noted last year, notarization is a burden for both users and developers. Apple presumably mandated it to extend the code-signing protection it introduced earlier, which requires developers to sign their apps with an Apple-issued cryptographic certificate. If the service made users more secure, one could reasonably argue that the hassle is worth it. That argument is harder to make if the new feature gives users a false sense of security.
Notarization looks especially toothless when it fails to detect this particular malware family. As Kaspersky Lab reported in January, Shlayer has been the top macOS threat for about two years and accounted for about 30 percent of all detections on the operating system in 2019. Shlayer also goes well beyond the nuisance of adware. For example, after using click-jacking techniques to trick users into installing a self-signed cryptographic certificate, the malware decrypts and reads all encrypted HTTPS traffic. It also collects user IDs.
Apple’s goof is even harder to understand given the nature of the files found on Friday and again on Sunday.
“It was a fake Flash player update … with the Adobe icon and everything … which of course was not signed by Adobe,” Wardle told me in a chat. “You would have thought it’s a big red flag that Apple’s straight up, just blocking, anyway, umm, anything that pretends to be a ‘Flash’ update … yah, no, do not notice it, like who cares what it does (ie what malware / adware it is), whether it is fake / malicious.”