Apple Notarized Malware by Mistake, Hackers Ran it Through Third-Party Website

  • Notarized apps should be safe on macOS
  • Threat actors try to deploy “approved” malware through website
  • Apple revoked certificates, but malware is still up

Apple’s notarization system let a piece of malware into the macOS ecosystem, allowing attackers to load aggressive adware onto devices of people who were visiting a website.

DevOps Connect:DevSecOps @ RSAC 2022

macOS users believe Apple shelters them from malware. The company often said that it has the most secure OS, which is true to some degree. Moreover, the company has a notarization system for all new applications. Without going through this system, in which Apple checks the software before allowing it to run on the platform, the software can’t even run.

Twitter user Peter Dantini saw that the website (close in name with the official was running a very aggressive adware campaign. Users will recognize these attempts when a website tries to persuade users to get the latest Flash Player (actually a malware in disguise), a piece of software that’s already phased out. If the user agrees to install the software, macOS will not allow it to run because it’s not notarized.

Dantini informed security researcher Patrick Wardle about the campaign and noticed that the software trying to run was notarized. This means that it passed through Apple’s hands, making this the first (known) example of notarized malware.

The software installs one of the most common malware on macOS, named Shlayer, which deploys various aggressive adware. It’s not as damaging as it could be, but the fact that Apple approved it raises serious questions.

“As noted, Apple (quickly-ish) revoked the Developer code-signing certificate(s) that were used to sign the malicious payloads,” said Wardle. “This occurred on Friday, Aug. 28th. Interestingly, as of Sunday (Aug 30th) the adware campaign was still live and serving up new payloads. Unfortunately these new payloads are (still) notarized.”

Uses should be wary of websites wanting to install any software locally, no matter the platform. Also, having a security solution installed on the device is always helpful.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Silviu STAHIE. Read the original post at: