When might an Apple malware protection pose more risk to users than no protection at all? When it certifies a trojan as safe even though the trojan sticks out like a sore thumb and represents one of the biggest threats on the macOS platform.
The world received this object lesson over the weekend after Apple gave its imprimatur to the latest samples of “Shlayer,” the name given to a trojan that has been among the most—if not the most—prolific pieces of Mac malware for more than two years. The seal of approval came in the form of a notarization mechanism Apple introduced in macOS Mojave to, as Apple put it, “give users more confidence” that the app they install “has been checked by Apple for malicious components.”
With the rollout of macOS Catalina, notarization became a requirement for all apps. Unless it is installed using methods not mentioned by Apple (more about that later), an unnotarized app generates the following notice, which says it “can’t be opened because Apple cannot check it for malicious software.”
Apple-approved malware has arrived, leading experts to wonder if more is on the way. In a blog post, Patrick Wardle, Principal Security Researcher at Jamf, said Apple had accidentally notarized malicious adware. Malwarebytes says there was a 400 percent increase in the overall prevalence of Mac threats in 2019, but part of that increase is attributable to growth in the Malwarebytes for Mac user base.
Classic Shlayer... with one big difference
On Friday, college student Peter H. Dantini found that homebrew[.]sh—a knockoff of the legitimate homebrew site brew.sh—was pushing a fake Adobe Flash update and warning users that their current version lacked the latest security updates.
It was a classic Shlayer campaign, similar to the hundreds or thousands of previous ones that also used fake Flash updates to infect users with adware, except for one key difference: the trojan had been notarized by Apple. Patrick Wardle, a security researcher at the macOS and iOS enterprise management firm Jamf, said he believes this is the first malware to receive the notarization “stamp of approval.”
Wardle notified Apple on Friday of the erroneously notarized file, and the company quickly revoked the certification, a move that prevented the trojan from infecting up-to-date Macs. On Sunday, Wardle said, he found the site was serving new malicious payloads that were, once again, notarized by Apple.
“Unfortunately, a system that promises trust, yet fails to deliver, may ultimately put users at more risk,” Wardle wrote in a post. “How so? If Mac users buy into Apple’s claims, they are likely to fully trust any and all notarized software. This is extremely problematic as known malicious software (such as OSX.Shlayer) is already (trivially?) gaining such notarization!”
Antivirus provider Malwarebytes also weighed in, saying: “Unfortunately, it’s starting to look like notarization may be less security and more security theater.”
In defense of notarization
In a statement, Apple officials wrote: “Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allows us to respond quickly when it’s discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”
In Apple’s defense, the company has always been clear that notarization is “an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly.” As such, Apple has never presented it as a comprehensive security check.
Another point in Apple's favor: at the time Dantini discovered the malware and reported it to Wardle, the sample had no detections on VirusTotal, the Alphabet-owned malware scanning service that aggregates results from more than 60 AV providers. What's more, Google's Play store regularly admits malicious apps even though its bouncer service purportedly scans for nefarious activity.
And even when notarization prevents an app from being installed normally, it's not that hard to work around the mechanism. As shown in the screenshot below, courtesy of Malwarebytes, unnotarized versions of Shlayer have long presented their marks with a custom background that instructs them to right-click on a disk image file, rather than double-click it as normal, and then select Open.
With that, the malware is installed.
Toothless... and a pain to use
At the same time, and as noted last year by Andrew Cunningham, now a freelance reviewer for Ars, notarization is a burden both for users and developers. Presumably Apple mandated it to augment previously introduced code-signing protections, which require developers to authenticate their apps with an Apple-issued cryptographic certificate. If the service made users safer, you might have a good case for saying that the inconvenience is worth it. It’s harder to make that argument if the new feature gives users a false sense of security.
Notarization looks especially toothless when it fails to detect this particular malware family. As Kaspersky Lab reported in January, Shlayer has been the top macOS threat for about two years and accounted for about 30 percent of all detections on the OS for 2019. Shlayer also goes well beyond the nuisance of adware. For instance, after using click-jacking techniques to trick users into installing a self-signed cryptographic certificate, the malware decrypts and reads all encrypted HTTPS traffic. It also harvests user IDs.
Apple’s goof is even harder to understand when it falls for files like those found on Friday and again on Sunday.
“It was a fake Flash player update... with the Adobe icon and all... that of course was not signed by Adobe,” Wardle told me in an online chat. “You'd have thought that's a big red flag that Apple would straight up just block anyways like, umm, anything that masquerades as ‘Flash’ update ...yah, no, don't notarize that, as who cares what it does (i.e. what malware/adware it is), obv. it's fake/malicious.”
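The article's point is that notarization is an automated scan, not a statement about who the publisher is: the fake Flash installer was notarized but, as Wardle notes, not signed by Adobe. The check below is an added example (not from the article, Apple, or Jamf) that parses the output of Apple's `spctl --assess -vv -t exec` the way a defender would, and treats "notarized" as necessary but not sufficient, also requiring the signer's Team ID to match the vendor the app claims to be. The output samples and the Team IDs are constructed; the expected Team ID for a real vendor is a placeholder you would fill in.

```python
import re
import shutil
import subprocess

# Constructed samples in the shape `spctl --assess -vv -t exec Foo.app` prints.
SPCTL_NOTARIZED = """\
/Volumes/Install/Install.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Publisher (ABCDE12345)
"""
SPCTL_UNNOTARIZED = """\
/Volumes/Install/Install.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Publisher (ABCDE12345)
"""

# Placeholder: the Team ID you expect for the vendor the app claims to be.
EXPECTED_VENDOR_TEAM_ID = "ABCDE12345"


def parse_spctl(text: str) -> dict:
    """Extract Gatekeeper's verdict, the trust source and the signer Team ID."""
    verdict = re.search(r": (accepted|rejected)\s*$", text, re.M)
    source = re.search(r"^source=(.*)$", text, re.M)
    team = re.search(r"\(([A-Z0-9]{10})\)\s*$", text, re.M)
    return {
        "accepted": bool(verdict) and verdict.group(1) == "accepted",
        "notarized": bool(source) and source.group(1).startswith("Notarized"),
        "team_id": team.group(1) if team else None,
    }


def evaluate(text: str, expected_team_id: str) -> str:
    """Notarization alone is not trust: the signer must also be who the app claims."""
    info = parse_spctl(text)
    if not (info["accepted"] and info["notarized"]):
        return "not notarized"
    if info["team_id"] != expected_team_id:
        return "notarized, unexpected signer"
    return "trusted"


def assess_bundle(path: str, expected_team_id: str) -> str:
    """Run spctl on a Mac and evaluate the result; offline, fall back to the sample."""
    if shutil.which("spctl") is None:
        return evaluate(SPCTL_NOTARIZED, expected_team_id)
    out = subprocess.run(["spctl", "--assess", "-vv", "-t", "exec", path],
                         capture_output=True, text=True)
    return evaluate(out.stdout + out.stderr, expected_team_id)
```

A "notarized, unexpected signer" result is the case the article describes: Apple's scan passed the file, but the signing identity is not the vendor whose icon and name the installer carries.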
Updated to add sixth-to-last paragraph.
How much malware for Mac is there?
The amount of Mac-specific malware remains negligible compared to other platforms (namely Windows). However, Mac malware is steadily on the rise, and it is no longer just about the numbers. Today, well-thought-out, targeted malware can cause damage on an unprotected Mac.
Does my Mac need an antivirus?
The truth is that no operating system is 100% secure. Even if one were, vulnerabilities in applications, such as Java and the Java Virtual Machine, can be exploited by malware. A high-performing antivirus adds layers of security, decreasing exposure to potential threats.
Is macOS malware a recent development?
The first examples of macOS malware go back to 2004 with the detection of OSX/Opener (Renepo). OSX/Leap.A followed in 2006, along with other forms of threats developed against macOS.
Is my Mac vulnerable to Windows malware?
Windows malware does not pose any danger to your Mac, even though a Mac can act as a carrier. This means that you can unwittingly pass along infected files from your Mac to other devices.
Does malware pose a threat for macOS?
In recent years, ESET Malware Research Lab has detected and identified over ten new malware families specifically targeting the macOS platform. One example is the Flashback trojan, which infected hundreds of thousands of Mac machines.
Mac Malware on the rise
The history of Mac malware began in 2004 with Opener (Renepo), a shell script featuring both backdoor and spyware functionality. During the following years, others arrived, including the first true macOS worm, called Leap, and the first scareware, MacSweep.
2011 brought the Flashback Trojan, which formed the largest Mac botnet to date. The attackers used social engineering to entice users to download and install a fake Adobe Flash Player update.
In early 2016 researchers spotted KeRanger, the first ransomware targeting Mac users, which encrypted precious personal and work files with unbreakable cryptographic algorithms.