Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple's automated notarization process mistakenly approved Mac malware

Apple mistakenly approves Mac malware in notarization.

Last updated

Security researchers have discovered that Apple's macOS app notarization process has mistakenly approved a piece of malware disguised as a Flash installer.

Apple requires Mac app developers — even those outside of the App Store — to submit apps for notarization, which checks them for security issues and malicious code. If they don't pass notarization, apps will be blocked by Gatekeeper.

But macOS security researcher Patrick Wardle and Twitter user Peter Dantini have found that at least one piece of malicious code appears to slipped through Apple's safeguards.

On Friday, Dantini noticed that a Flash installer adware campaign actually featured malicious code that was notarized by Apple. The effect of that notarization is that the installer wouldn't be blocked by the built-in Gatekeeper security function. If a user clicked on it, the installer would simply run and deliver its payload on a system.

Wardle confirmed that the approved code contained within the malware has been used by the Shlayer adware, which has been said to be the top malicious threat to Mac users. Shlayer works by intercepting web traffic and replacing ads with its own, fraudulently making money for operators.

As he pointed out in his blog post, Wardle says that the approval is "a first." Apple, for its parts, has said that notarization isn't an app review. It's a much quicker and automated process that scans for malware or code-signing issues.

Basically, Apple's notarization process failed to detect the malicious code when it was submitted. In effect, the malware was approved to run on Mac devices — even those running beta versions of macOS Big Sur.

Apple revoked the malware's notarization after Wardle reached out. In a statement to TechCrunch, Apple applauded Wardle's effort.

"Malicious software constantly changes, and Apple's notarization system helps us keep malware off the Mac and allow us to respond quickly when it's discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe."

As Apple admits, malware constantly changes — so it's likely that bad actors will again submit malicious payloads to Apple's notarization process. Wardle said that at least some of those payloads may get notarized.



18 Comments

cpsro 3239 comments · 14 Years

IMO it's a bit much to write "our users" [emphasis added]. Like we're cattle (or chattel?).

killroy 286 comments · 17 Years

Why would anyone install Flash?

Believe it or not some web sites still use flash.

Fatman 513 comments · 8 Years

I will share this code with Apple for their automated approval logic, at no charge !

if code contains ‘flash’ or appname = ‘flash updater’ then do not approve

Beats 3073 comments · 4 Years

This is gonna be a media field day while everyone ignores the barrage of Windows/Android malware running wild.

Still, wondering why the "no viruses" Mac has been having so many security holes lately.