Apple's automated notarization process mistakenly approved Mac malware
Security researchers have discovered that Apple's macOS app notarization process has mistakenly approved a piece of malware disguised as a Flash installer.
Apple requires Mac app developers — even those outside of the App Store — to submit apps for notarization, which checks them for security issues and malicious code. If they don't pass notarization, apps will be blocked by Gatekeeper.
On Friday, Dantini noticed that a Flash installer adware campaign actually featured malicious code that was notarized by Apple. The effect of that notarization is that the installer wouldn't be blocked by the built-in Gatekeeper security function. If a user clicked on it, the installer would simply run and deliver its payload on a system.
Wardle confirmed that the approved code contained within the malware has been used by the Shlayer adware, which has been said to be the top malicious threat to Mac users. Shlayer works by intercepting web traffic and replacing ads with its own, fraudulently making money for operators.
As he pointed out in his blog post, Wardle says that the approval is "a first." Apple, for its parts, has said that notarization isn't an app review. It's a much quicker and automated process that scans for malware or code-signing issues.
Basically, Apple's notarization process failed to detect the malicious code when it was submitted. In effect, the malware was approved to run on Mac devices — even those running beta versions of macOS Big Sur.
Apple revoked the malware's notarization after Wardle reached out. In a statement to TechCrunch, Apple applauded Wardle's effort.
"Malicious software constantly changes, and Apple's notarization system helps us keep malware off the Mac and allow us to respond quickly when it's discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe."
As Apple admits, malware constantly changes — so it's likely that bad actors will again submit malicious payloads to Apple's notarization process. Wardle said that at least some of those payloads may get notarized.