When might an Apple malware protection pose more user risk than none at all? When it certifies a trojan as safe even though it sticks out like a sore thumb and represents one of the biggest threats on the macOS platform.
The world received this object lesson over the weekend after Apple gave its imprimatur to the latest samples of “Shlayer,” the name given to a trojan that has been among the most—if not the most—prolific pieces of Mac malware for more than two years. The seal of approval came in the form of a notarization mechanism Apple introduced in macOS Mojave to, as Apple put it, “give users more confidence” that the app they install “has been checked by Apple for malicious components.”
With the roll out of macOS Catalina, notarization became a requirement for all apps. Unless installed using methods not mentioned by Apple (more about that later), an unnotarized app will generate the following notice that says it “can’t be opened because Apple cannot check it for malicious software.”
Classic Shlayer… with one big difference
On Friday, college student Peter H. Dantini found that homebrew[.]sh—a knockoff of the legitimate homebrew site brew.sh—was pushing a fake Adobe Flash update and warning users that their current version lacked the latest security updates.
It was a classic Shlayer campaign that was similar to hundreds or thousands of previous ones that also used fake Flash updates to infect users with adware except for one key difference: the trojan had been notarized by Apple. Patrick Wardle, who is a security researcher at the macOS and iOS enterprise management firm Jamf, said he believes this is the first malware to receive the notarization “stamp of approval.”
Wardle notified Apple on Friday of the erroneously notarized file, and the company quickly revoked the certification, a move that prevented the trojan from infecting up-to-date Macs. On Sunday, Wardle said, he found the site was serving new malicious payloads that were, once again, notarized by Apple.
“Unfortunately, a system that promises trust, yet fails to deliver, may ultimately put users at more risk,” Wardle wrote in a post. “How so? If Mac users buy into Apple’s claims, they are likely to fully trust any and all notarized software. This is extremely problematic as known malicious software (such as OSX.Shlayer) is already (trivially?) gaining such notarization!”
Antivirus provider Malwarebytes also weighed in, saying: “Unfortunately, it’s starting to look like notarization may be less security and more security theater.”
In defense of notarization
In a statement, Apple officials wrote: “Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allows us to respond quickly when it’s discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”
In Apple’s defense, the company has always been clear that the notarization is “an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly.” As such, Apple has never presented it as a comprehensive security check.
And even when notarization prevents an app from being installed normally, it’s not that hard to work around the mechanism. As shown in the screenshot below, courtesy of Malwarebytes, unnotarized versions of Shlayer have long presented marks with a custom background that instructed them to right-click on a disk image file, rather than double-click it as normal, and then select open.
With that the malware is installed.
Toothless… and a pain to use
At the same time, and as noted last year by Andrew Cunningham, now a freelance reviewer for Ars, notarization is a burden both for users and developers. Presumably Apple mandated it to augment previously introduced code-signing protections, which require developers to authenticate their apps with an Apple-issued cryptographic certificate. If the service made users safer, you might have a good case for saying that the inconvenience is worth it. It’s harder to make that argument if the new feature gives users a false sense of security.
Notarization looks especially toothless when it fails to detect this particular malware family. As Kaspersky Lab reported in January, Shlayer has been the top macOS threat for about two years and accounted for about 30 percent of all detections on the OS for 2019. Shlayer also goes well beyond the nuisance of adware. For instance, after using click-jacking techniques to trick users into installing a self-signed cryptographic certificate, the malware decrypts and reads all encrypted HTTPS traffic. It also harvests user IDs.
Apple’s goof is even harder to understand when it falls for files like those found on Friday and again on Sunday.
“It was a fake Flash player update… with the Adobe icon and all… that of course was not signed by Adobe,” Wardle told me in an online chat. “You’d have thought that’s a big red flag that Apple would straight up just block anyways like, umm, anything that masquerades as ‘Flash’ update …yah, no, don’t notarize that, as who cares what it does (i.e. what malware/adware it is), obv. it’s fake/malicious.”