Apple's Notarization Process Repeatedly Approved Malware for Mac

by

Apple mistakenly approved and notarized a common kind of malware for macOS on at least two occasions, reports TechCrunch.

bigSur

Apple requires developers to submit their apps for security checks to run on macOS in a process called "notarization." Notarization was required from the launch of macOS Catalina. If software has not been notarized, it will be blocked by default in macOS.

Peter Dantini and security researcher Patrick Wardle at Objective-See report that they have found the first malware for Mac that has been successfully notarized by Apple, even for the latest beta version of macOS Big Sur. The notarized malware was disguised as an Adobe Flash installer, which is an oft-used technique to convince unknowing users to install a trojan.

It contained "Shlayer" malware, which is said to be the "most common threat" to Macs in 2019. Shlayer is a kind of adware that intercepts encrypted web traffic, even from securely-encrypted HTTPS-enabled websites, and replaces it with its own ads to raise fraudulent ad revenue.

The researchers believe that Apple cannot have detected the malicious code when it was submitted for approval. The discovery is particularly surprising, given that the malware and its vehicle are extremely common. Upon notification from the researchers, Apple revoked the notarization.

"Malicious software constantly changes, and Apple's notarization system helps us keep malware off the Mac and allow us to respond quickly when it's discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe," an Apple spokesperson told TechCrunch.

In spite of Apple's statement, the researchers reported that the bad actors were able to get yet another malware trojan notarized soon after. The second notarized payloads were still approved by Apple as of yesterday.

Earlier this month, a new kind of Mac malware was discovered that infects via Xcode and supposedly can infiltrate the Mac App Store, undetected by Apple.

Tag: Malware
Related Forum: macOS Big Sur

Popular Stories

iOS 19 Mock WWDC25 Feature

iOS 19 Expected to Run on These iPhones

Monday March 31, 2025 5:28 pm PDT by
iOS 19 will not be available on the iPhone XR, iPhone XS, or the iPhone XS Max, according a private account on social media site X that has accurately provided information on device compatibility in the past. The iPhone XR, iPhone XS, and iPhone XS Max all have an A12 Bionic chip, so it looks like iOS 19 will discontinue support for that chip. All other iPhones that run iOS 18 are expected...
Read Full Article135 comments
maxresdefault

Apple Releases iOS 18.4 With Priority Notifications, Ambient Music, New Emoji and More

Monday March 31, 2025 10:03 am PDT by
Apple today released iOS 18.4 and iPadOS 18.4, the fourth major updates to the iOS 18 and iPadOS 18 operating system updates that came out last year. iOS 18.4 and iPadOS 18.4 come two months after Apple released iOS 18.3 and iPadOS 18.3. Subscribe to the MacRumors YouTube channel for more videos. The new software can be downloaded on eligible iPhones and iPads over-the-air by going to...
Read Full Article88 comments
watchOS 11 Thumb 2 1

Apple Releases watchOS 11.4 With Sleep Alarm Update

Tuesday April 1, 2025 10:34 am PDT by
Apple today released watchOS 11.4, the fourth major update to the operating system that runs on the Apple Watch. watchOS 11.4 is compatible with the Apple Watch Series 6 and later, all Apple Watch Ultra models, and the Apple Watch SE 2. watchOS 11.4 can be downloaded on a connected iPhone by opening up the Apple Watch app and going to General > Software Update. To install the new software,...
Read Full Article69 comments
AirPods Pro Firmware Feature

Apple Releases New Firmware for AirPods Pro 2 and AirPods 4

Monday March 31, 2025 11:27 am PDT by
Apple today released new firmware updates for all AirPods 4 and AirPods Pro 2 models. The new firmware is version 7E93, up from the 7B21 firmware that was installed on the AirPods Pro 2 and the 7B20 firmware available on the AirPods 4 and AirPods 4 with ANC. It is not immediately clear what new features or changes are included in the new firmware, but we'll update this article should we find ...
Read Full Article30 comments
iPhone 17 Pro 34ths Perspective

iPhone 17 Pro Launching Later This Year With These 10 New Features

Sunday March 23, 2025 10:00 am PDT by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices. Below, we recap key changes rumored for the iPhone 17 Pro models as of March 2025: Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone 16 Pro models have a titanium frame, and the iPhone ...
Read Full Article247 comments
macOS Sequoia Feature

Apple Releases macOS Sequoia 15.4 With Mail Categorization and More

Monday March 31, 2025 10:04 am PDT by
Apple today released macOS Sequoia 15.4, the fourth major update to the macOS Sequoia operating system that launched in September. macOS Sequoia 15.4 comes two months after the launch of macOS Sequoia 15.3. Mac users can download the ‌‌macOS Sequoia‌‌ update through the Software Update section of System Settings. It is available for free on all Macs able to run macOS 15. With...
Read Full Article191 comments

Top Rated Comments

larrylaffer Avatar
larrylaffer
60 months ago
Apple's gatekeeping here must be truly awful. These people disguised their software as coming from one of the world's biggest software vendors, and it still made it through?
Score: 17 Votes (Like | Disagree)
julesme Avatar
julesme
60 months ago
If I never again hear of Flash for the rest of my life, it will still be too soon.
Score: 12 Votes (Like | Disagree)
Ritsuka Avatar
Ritsuka
60 months ago

Just another reason why we should be allowed to install 3rd party apps on iOS with out the App Store. Just because Apple approves the app (I know it’s for macOS in this particular article) doesn’t mean it’s guaranteed to be safe.
This is a totally different case. "Notarization" is just Apple running an automated malware scan on the apps, it's not a manual review by an actual person.
Score: 11 Votes (Like | Disagree)
CarlJ Avatar
CarlJ
60 months ago
An actual real-life notary public doesn’t certify anything about the content of the document you’re signing, they only witness that it was actually you that signed it.

I expected that Apple’s notarization service was primarily designed to associate an app with a developer, and register the pairing with Apple, so that if the app subsequently starting doing something really unsavory in the real world, posing a threat to customers, it could be shut off by Apple.
Score: 10 Votes (Like | Disagree)
cmaier Avatar
cmaier
60 months ago

Proof that their notorization is worthless. But it sounds good on paper.
No it's not. Notarization is not malware detection. It ensures that the binary actually came from who it claims to have come from. That's it. Just like a notary public proves that a document was signed by the person who claims to have signed it, and doesn't prove that the contents of the document are true.

This is a weird news article.
Score: 8 Votes (Like | Disagree)
BigMcGuire Avatar
BigMcGuire
60 months ago
Patrick Wardle at Objective-See ('https://objective-see.com/blog/blog_0x4E.html') --- This guy is doing a lot of great work. I run several of his apps. Very cool!
Score: 6 Votes (Like | Disagree)
Read All Comments