Apple's Notarization Process Repeatedly Approved Malware for Mac

Apple mistakenly approved and notarized a common kind of malware for macOS on at least two occasions, reports TechCrunch.

Apple requires developers to submit their apps for security checks before they can run on macOS, a process called "notarization." Notarization has been required since the launch of macOS Catalina; software that has not been notarized is blocked by default.

Peter Dantini and security researcher Patrick Wardle at Objective-See report that they have found the first Mac malware successfully notarized by Apple, and that it runs even on the latest beta of macOS Big Sur. The notarized malware was disguised as an Adobe Flash installer, a common technique for convincing unsuspecting users to install a trojan.

It contained "Shlayer" malware, which is said to be the "most common threat" to Macs in 2019. Shlayer is adware that intercepts web traffic, including traffic from HTTPS-enabled websites, and replaces it with its own ads to generate fraudulent ad revenue.

The researchers believe that Apple cannot have detected the malicious code when it was submitted for approval. The discovery is particularly surprising, given that the malware and its vehicle are extremely common. Upon notification from the researchers, Apple revoked the notarization.
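As an added example (not from the article or from Apple), a small POSIX shell helper that classifies the Gatekeeper verdict `spctl` prints for an app bundle, so a Mac administrator can confirm locally whether something is notarized and whether its notarization has since been revoked, as happened to the sample described above. The `spctl` output samples below are constructed; the bundle path and Team ID are made up.

```shell
# Classify the output of `spctl --assess --verbose --type execute <App.app>`.
# A "notarized" verdict means Apple tied the binary to a Developer ID and its
# automated scan passed; it is an identity statement, not a safety guarantee.
# After Apple revokes a ticket or certificate, the same app assesses as rejected.
# Output (stdout): notarized | developer-id | accepted-other | rejected | unknown
classify_spctl_assessment() {
    out="$1"
    case "$out" in
        *": rejected"*)                        echo "rejected" ;;
        *"source=Notarized Developer ID"*)     echo "notarized" ;;
        *"source=Developer ID"*)               echo "developer-id" ;;
        *": accepted"*)                        echo "accepted-other" ;;
        *)                                     echo "unknown" ;;
    esac
}

# Run the real assessment on macOS; on any other system report "unknown".
assess_app() {
    app="$1"
    if command -v spctl >/dev/null 2>&1; then
        # spctl exits non-zero on rejection, so capture its output either way.
        result="$(spctl --assess --verbose --type execute "$app" 2>&1 || true)"
        classify_spctl_assessment "$result"
    else
        echo "unknown"
    fi
}

# Constructed samples in the shape of real spctl output (hypothetical values).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

# Same app after Apple revokes the notarization ticket or certificate.
SAMPLE_REVOKED='/Applications/Example.app: rejected
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

# Signed with a Developer ID but never submitted for notarization.
SAMPLE_UNNOTARIZED='/Applications/Example.app: rejected
source=Unnotarized Developer ID'
```

On a Mac, `assess_app /Applications/SomeApp.app` runs the live check; the classifier alone can be fed saved `spctl` output collected from a fleet.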

"Malicious software constantly changes, and Apple's notarization system helps us keep malware off the Mac and allow us to respond quickly when it's discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe," an Apple spokesperson told TechCrunch.

In spite of Apple's statement, the researchers reported that the same actors were able to get yet another trojan notarized soon after. As of yesterday, the second set of notarized payloads was still approved by Apple.

Earlier this month, a new kind of Mac malware was discovered that infects via Xcode and supposedly can infiltrate the Mac App Store, undetected by Apple.

Top Rated Comments

larrylaffer
50 months ago
Apple's gatekeeping here must be truly awful. These people disguised their software as coming from one of the world's biggest software vendors, and it still made it through?
Score: 17 Votes
julesme
50 months ago
If I never again hear of Flash for the rest of my life, it will still be too soon.
Score: 12 Votes
Ritsuka
50 months ago

> Just another reason why we should be allowed to install 3rd party apps on iOS without the App Store. Just because Apple approves the app (I know it's for macOS in this particular article) doesn't mean it's guaranteed to be safe.

This is a totally different case. "Notarization" is just Apple running an automated malware scan on the apps, it's not a manual review by an actual person.
Score: 11 Votes
CarlJ
50 months ago
An actual real-life notary public doesn't certify anything about the content of the document you're signing, they only witness that it was actually you that signed it.

I expected that Apple's notarization service was primarily designed to associate an app with a developer, and register the pairing with Apple, so that if the app subsequently started doing something really unsavory in the real world, posing a threat to customers, it could be shut off by Apple.
Score: 10 Votes
cmaier
50 months ago

> Proof that their notarization is worthless. But it sounds good on paper.

No it's not. Notarization is not malware detection. It ensures that the binary actually came from who it claims to have come from. That's it. Just like a notary public proves that a document was signed by the person who claims to have signed it, and doesn't prove that the contents of the document are true.

This is a weird news article.
Score: 8 Votes
BigMcGuire
50 months ago
Patrick Wardle at Objective-See (https://objective-see.com/blog/blog_0x4E.html) -- This guy is doing a lot of great work. I run several of his apps. Very cool!
Score: 6 Votes