John Leyden 01 September 2020 at 14:00 UTC
Questions raised about Apple’s screening process
Shortcomings in Apple’s newly introduced screening protocols have allowed “notarized” malware to slip past the tech giant’s approval process.
Apple mistakenly approved a strain of adware, an error which came to light after the malicious code appeared on the website Homebrew.sh, a counterfeit copy of the legitimate Homebrew package manager website (homw.sh).
The adware, which posed as an update for “Adobe Flash Player”, was only notable because it relied on malicious payloads that were fully notarized by Apple.
This trick was used in a campaign to distribute Shlayer, a well-known strain of macOS malware often associated with bombarding users of infected machines with unwanted ads.
The campaign was spotted by Twitter user Peter Dantini, who passed on his findings to Mac security expert Patrick Wardle.
The attack represents what’s thought to be the first time that malicious code has gained Apple’s notarization “stamp of approval”.
Some user interaction is still required to infect a device, but the attack is nonetheless worrying since “due to their notarization status, users will (quite likely), fully trust these malicious samples”, Wardle warns in a blog post.
Apple responded promptly to reports of malfeasance by revoking the developer code-signing certificate abused in the Shlayer-slinging campaign.
Despite this, some signed (notarized) payloads containing OSX.Shlayer packaged with the Bundlore adware continued to circulate over the weekend.
The incident raises a number of uncomfortable questions.
According to Apple, notarization ought to “give users more confidence that [software] …has been checked by Apple for malicious components”.
Wardle warns: “Unfortunately a system that promises trust, yet fails to deliver, may ultimately put users at more risk.”
Some developers reacted caustically to Apple’s mistake, which comes soon after popular mobile game Fortnite was pulled from the Apple Store following a licensing dispute.
Thomas Reed, a Mac security expert from Malwarebytes, offers his perspective on the attack here.
Nota bene
Notarization was unveiled at Apple’s WWDC conference in 2019. In macOS Catalina, software that is not notarized is prevented from running (at least without requiring users to jump through some hoops).
Apple has not disclosed how the notarization process works but approvals are granted within minutes, suggesting the process is automated.
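To see what Gatekeeper actually reports for a downloaded bundle, and whether that verdict changes once Apple revokes the signing certificate, the following script is an added example, not code from the article or from Wardle's or Reed's write-ups. It assumes a macOS host with spctl, codesign and stapler; the sample transcripts and team ID inside it are constructed, and the exact spctl wording varies by macOS version.

```shell
#!/bin/sh
# Added example: triage the Gatekeeper/notarization state of a macOS bundle.
# audit_bundle() needs macOS; parse_spctl() is portable and is exercised
# below with constructed sample transcripts.

# Reduce an `spctl --assess -vv` transcript to a single verdict word.
# Typical shape of the tool's output (exact wording varies by macOS version):
#   /path/Installer.app: accepted
#   source=Notarized Developer ID
parse_spctl() {
    case "$1" in
        *": accepted"*"source=Notarized"*) echo notarized ;;   # notarization ticket found
        *": accepted"*)                    echo signed-only ;; # passes, but not notarized
        *": rejected"*)                    echo rejected ;;    # unsigned, revoked cert, ...
        *)                                 echo unknown ;;
    esac
}

# Run the real tools against a bundle and print what a user would rely on:
# the Gatekeeper verdict, the signing authority chain, and whether a
# notarization ticket is stapled. A revoked Developer ID certificate shows
# up as a failed codesign verification and a "rejected" spctl verdict.
audit_bundle() {
    bundle=$1
    verdict=$(spctl --assess -vv --type execute "$bundle" 2>&1)
    echo "gatekeeper: $(parse_spctl "$verdict")"
    codesign --verify --deep --strict "$bundle" 2>&1 || echo "codesign: INVALID"
    codesign -dvvv "$bundle" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
    xcrun stapler validate "$bundle" 2>&1 | tail -n 1
}

# Constructed sample transcripts (placeholder team ID, not from the campaign).
SAMPLE_NOTARIZED='/tmp/Installer.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_AFTER_REVOCATION='/tmp/Installer.app: rejected'

# Stand-alone use: sh gatekeeper_audit.sh /path/to/Installer.app (macOS only);
# elsewhere the script only demonstrates the parser on the samples.
if [ "$(uname 2>/dev/null)" = Darwin ] && [ -n "$1" ]; then
    audit_bundle "$1"
else
    echo "sample notarized: $(parse_spctl "$SAMPLE_NOTARIZED")"
    echo "sample revoked:   $(parse_spctl "$SAMPLE_AFTER_REVOCATION")"
fi
```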
“It’s entirely possible that something in this code, somewhere, was modified to break any detection that Apple might have had for this adware,” Reed speculates.
“Either Apple was able to detect Shlayer as part of the notarization process, but breaking that detection was trivial, or Apple had nothing in the notarization process to detect Shlayer, which has been around for a couple years at this point.”