Apple certified known malware!

M.Sc. Jan Hörnemann


The stated purpose of Apple's notarization service is to protect Mac users from malware. Now it has become known that this very service certified software containing the well-known malware "Shlayer".

Security system fails and certifies Shlayer

On macOS 10.15 Catalina and the then-upcoming macOS 11 Big Sur, the malware's installer was not blocked by Gatekeeper but opened without resistance. The only prompt was the standard dialog noting that the application had been downloaded from the Internet and asking whether it should be opened, a message every Mac user knows because it appears for every downloaded application.

Malware Download
Only the standard warning that the software was downloaded from the Internet is displayed when opening the malware installer.

The danger is obvious: because this message appears for every downloaded application, including legitimate ones, users have no reason to suspect malware. The notarization service is meant to keep malicious software from running on Macs in the first place. Yet unknown actors submitted software containing Shlayer to Apple for notarization and actually received it.

The failure lies with Apple's notarization service, which certified malicious software and thereby, in effect, cleared it to run on every Mac. How the unknown actors got the malware notarized is somewhat more involved. Disguised as an Adobe Flash Player update, it was distributed from a website posing as the homepage of the well-known Homebrew package manager; the security researcher Patrick Wardle has documented the details.

Despite Apple's reaction, notarized malware reappears

After Patrick Wardle published the finding on Twitter at the end of August, Apple reacted by revoking the signing certificate and the notarization for the malicious software. Just two days later, however, a new campaign of the same malware was sighted, carrying a new signature and a fresh notarization from Apple. Asked by TechCrunch, Apple explained that malware is constantly changing and that the notarization system is there to help keep malware off all Macs.

Apple's notarization is now mandatory: software distributed outside the App Store must be submitted to Apple's automated notarization scan, which checks the code signature and looks for known malicious content, before Gatekeeper will let it run without objection. The intent is to protect all Mac users, since every program they can run is supposed to have been checked already.
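As an added example, not part of the original article, the POSIX shell snippet below classifies the output of macOS's Gatekeeper assessment tool, `spctl -a -vv`, into verdict, assessment source and signing Team ID. This is the check a practitioner can run on a downloaded app before opening it. The two sample outputs are constructed for illustration; the application path, company name and Team ID in them are made up. On a Mac you would pipe the real tool's output into `gatekeeper_verdict` instead of the samples.

```shell
#!/bin/sh
# Added example: parse the assessment that Gatekeeper prints for an app.
# On a Mac:  spctl -a -vv /Applications/Some.app 2>&1 | gatekeeper_verdict
# Output:    <verdict>|<source>|<team id or ->
#   verdict  accepted / rejected / unknown
#   source   e.g. "Notarized Developer ID", "Developer ID" (signed but
#            not notarized), "no usable signature" (unsigned)
#   team id  the Apple Team ID taken from the origin line; useful for
#            blocking or hunting once a notarized sample turns out bad
gatekeeper_verdict() {
  awk '
    /: accepted/ { verdict = "accepted" }
    /: rejected/ { verdict = "rejected" }
    /^source=/   { sub(/^source=/, ""); source = $0 }
    /^origin=/   {
      # origin=Developer ID Application: Name (TEAMID1234)
      if (match($0, /\([A-Z0-9]+\)$/))
        team = substr($0, RSTART + 1, RLENGTH - 2)
    }
    END {
      if (verdict == "") verdict = "unknown"
      if (source == "")  source  = "-"
      if (team == "")    team    = "-"
      printf "%s|%s|%s\n", verdict, source, team
    }'
}

# Succeeds only for an accepted, notarized Developer ID build.
# Anything else (unsigned, signed but not notarized, or rejected
# because Apple revoked the certificate or notarization) fails.
is_trusted_notarized() {
  case "$(gatekeeper_verdict)" in
    "accepted|Notarized Developer ID|"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample outputs (not captured from a real system).
# A notarized build, as the Shlayer installer would have looked
# before Apple revoked it:
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

# An unsigned build, which Gatekeeper rejects outright:
SAMPLE_UNSIGNED='/Applications/Example.app: rejected
source=no usable signature'

# Demo when run directly: print both verdicts.
printf '%s\n' "$SAMPLE_NOTARIZED" | gatekeeper_verdict
printf '%s\n' "$SAMPLE_UNSIGNED"  | gatekeeper_verdict
```

The caveat this article illustrates is built into the check: a notarized malicious sample passes `is_trusted_notarized`, because notarization status says only that Apple's automated scan did not flag the code, not that it is benign. The Team ID extracted here is still worth recording; once a campaign is revoked, `spctl` will report the same file as rejected, and the Team ID is the natural pivot for finding other builds from the same developer account.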

Errors in such a process are to be expected, but they are nonetheless serious. As noted, Mac users assume that notarized software has been checked and is therefore safe, so when the check fails, many will install malware without a second thought.

That is what appears to have happened with the Shlayer Trojan, which some users installed. This malware acts as a dropper for adware that can, for example, manipulate search queries in the browser. Apple's notarization service can in principle be trusted, but before downloading anything from the Internet it is worth taking a moment to check whether the software has been linked to malware. The simplest way to find out is a quick Internet search for the program's name together with the word "malware".


M.Sc. Jan Hörnemann

Hello dear reader, my name is Jan Hörnemann. I am a TeleTrust Information Security Professional (T.I.S.P.) and have been dealing with information security topics on an almost daily basis since 2016. CEH v10 was my first hands-on certification in the field. With a Master of Science degree in Internet Security, I have learned about many different aspects of the topic and try to share them in live hacking shows as well as on our blog. In addition, I am active as an information security officer and have been qualified by TÜV for this role (ISB according to ISO 27001).