Despite Apple’s security guarantees, the company authorized a known malware to run on the Mac operating system, according to security researcher Patrick Wardle. Working with Mac user Peter Dantini, Wardle discovered that Apple accidentally approved a prevalent macOS malware disguised as a Flash Player Update. Additionally, the company allowed a newer variant of the malware to run on the platform, days after blocking the initial threat. This security lapse incident has led some security experts to question the effectiveness of Apple’s notarization process.
Apple software notarization process
Apple’s notarization process aims to guarantee the safety of Mac software by requiring developers to submit their apps for verification before distribution to the users. The company scans the software for dangerous code before allowing it to run on Macs. This process ensures that any software downloaded from both the Mac app store and third-party networks is safe by blocking macOS malware threats in advance. Apple introduced these new requirements on macOS 10.15 (Catalina) in June 2019 and made them mandatory by February 3, 2020.
Adware riskier on Macs than conventional threats
Macs face fewer viruses compared to the Microsoft Windows operating system. The perceived safety largely stems from operating system incompatibility between the two operating systems. However, the platform witnesses an increase in adware campaigns, capable of running on both Catalina and BigSur macOS versions. Many users erroneously believe that adware and PUP are nothing more than little inconveniences compared to real macOS malware. However, security researcher, Thomas Reed, discovered that Mac adware was occasionally riskier than the conventional macOS malware. Reed found that Mac adware could intercept and decrypt network traffic, create hidden user accounts, and modify system settings making it harder to remove them.
macOS malware circumvents Apple’s notarization process
Wardle pointed out that despite Apple’s promise to block macOS malware, threat actors were able to run adware campaigns on the macOS platform. Wardle explains how Dantini discovered a rogue Adobe Flash Player update hosted by the Homebrew (brew.sh) knockoff site, homebrew.sh. On visiting the site, Mac users were aggressively bombarded with the “update Adobe Flash player” notifications. However, the update contained the most prevalent macOS malware, the OSX.Shlayer. Additionally, the payload had a valid signing certificate and was officially notarized by Apple. According to Kaspersky Labs, the macOS malware download malicious content and installs adware on the host system, thus further compromising the system.
On discovering the irregularity, Wardle reported the macOS malware to Apple, which was quick to revoke the certificates and the application’s notarization status. However, Wardle noted that the site was serving a new variant of the macOS malware payload on August 30. Additionally, the new malware payloads were also notarized by Apple and could run on both Catalina and BigSur macOS versions.
Apple responds to the discovery of certified macOS malware
Apple released a statement saying that “Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac.” The company added that the notarization process allows it to respond quickly when threats were discovered. This new explanation was a far cry from the security guarantee that Apple promised the notarization process would provide.
James McQuiggan, a Security Awareness Advocate at KnowBe4, says that cybercriminals are determined to bypass the best security controls any company could deploy.
“While nothing is perfect, some organizations operate at a high level of security and privacy. With this vetting occurring with third-party software, the cybercriminals will throw everything possible to see what sticks. Like phishing attacks, cybercriminals are continually working to see what emails can get through organizations’ various technology products globally. When they find one that works, they use it. In this case, they most likely have tried hundreds of multiple malware applications, and to get through was a success for them. However, it was discovered and removed.”
He also notes that being the sole vendor of Mac’s hardware and operating system, Apple is in a better position to stop threats.
“By providing the hardware, software and the operating system, there’s an assurance for the ability to restrict access for programs and significantly reduce the risk of an attack.”
Apple also said that “learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates.”
Apple also thanked the “researchers for their assistance in keeping our users safe.”
McQuiggan advises apple to scale its vetting process for third-party apps to reduce the risk for organizations using its products.
“When working with third-party vendors, it’s essential that all products are vetted to be secure and do not present any risk to the organization. If a vulnerability is discovered, it should be quickly remediated to reduce any attack vectors available to cybercriminals.”
While Apple’s notarization process is necessary to prevent many rogue applications from sailing through, it’s hardly enough to guarantee the safety of all apps on the macOS platform, as Apple might have convinced its users to believe.