macOS is thought of as more secure than Microsoft’s Windows, but the amount of malware targeting Apple’s operating system is growing. Apple has taken steps to mitigate malware on macOS through a process called notarization—but even this can be bypassed by new and improved adware, a security researcher has discovered.
The adware campaign uses notarized malware, meaning it was scanned and “approved” by Apple and will run on Catalina and Big Sur, security researcher Patrick Wardle has found. “As far as I know, this is the first time hackers have been able to abuse Apple’s new notarization,” Wardle told me.
Adware on macOS can be dangerous
Adware might not sound as scary as other malware—on the surface it simply delivers unwanted ads to victims—but it can still be pretty dangerous. As Wardle points out in his blog, security researcher Thomas Reed revealed in a recent write up how adware and PUPs can actually be far more invasive and dangerous on the Mac than “real” malware.
“They can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely.”
Apple’s notarization explained
So what is this notarization process that Apple designed to stop malware such as adware reaching macOS users, and what’s wrong with it?
Apple introduced notarization requirements in macOS 10.15 (Catalina), requiring developers to submit their applications to Apple before distribution to macOS users. This ensures that Apple can inspect and approve all software before it is allowed to run on new versions of macOS.
“If software has not been notarized, it will be blocked by macOS, with no option to run it via the alert prompt,” Wardle explains, adding: “With the goal of stymieing the influx of malicious code targeting macOS, notarization seemed like a promising idea. Sadly, not all promises are kept.”
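A defender can ask Gatekeeper directly whether a downloaded bundle is accepted and notarized, and whether its signing Team ID matches the vendor’s published one; this is an added example, not code from Wardle’s write-up or from Apple. The sample tool outputs below are constructed to mimic what `spctl` and `codesign` print on macOS 10.15+, and the Team ID `ABCDE12345` is a placeholder.

```shell
#!/bin/sh
# Gatekeeper / notarization check for a downloaded app bundle (added example).
# Assumes the output formats of `spctl --assess -vv` and `codesign -dvv` on macOS 10.15+.

# Classify `spctl --assess --type execute -vv` output.
# Prints: notarized | signed-not-notarized | rejected (revoked or never notarized)
classify_spctl() {
  case "$1" in
    *": accepted"*) ;;
    *) echo "rejected"; return 1 ;;
  esac
  case "$1" in
    *"source=Notarized Developer ID"*) echo "notarized"; return 0 ;;
    *) echo "signed-not-notarized"; return 2 ;;
  esac
}

# Pull the TeamIdentifier line out of `codesign -dvv` output (codesign writes to stderr).
team_id() {
  printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Full check on a real bundle (macOS only): Gatekeeper verdict, then Team ID match.
# A revoked notarization (as in the Shlayer case) shows up here as "rejected".
check_app() {
  app="$1"; expected_team="$2"
  verdict=$(classify_spctl "$(spctl --assess --type execute -vv "$app" 2>&1)") || {
    echo "BLOCK: $app is $verdict (notarization missing or revoked)"; return 1; }
  tid=$(team_id "$(codesign -dvv "$app" 2>&1)")
  if [ "$tid" != "$expected_team" ]; then
    echo "BLOCK: $app signed by team '$tid', expected '$expected_team'"; return 1
  fi
  echo "OK: $app is $verdict, Team ID $tid"
}

# Constructed sample outputs (placeholder paths, vendor and Team ID).
SAMPLE_OK='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_REVOKED='/tmp/Installer.app: rejected
source=Unnotarized Developer ID'
SAMPLE_CODESIGN='Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
TeamIdentifier=ABCDE12345'
```

On a Mac, `check_app /path/To.app ABCDE12345` runs the live check; the two parsing functions can be exercised anywhere with the constructed samples.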
Wardle cites the example of Homebrew, hosted at brew.sh. On August 28, Twitter user Peter Dantini noticed that the website homebrew.sh (not to be confused with the legitimate Homebrew website brew.sh) was hosting an active adware campaign.
If a user inadvertently visited homebrew.sh, after various redirects an update for “Adobe Flash Player” would be aggressively recommended.
These types of campaigns usually use un-notarized code, so are stopped in their tracks. However, the campaign originating from homebrew.sh leveraged adware payloads that were fully notarized.
That means the malicious payloads were submitted to Apple prior to distribution: Apple scanned them and, apparently detecting no malice, inadvertently notarized them. As a result, these malicious payloads are allowed to run—even on macOS Big Sur.
The notarized payloads appear to be the OSX.Shlayer malware, Wardle discovered. OSX.Shlayer could be the most prevalent malware infecting macOS systems, Kaspersky says—and the ultimate goal of OSX.Shlayer is to download and persistently install macOS adware.
Adding to this, OSX.Shlayer is clever and has quickly evolved, finding ways to bypass macOS security mechanisms. “As such, it’s not too surprising that this insidious malware has continued to evolve to trivially side-step Apple’s best efforts,” Wardle concedes.
Taking this into account, he warns users not to trust software simply because Apple has notarized it.
Wardle reported his findings to Apple, which quickly revoked the certificates, rescinding their notarization status so malicious payloads will now no longer run on macOS. However, says Wardle: “The fact that known malware got notarized in the first place raises many questions.”
And worryingly, Wardle later found the campaign is back up and running—on August 30 the adware campaign was still live and serving up new payloads. “Unfortunately these new payloads are (still) notarized, which means even on Big Sur, they will (still) be allowed to run.”
Apple sent me a statement over email, which reads: “Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allows us to respond quickly when it’s discovered.
“Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”
Your best defense is yourself
Sean Wright, application security SME lead at Immersive Labs, says he’s “never been a firm believer” in Apple’s approach to vetting apps. “While I can see where they’re coming from, the sheer volume and complexity means they’ll unlikely do a thorough job vetting every app, and it’s not surprising to see many slipping through.”
Wright says notarization is “better than nothing” but it’s not an adequate security control. “Criminals are becoming increasingly smarter in the ways they are avoiding detection, making it more difficult to detect malicious software, especially when only using tooling to do so.”
Cybercriminals will keep evolving their methods, and it’s important that vendors such as Apple stay vigilant. But it’s also true to say you are your own best defense. Always check what you download, ensure you trust it, and try to only install apps that you need.