Questions raised about Apple’s screening process
UPDATED Shortcomings in Apple’s newly introduced screening protocols have allowed “notarized” malware to slip past the tech giant’s approval process.
Apple mistakenly approved a strain of adware, an error which came to light after the malicious code appeared on the website Homebrew.sh, a counterfeit copy of the legitimate Homebrew package manager website (homw.sh).
The adware, which posed as an update for “Adobe Flash Player”, was only notable because it relied on malicious payloads that were fully notarized by Apple.
This trick was used in a campaign to distribute Shlayer, a well-known strain of macOS malware often associated with bombarding users of infected machines with unwanted ads.
The campaign was spotted by Twitter user Peter Dantini, who passed on his findings to Mac security expert Patrick Wardle.
The attack represents what’s thought to be the first time that malicious code has gained Apple’s notarization “stamp of approval”.
Some user interaction is still required to infect a device but the attack is nonetheless worrying since “due to their notarization status, users will (quite likely), fully trust these malicious samples”, Wardle warns in a blog post.
Apple responded promptly to reports of malfeasance by revoking the developer code-signing certificate abused in the Shlayer-slinging campaign.
Despite this, some signed (notarized) payloads containing OSX.Shlayer packaged with the Bundlore adware continued to circulate over the weekend.
“The attackers had multiple developer IDs - so they just switched/rotated to a new one,” Wardle told The Daily Swig. “Unfortunately, it’s pretty common for attacker to have access to such dev IDs.”
The only surprising element in the switch was that the attackers were able to get the (new) payload notarized on Friday and after the incident was reported, Wardle added
As of Tuesday, no new notarized payloads are circulating, and the attackers are back to the old(er) tricks, which involve telling the user how to manually get around notarization.
Who notarizes the notarizers?
The incident raises a number of uncomfortable questions.
According to Apple, notarization ought to “give users more confidence that [software]… has been checked by Apple for malicious components”.
Wardle warns: “Unfortunately a system that promises trust, yet fails to deliver, may ultimately put users at more risk.”
Some developers reacted caustically to Apple’s mistake, which comes soon after popular mobile game Fortnite was pulled from the Apple Store following a licensing dispute.
Thomas Reed, a Mac security expert from Malwarebytes, offers his perspective on the attack here.
Notarization was unveiled at Apple’s WWDC conference in 2019. In macOS Catalina, software that is not notarized is prevented from running (at least without requiring users to jump through some hoops).
Apple has not disclosed how the notarization process works but approvals are granted within minutes, suggesting the process is automated.
“It’s entirely possible that something in this code, somewhere, was modified to break any detection that Apple might have had for this adware,” Reed speculates.
“Either Apple was able to detect Shlayer as part of the notarization process, but breaking that detection was trivial, or Apple had nothing in the notarization process to detect Shlayer, which has been around for a couple years at this point.”
This story was updated to add comment from Patrick Wardle