One of the key components of Apple’s product security strategy is a requirement that developers sign their apps and submit them to Apple for approval and code-scanning before they’re allowed to appear in the iOS or macOS app stores. The idea is to prevent people from mistakenly installing malicious or dodgy apps, but sometimes things still slip through, and recently an app containing a notorious piece of malware found its way into the macOS store and was notarized by Apple.
The malware, known as OSX.Shlayer, was delivered as the payload of an adware campaign run from a site masquerading as the project page for the open source project Homebrew. Visitors to the fake site were sent through a series of redirects and eventually shown a popup saying that their version of Flash was out of date and that they needed to download the new version to proceed. It’s an old tactic used by malicious site operators and exploit kits to trick people into installing malware, and it has been effective for many years. It is also one of the attack vectors that Apple’s app notarization system is designed to cut off, by preventing unsigned and un-notarized apps from being installed.
But in this case the downloaded app is notarized by Apple, meaning victims’ machines will trust it and allow it to run. A visitor to the fake site, Peter Dantini, noticed what was going on and sent the details to Patrick Wardle, a prolific Apple security researcher and principal security researcher at Jamf, who dug in to see what the downloaded app was doing. Wardle found that the adware downloads and installs four separate packages, making up the Shlayer malware that targets Macs. Shlayer has been circulating for a while and is known to masquerade as Adobe Flash Player updates. It’s mainly used to serve unwanted ads to victims but can also steal information.
“As far as I know, this is a first: malicious code gaining Apple’s notarization ‘stamp of approval’,” Wardle said in his analysis of the incident.
“In Apple’s own words, notarization was supposed to ‘give users more confidence that [software] …has been checked by Apple for malicious components.’ Unfortunately a system that promises trust, yet fails to deliver, may ultimately put users at more risk. How so? If Mac users buy into Apple’s claims, they are likely to fully trust any and all notarized software. This is extremely problematic as known malicious software (such as OSX.Shlayer) is already (trivially?) gaining such notarization!”
Wardle reported the issue to Apple on Aug. 28, and the company revoked the code-signing certificate for the developer. However, later that day the developer used a new certificate to sign new payloads.
“Both the old and ‘new’ payload(s) appear to be nearly identical, containing OSX.Shlayer packaged with the Bundlore adware. However the attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy,” Wardle said.