Mac malware slips through Apple notarization process

By

Mac malware is real. Watch out.
Even Macs can get hit with malware. Especially when Apple notarizes it!
Graphic: Ed Hardy/Cult of Mac

Apple reportedly slipped up and notarized some malware. This allows the ill-behaved software to be installed on Macs.

Preventing the spread of malware is exactly why Apple insists Mac apps to be notarized, so it’s not clear how this malicious software got Apple’s approval.

Mac apps are notarized for your protection

Apple requires all Mac apps to be checked before they’ll run on macOS Catalina. The process is called notarization. If a user tries to install un-notarized software on their computer, they get a pop-up warning, and are given just two options for the offending app: “Move to Trash” and “Cancel.”

But security researcher Patrick Wardle from Jamf reports that a user ran into Mac malware that was notarized by Apple. The user accidentally visited homebrew.sh when they meant to go to brew.sh. On the false site, they were hit with a fake warning that Adobe Flash was out of date on his computer — a very typical attempt to get malware installed.

Ordinarily, Apple’s requirement that software be notarized would have prevented the malware from being installed. Not this time.

Apple accidentally notarized OSX.Shlayer Mac malware

In his own tests, Wardle found that the adware from the fake site had been notarized. Further testing found that it’s a version of OSX.Shlayer. This is a very common Trojan horse — perhaps the most common Mac malware.

It installs the Bundlore adware without the user being aware. In the past, Bundlore has been used to bombard users with pop-up ads, track users around the Internet, and more.

Wardle reported what he’d discovered, and Apple rescinded its notarization for this malware. However, the security researcher reports that as of Sunday homebrew.sh was still hitting unsuspecting users with a slightly different version of the Mac malware that’s also notarized.

It’s not known how such well-known malicious adware as OSX.Shlayer got approved in Apple’s process that’s designed to screen out exactly this sort of attack on users’ Macs. Until the problems are worked out, extra caution about installing Mac software off the internet seems warranted.