Apple has long tried to be conscientious about protecting user data and privacy, and has put very stringent rules in place to ensure that no malicious app gets through, even though an app slips through the net once in a while. Last year, Apple made its rules even stricter and mandated that developers submit their apps so that Apple could scrutinise them before allowing them to run on millions of Macs without hindrance. Apple calls this process ‘notarisation’; through it, all apps are checked for malicious content and security issues.
Once an app is approved through the notarisation process, the Mac’s built-in security software, called Gatekeeper, allows it to run. Apps that do not clear the notarisation process are blocked.
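A defender’s check for the Gatekeeper status described above, added here as an example and not part of the original article: it classifies the output of Apple’s `spctl --assess` command so an administrator can tell a notarised app from one that is merely signed, or rejected, before allowing it to run. It assumes the `spctl` output format of macOS 10.14.5 and later (where a notarised app reports `source=Notarized Developer ID`); the function and variable names are my own.

```shell
#!/bin/sh
# Added example: classify an app's Gatekeeper verdict from `spctl --assess`
# output. Assumed output format (macOS 10.14.5+):
#   /Applications/Foo.app: accepted
#   source=Notarized Developer ID
#   origin=Developer ID Application: Foo Inc (TEAMID)
# A rejected app prints "<path>: rejected" followed by a reason line.

# gatekeeper_verdict: read spctl output on stdin, print one word:
#   notarized | signed-only | rejected | unknown
gatekeeper_verdict() {
  verdict=unknown
  while IFS= read -r line; do
    case "$line" in
      *": rejected"*)
        verdict=rejected
        break ;;
      "source=Notarized Developer ID"*)
        verdict=notarized ;;
      "source=Developer ID"*|"source=Unnotarized Developer ID"*)
        # Signed with a Developer ID certificate but never notarised.
        if [ "$verdict" = unknown ]; then verdict=signed-only; fi ;;
    esac
  done
  printf '%s\n' "$verdict"
}

# check_app: assess a real bundle (macOS only) and exit non-zero for
# anything that is not notarised, so a deployment script can gate on it.
check_app() {
  app="$1"
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl not available (not macOS)" >&2
    return 2
  fi
  # spctl writes its assessment to stderr, hence 2>&1.
  result=$(spctl --assess --verbose=2 --type execute "$app" 2>&1 | gatekeeper_verdict)
  echo "$app: $result"
  [ "$result" = notarized ]
}
```

Because Apple revokes the certificate and rescinds notarisation for malware it later identifies, re-running this check on already-installed apps will also catch bundles whose status has changed since they were downloaded.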
However, security researchers have now found the first Mac malware that Apple inadvertently cleared through its notarisation process. The malware campaign, disguised as an Adobe Flash installer, was found by Peter Dantini, who was working with well-known Mac security researcher Patrick Wardle. Such campaigns have existed for years and remain common even though few people still use Flash, but they normally run unnotarised code, which a Mac blocks immediately. The malware the duo found, however, was notarised and so would run on Macs.
Wardle said that the code approved by Apple was used by the Shlayer malware, which, according to security firm Kaspersky, was the most common threat to Macs in 2019.
Shlayer is adware: it intercepts encrypted web traffic, even from HTTPS-enabled sites, and replaces websites and search results with its own ads, generating fraudulent ad revenue for its operators.
Wardle wrote in a blog post that, as far as he knew, this was a first. He added that it meant Apple had not detected the malicious code and had allowed it to run on Macs, including the unreleased beta version of macOS Big Sur.
Wardle added that once he reported the issue to Apple, the tech giant quickly revoked the certificate and rescinded the malware’s notarisation. Once the notarisation was revoked, however, Wardle noted that the attackers returned with more malicious code, which Apple confirmed to TechCrunch had also been blocked.