Apple-notarized malware foils macOS defenses

Shlayer adware creators have found a way to get their malicious payload notarized by Apple, allowing it to bypass anti-malware checks performed by macOS before installing any software.

What is Apple Notarization?

Apple uses a number of technologies to prevent malware from being offered for download on the App Store and from being run on Apple-developed devices:

• App Review: Apps are reviewed by Apple before being published on the App Store, and have to comply with specific guidelines to get accepted
• Code Signing: Developers sign their apps with a developer certificate issued by Apple to assure users that it is from a known source and the app hasn’t been modified since it was last signed. The macOS Gatekeeper verifies the developer certificate and checks the known-malware list when the application is first opened, and blocks the app from running if its known malware or if it doesn’t recognize the developer (certificate)
• Notarization: An automated check that scans software for malicious content and checks for code-signing issues. If the package passes the check, it gets a ticket that proves notarization has been successful and the ticket “tells” Gatekeeper that Apple notarized the software, i.e., that is effectively safe to run it.

Apple Notarization is a relatively new security mechanism that, in theory, should detect malicious software and prevent it from being installed on a macOS system. But, as it turns out, it’s not foolproof.

Notarized macOS malware

The first known instance of notarized macOS malware was discovered last week, by a college student who noticed that people who want to download Homebrew (downloadable from brew.sh) and make the mistake of entering the wrong URL (homebrew.sh) are getting served with a warning saying their Adobe Flash Player is out of date and offering an update for download.

Security researcher Patrick Wardle analyzed the served package and confirmed that it is not, in fact, an update, but a notarized version of the macOS Shlayer adware, which doesn’t get detected as malicious by Gatekeeper.

This particular variant of this common adware would be detected by various third-party antivirus applications, but there are still many macOS users that don’t run one as they believe that Macs can’t get malware.

How is this possible?

“We’re still not exactly sure what the Shlayer folks did to get their malware notarized, but increasingly, it’s looking like they did nothing at all,” said Apple security expert Thomas Reed, who compared the code of the notarized and that of an older (not notarized) Shlayer sample and spotted minor changes.

“It’s entirely possible that something in this code, somewhere, was modified to break any detection that Apple might have had for this adware. Without knowing how (if?) Apple was detecting the older sample, it would be quite difficult to identify whether any changes were made to the notarized sample that would break that detection,” he pointed out.

“This leaves us facing two distinct possibilities, neither of which is particularly appealing. Either Apple was able to detect Shlayer as part of the notarization process, but breaking that detection was trivial, or Apple had nothing in the notarization process to detect Shlayer, which has been around for a couple years at this point.”

Wardle notified Apple about the notarized Shlayer adware on August 28 and they revoked the used notarization certificates immediately. Two days later, though, the adware delivery campaign was still going strong: it was serving another Shlayer sample that had been notarized with another Apple Developer ID.

“The attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy. Clearly in the never ending cat & mouse game between the attackers and Apple, the attackers are currently (still) winning,” Wardle commented.

Reed pointed out that notarizing malicious software is just one of the ways adware distributors are trying to bypass macOS and user defenses.

“We’re seeing quite a few cases where malware authors have stopped signing their software, and have instead been shipping it with instructions to the user on how to run it,” he explained.

“The malware comes on a disk image (.dmg) file with a custom background. That background image shows instructions for opening the software, which is neither signed nor notarized.”