Security researchers have found that Apple’s macOS notarization process falsely approved malware disguised as a Flash installer.
Apple urges Mac app developers – including those distributing outside the App Store – to submit their apps for notarization so they can be checked for security problems and malicious code. If an app is not notarized, Gatekeeper will block it.
However, macOS security researcher Patrick Wardle and Twitter user Peter Dantini have discovered that at least some of the malicious code appears to have slipped through Apple’s security measures.
On Friday, Dantini noticed that an adware campaign distributing Flash installers actually contained malicious code that had been notarized by Apple. Notarization ensures that the installer is not blocked by the built-in Gatekeeper security feature: when a user double-clicks it, the installer simply runs and delivers its payload to the system.
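A defender checking a downloaded bundle can ask Gatekeeper for its verdict directly. The script below is an added example, not code from the article or from the researchers it describes: on macOS it runs `spctl -a -vv -t execute` against a bundle, and its `classify_spctl_output` function parses the resulting verdict so the parsing logic can be exercised with captured text on any POSIX shell. The sample outputs, bundle paths, team identifiers and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): classify an app bundle's Gatekeeper
# verdict. On macOS, `spctl -a -vv -t execute <bundle>` prints whether the
# bundle is accepted and, on its `source=` line, whether that acceptance
# rests on notarization or only on a Developer ID signature.

# Classify captured spctl output. Prints one of:
#   notarized    - accepted, and source is "Notarized Developer ID"
#   signed-only  - accepted on a Developer ID signature alone (older macOS)
#   rejected     - Gatekeeper would block execution
#   unknown      - output did not match the expected shape
classify_spctl_output() {
    out="$1"
    case "$out" in
        *": rejected"*) echo rejected; return 0 ;;
    esac
    case "$out" in
        *"source=Notarized Developer ID"*) echo notarized ;;
        *": accepted"*) echo signed-only ;;
        *) echo unknown ;;
    esac
}

# Run spctl on a real bundle (macOS only) and classify its verdict.
check_bundle() {
    bundle="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; run this on macOS" >&2
        return 2
    fi
    out=$(spctl -a -vv -t execute "$bundle" 2>&1)
    classify_spctl_output "$out"
}

# Constructed sample outputs in the shape spctl prints (hypothetical bundles).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

SAMPLE_UNNOTARIZED='/Users/me/Downloads/Installer.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Dev (TEAMID1111)'

# Usage on macOS: check_bundle /path/to/Some.app
```

A verdict of `notarized` only means Apple’s automated scan accepted the bundle when it was submitted; as the campaign above shows, that is not proof the code is benign. Once Apple revokes a notarization ticket or the developer certificate, the same bundle moves to `rejected`, so re-running the check after an incident like this one is worthwhile.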
As Wardle points out in his blog post, the approval is “a first”. For its part, Apple has said that notarization is not App Review: it is a much faster, automated process that scans for malware and code-signing problems.
In short, Apple’s notary service failed to detect the malicious code when it was submitted. The malware was approved to run on Macs, including beta versions of macOS Big Sur.
Apple revoked the malware’s notarization after Wardle reached out. In a statement to TechCrunch, Apple applauded Wardle’s efforts:
“Malicious software is constantly changing, and Apple’s notary system helps us keep malware off the Mac and react quickly if it is detected. In learning about this adware, we revoked the variant we identified, disabled the developer account, and revoked its certificates. We thank the researchers for helping us keep our users safe.”
As Apple admits, malware is constantly changing, so bad actors are likely to re-submit malicious payloads to Apple’s notary process. Wardle said that at least some of these payloads could be notarized.