Apple’s automated notarization process incorrectly approved Mac malware

Security researchers have found that Apple’s macOS notarization process approved malware disguised as a Flash installer.

Apple requires Mac app developers – including those distributing outside the App Store – to submit their apps for notarization so they can be checked for security problems and malicious code. Apps that fail notarization are blocked by Gatekeeper.

However, macOS security researcher Patrick Wardle and Twitter user Peter Dantini have discovered that at least some malicious code appears to have slipped through Apple’s checks.
</gml_replace>
<gr_replace lines="11" cat="clarify" orig="On Friday">
On Friday, Dantini noticed that an adware campaign pushing fake Flash installers was delivering malicious code that had been notarized by Apple. Notarization means the installer is not blocked by the built-in Gatekeeper security feature: when a user opens it, the installer simply runs and delivers its payload to the system.

On Friday, Dantini noticed that an adware campaign for Flash installers actually contained malicious code that had been notarized by Apple. This authentication ensures that the installation program is not blocked by the integrated gatekeeper security function. When a user clicks on it, the installer simply runs and delivers its payload to a system.

Wardle confirmed that the notarized code was part of the Shlayer adware, which is considered the biggest malware threat to Mac users. Shlayer intercepts web traffic and replaces ads with its own, fraudulently making money for its operators.

In his blog post, Wardle calls the approval “a first”. For its part, Apple has said that notarization is not an app review: it is a much faster, automated process that scans for malware and code-signing problems.

In short, Apple’s notarization process failed to detect the malicious code when it was submitted. As a result, the malware was approved to run on Macs, including on beta versions of macOS Big Sur.

Apple revoked the malware’s notarization after Wardle reached out. In a statement to TechCrunch, Apple applauded Wardle’s efforts:

“Malicious software is constantly changing, and Apple’s notary system helps us keep malware off the Mac and react quickly if it is detected. In learning about this adware, we revoked the variant we identified, disabled the developer account, and revoked its certificates. We thank the researchers for helping us keep our users safe.”

As Apple admits, malware is constantly changing – so bad actors are likely to re-submit new malicious payloads to Apple’s notarization process. Wardle said that at least some of these payloads could again be notarized.