
Apple-notarized malware foils macOS defenses
2020-09-01 11:37

Shlayer adware creators have found a way to get their malicious payload notarized by Apple, allowing it to bypass anti-malware checks performed by macOS before installing any software.

The first known instance of notarized macOS malware was discovered last week by a college student, who noticed that users trying to download Homebrew but mistyping the URL were served a warning that their Adobe Flash Player was out of date, together with an "update" offered for download. Security researcher Patrick Wardle analyzed the served package and confirmed that it is not an update but a notarized version of the macOS Shlayer adware, which Gatekeeper consequently does not flag as malicious.

"We're still not exactly sure what the Shlayer folks did to get their malware notarized, but increasingly, it's looking like they did nothing at all," said Apple security expert Thomas Reed, who compared the code of the notarized sample with that of an older Shlayer sample and spotted only minor changes.

"It's entirely possible that something in this code, somewhere, was modified to break any detection that Apple might have had for this adware. Without knowing how Apple was detecting the older sample, it would be quite difficult to identify whether any changes were made to the notarized sample that would break that detection," he pointed out.

Two days later the adware delivery campaign was still going strong, serving another Shlayer sample that had been notarized under a different Apple Developer ID. "The attackers' ability to agilely continue their attack is noteworthy. Clearly in the never ending cat & mouse game between the attackers and Apple, the attackers are currently winning," Wardle commented.
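A defender-side check that follows from the above, added here as an example that is not from the article, from Apple or from any of the researchers quoted: it gates an installer package on the signer's Developer ID Team ID rather than on Gatekeeper's verdict alone, by parsing the text that `spctl --assess -vv` and `codesign -dvv` print. The allow-list value, the sample tool output and the function names are constructed assumptions.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Hypothetical allow-list of vetted Developer ID Team IDs (placeholder value).
TRUSTED_TEAM_IDS: Set[str] = {"ABCDE12345"}

@dataclass
class Verdict:
    gatekeeper_accepted: bool
    notarized: bool
    team_id: Optional[str]
    decision: str  # "allow", "review" or "block"

def parse_spctl(output: str) -> Tuple[bool, bool]:
    """spctl -vv prints '<path>: accepted' and 'source=Notarized Developer ID'."""
    accepted = re.search(r":\s*accepted\s*$", output, re.M) is not None
    return accepted, "source=Notarized Developer ID" in output

def parse_team_id(output: str) -> Optional[str]:
    """codesign -dvv prints 'TeamIdentifier=<10 chars>' (or 'not set')."""
    m = re.search(r"^TeamIdentifier=([A-Z0-9]{10})\s*$", output, re.M)
    return m.group(1) if m else None

def decide(spctl_out: str, codesign_out: str,
           trusted: Set[str] = TRUSTED_TEAM_IDS) -> Verdict:
    accepted, notarized = parse_spctl(spctl_out)
    team_id = parse_team_id(codesign_out)
    if not accepted:
        decision = "block"   # Gatekeeper itself refuses the file
    elif team_id in trusted:
        decision = "allow"   # signer the organization has already vetted
    else:  # notarized or not, an unfamiliar Developer ID gets a human look
        decision = "review"
    return Verdict(accepted, notarized, team_id, decision)

def assess_pkg(path: str, trusted: Set[str] = TRUSTED_TEAM_IDS) -> Verdict:
    # macOS only: run the real tools against an installer package (.pkg).
    sp = subprocess.run(["spctl", "--assess", "--type", "install", "-vv", path],
                        capture_output=True, text=True)
    cs = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return decide(sp.stdout + sp.stderr, cs.stdout + cs.stderr, trusted)

if __name__ == "__main__":
    # Constructed tool output mimicking a notarized installer from an unknown signer.
    spctl_sample = "FlashUpdate.pkg: accepted\nsource=Notarized Developer ID\n"
    codesign_sample = "Identifier=com.example.update\nTeamIdentifier=ZZZZZ99999\n"
    print(decide(spctl_sample, codesign_sample))
```

The point of the "review" branch is that a notarized file from a never-before-seen Team ID is exactly what this campaign shipped, so notarization alone should not promote a download to "allow".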


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/L55a_KYcb7c/