Apple-notarized malware foils macOS defenses (Security News, September 2020)

Shlayer adware creators have found a way to get their malicious payload notarized by Apple, allowing it to bypass anti-malware checks performed by macOS before installing any software.
The first known instance of notarized macOS malware was discovered last week by a college student, who noticed that people trying to download Homebrew who mistype the URL are served a warning claiming their Adobe Flash Player is out of date and offering an "update" for download. Security researcher Patrick Wardle analyzed the served package and confirmed that it is not an update but a notarized version of the macOS Shlayer adware, which Gatekeeper consequently does not flag as malicious.
"We're still not exactly sure what the Shlayer folks did to get their malware notarized, but increasingly, it's looking like they did nothing at all," said Apple security expert Thomas Reed, who compared the code of the notarized sample with that of an older Shlayer sample and spotted only minor changes.
"It's entirely possible that something in this code, somewhere, was modified to break any detection that Apple might have had for this adware. Without knowing how Apple was detecting the older sample, it would be quite difficult to identify whether any changes were made to the notarized sample that would break that detection," he pointed out.
Two days later, the adware delivery campaign was still going strong: it was serving another Shlayer sample, this one notarized under a different Apple Developer ID. "The attackers' ability to agilely continue their attack is noteworthy. Clearly in the never-ending cat & mouse game between the attackers and Apple, the attackers are currently winning," Wardle commented.
News URL: http://feedproxy.google.com/~r/HelpNetSecurity/~3/L55a_KYcb7c/