Apple has on at least two occasions mistakenly approved and notarized an app containing a common type of malware.
Apple requires developers to submit their apps for security checks before they can run on a macOS machine. The process is called “notarization.” If software is not notarized, macOS blocks it from running by default. Notarization has been required since the launch of macOS Catalina, last year.
TechCrunch tells us about it:
The process, which Apple calls “notarization,” scans an app for security issues and malicious content. If approved, the Mac’s in-built security screening software, Gatekeeper, allows the app to run. Apps that don’t pass the security sniff test are denied, and are blocked from running.
But security researchers say they have found the first Mac malware inadvertently notarized by Apple.
Peter Dantini, working with well-known Mac security researcher Patrick Wardle, reports finding a trojan malware app disguised as an Adobe Flash installer. The code had been notarized by Apple and would run on a Mac, whereas normally such processes would be blocked.
The app contained “Shlayer” malware, which is ranked as the “most common threat” to Macs in 2019. Shlayer is a type of adware: it intercepts encrypted web traffic, even from HTTPS-enabled websites, and replaces it with its own ads to fraudulently raise ad revenue.
Given that the malware code is common, it is surprising that Apple missed it when the malicious code was submitted for notarization. When Dantini and Wardle notified Apple, the company immediately revoked the app’s notarization.
“Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allow us to respond quickly when it’s discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe,” an Apple spokesperson told TechCrunch.
Despite that, the researchers have discovered another malware trojan that the bad guys were able to get notarized by Apple. That second bit of malware was still carrying the Apple seal of approval as of yesterday.
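For anyone who wants to check an installer on their own Mac rather than trust the seal of approval, the script below asks Gatekeeper for its verdict and reports how the app was approved. This is an added example, not code from the article or from the researchers; it assumes a macOS host with spctl(8) and codesign(1) available, and the app path is whatever you pass in. Because Gatekeeper consults Apple for the notarization ticket, an app whose ticket Apple has revoked (as with the first Shlayer sample) is reported as rejected once the Mac is online, while the second sample would still come back as notarized until Apple pulls it.

```shell
#!/bin/sh
# Ask Gatekeeper whether a macOS app bundle or binary may run, and classify
# the reason it gives. Added example; assumes macOS with spctl(8)/codesign(1).
# For .pkg installers use "--type install" instead of "--type execute".

assess_app() {
  path="$1"
  if ! command -v spctl >/dev/null 2>&1; then
    echo "unavailable"          # spctl(8) only exists on macOS
    return 0
  fi
  if [ ! -e "$path" ]; then
    echo "missing"
    return 0
  fi
  # spctl prints "accepted" or "rejected" followed by "source=..." lines
  # such as "source=Notarized Developer ID" or "source=Unnotarized Developer ID".
  out=$(spctl --assess --type execute -vv "$path" 2>&1)
  case "$out" in
    *"source=Notarized Developer ID"*) echo "notarized" ;;        # passed notarization
    *"accepted"*)                      echo "accepted-other" ;;   # e.g. Mac App Store
    *)                                 echo "rejected" ;;         # unsigned, unnotarized, or revoked
  esac
}

# Print the signing chain and Team ID; these are what Apple revokes
# ("revoked the associated certificates") when it pulls a notarization.
signing_identity() {
  path="$1"
  command -v codesign >/dev/null 2>&1 || { echo "unavailable"; return 0; }
  codesign -dv --verbose=4 "$path" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' || true
}

# Usage: sh check_notarization.sh "/Volumes/Flash Player/Install.app"
if [ -n "$1" ]; then
  echo "gatekeeper: $(assess_app "$1")"
  signing_identity "$1"
fi
```

A verdict of "rejected" for something that claims to be an Adobe Flash installer is the expected outcome; "notarized" does not prove the app is clean, as this story shows, but a revoked or unnotarized result is a strong reason to stop before opening it.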
This isn’t the first bit of malware-related bad news for Apple in August. Earlier in the month, security researchers at Trend Micro discovered a new form of Mac malware that can “command and control” a targeted computer and is injected into Xcode projects.