
Apple Security Feature Drops the Ball and Legitimizes Shlayer Malware

More and more macOS and iOS malware threats pop up, targeting your credentials, banking details, and personal information. 

What is Apple’s Notarization Process?

Apple's notarization process is an automated procedure that requires developers to submit the software they build for macOS so that it can be scanned for malicious code.

If the software passes the check, macOS Gatekeeper – security software that prevents unauthorized software from running – will allow the application to run on the OS.

Figure 1: Blocked Uncertified Application

This is a screenshot of a successfully blocked app that did not pass the notarization process. Source: Patrick Wardle via Objective-see.com

Apple says that this procedure gives their customer confidence that the software they run "doesn't contain known malware."
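As an added example that is not part of the article: a small POSIX shell helper that runs the same Gatekeeper assessment on an app bundle through Apple's `spctl` tool and classifies the verdict it prints. The bundle paths are assumptions, and the `spctl` output lines it matches on are the ones the tool prints on current macOS releases.

```shell
#!/bin/sh
# Classify a macOS app bundle the way Gatekeeper does, from the text that
# `spctl --assess --type execute -vv <bundle>` prints. Added example; not
# code from the article. A "notarized" verdict means only that Apple's scan
# found no *known* malware: the Shlayer samples in the article passed it.

# Turn spctl's output into one word:
#   notarized    accepted, source=Notarized Developer ID
#   apple        accepted, shipped by Apple itself
#   accepted     accepted for some other reason (e.g. user override)
#   unnotarized  rejected, Developer ID signed but never notarized
#   rejected     rejected for any other reason (no usable signature, ...)
#   unknown      text did not look like an spctl assessment at all
classify_spctl_output() {
    out="$1"
    case "$out" in
        *": accepted"*)
            case "$out" in
                *"source=Notarized Developer ID"*) echo notarized ;;
                *"source=Apple System"*)           echo apple ;;
                *)                                 echo accepted ;;
            esac ;;
        *": rejected"*)
            case "$out" in
                *"source=Unnotarized Developer ID"*) echo unnotarized ;;
                *)                                   echo rejected ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Run the real assessment (macOS only; use --type install for .pkg files).
# On a machine without spctl the verdict is "unknown" rather than an error.
assess_bundle() {
    bundle="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    out=$(spctl --assess --type execute -vv "$bundle" 2>&1)
    classify_spctl_output "$out"
}

# Usage: ./gatekeeper_check.sh /Applications/Foo.app ~/Downloads/Installer.app
for b in "$@"; do
    printf '%s\t%s\n' "$(assess_bundle "$b")" "$b"
done
```

Treat anything other than `apple` as "no known malware at most", and pair the verdict with the usual checks on where the download came from.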

However, Peter Dantini, a college student, accidentally discovered malware that can bypass Apple's certification procedure.

A security feature that failed to protect

Last August, Peter Dantini noticed that the website for Homebrew, an open-source software package management system, was redirecting visitors to a web page saying that Adobe Flash Player. The landing page was an obvious trap to Dantini, who knew that the offered download was not legitimate. Since Apple's security is built to stop precisely such threats, the student decided to click the link and see what would happen.

Figure 2: Fake Adobe Flash Player Download Website

In this image, we can see the craftily created pop-ups prompting users to download fake Adobe Flash Player updates. Source: Patrick Wardle via Objective-see.com

However, as Dantini discovered, Apple's protection is not flawless. The fake Flash Player website offered a download link for an installer that bypassed the security feature. The payload's code was notarized under a developer ID belonging to one Darien Watkins.

Dantini contacted Patrick Wardle, a principal security researcher at Jamf, who confirmed that the installer was infected with Shlayer, a common macOS malware. On August 28, the researcher notified Apple, which revoked the certificate of the malicious app the same day.

On August 30, Wardle had to, once again, notify Apple about the sneaky malware after he found another Shlayer-infected app, signed with a different Apple Developer ID.

"Both the old and 'new' payload(s) appears to be nearly identical, containing OSX.Shlayer packaged with the Bundlore adware. However the attackers' ability to agilely continue their attack (with other notarized payloads) is noteworthy," Wardle said in a blog post.

What is Shlayer?

Shlayer is a common macOS malware, which has been active for years. It was first spotted in February 2018 by Intego's research team, who observed the threat being distributed as a part of a malware campaign that used fake Adobe Player installers.

Last year, Carbon Black's Threat Analysis Unit observed a Shlayer variant escalating privileges and disabling the Gatekeeper protection mechanism in order to run unsigned second-stage payloads.

According to Kaspersky's telemetry, the threat was behind 29% of all Mac attacks. A new Kaspersky report from January 2020 reveals that the malware is still quite active, being responsible for 10% of all Mac attacks, which is bad news for the victims.

Once Shlayer infects a Mac, it proceeds to compromise the machine further. Its goal is to install multiple browser extensions and plug-ins that flood the victim with advertisements.

Conclusion

Although Shlayer is not as advanced and dangerous as the more sophisticated banking and credential-stealing trojans, it is a warning to all users who ignore their cybersecurity hygiene. Cybercriminals work hard to reach as many users as possible.

Security experts advise caution. Don't visit shady websites. Don't follow questionable pop-ups and ads. And, of course, download updates from official sources only.

Reactionary Times News Desk
