When could Apple's malware protection pose a higher risk to users than no protection at all? When a trojan that sticks out like a sore thumb, and that is one of the biggest threats on the macOS platform, is certified as safe.
The world got this object lesson over the weekend, after Apple gave its imprimatur to the latest samples of "Shlayer," a trojan that has been one of the most prolific pieces of Mac malware, if not the most prolific, for more than two years. The seal of approval came in the form of notarization, a mechanism Apple introduced in macOS Mojave to, in Apple's words, "give users more confidence" that an app they install has been "checked by Apple for malicious components."
With macOS Catalina, notarization became a requirement for all apps. Unless it is installed using methods Apple doesn't mention (more on that later), an un-notarized app produces a notice saying it "can't be opened because Apple cannot check it for malicious software."
Classic Shlayer … with a big difference
On Friday, college student Peter H. Dantini discovered that homebrew(.)sh, a typosquat of the legitimate Homebrew site brew.sh, was pushing a fake Adobe Flash update that warned visitors their current version lacked the latest security updates.
It was a classic Shlayer campaign, resembling the hundreds or thousands of earlier campaigns that used fake Flash updates to infect users with adware, with one major difference: the trojan was notarized by Apple. Patrick Wardle, a security researcher at Jamf, which makes enterprise management software for macOS and iOS, believes this is the first malware to receive the notarization "seal of approval."
Wardle notified Apple of the mistakenly notarized file on Friday, and the company quickly revoked the notarization, preventing the trojan from infecting up-to-date Macs. On Sunday, Wardle said, he found that the site was serving a new malicious payload that had also been notarized by Apple.
"Unfortunately, a system that promises trust, yet fails to deliver, may ultimately put users at more risk," Wardle wrote in a post. "How so? If Mac users buy into Apple's claims, they are likely to fully trust any and all notarized software. This is extremely problematic as known malicious software (such as OSX.Shlayer) is already (trivially?) gaining such notarization!"
Antivirus provider Malwarebytes added, "Unfortunately, it appears that notarization means less security, rather than more."
In defense of notarization
In a statement, Apple officials wrote: "Malicious software constantly changes, and Apple's notarization system helps us keep malware off the Mac and allows us to respond quickly when it's discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe."
In Apple's defense, the company has always been clear that notarization is an automated system that scans submitted software for malicious content and checks for code-signing issues, then returns the results quickly. Apple never presented it as a comprehensive security review.
Another point in Apple's favor: when Dantini discovered the malware and Wardle reported it, the sample had no detections on VirusTotal, the Alphabet-owned malware scanning service that aggregates results from more than 60 antivirus engines. And Google's Play Store regularly lets malicious apps through, even though its Bouncer service is supposed to screen for nefarious behavior.
And even when notarization does stop an app from installing the normal way, the mechanism isn't hard to bypass. As the screenshot below (courtesy of Malwarebytes) shows, un-notarized versions of Shlayer have long used a custom disk-image background that instructs users to right-click the file instead of double-clicking it as usual, and then choose Open.
The malware is now installed.
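The notarization and quarantine state described above can be inspected from the command line, which is what a responder would do when triaging a suspicious installer like the fake Flash updater. The following Python script is an added example, not code from the article, from Apple, or from any vendor mentioned; it assumes macOS's stock `spctl` and `xattr` tools, parses the verdict lines `spctl --assess` prints (`accepted`/`rejected`, `source=`, `origin=`), and decodes the `com.apple.quarantine` extended attribute, whose `flags;timestamp;agent;uuid` layout is assumed from commonly observed values. The sample outputs embedded below are constructed for offline use; the bundle paths, signing identities and team IDs in them are made up.

```python
"""Triage a macOS app's Gatekeeper status: notarized, merely signed, or unsigned.

Added example (not from the article or Apple). Assumes /usr/sbin/spctl and
/usr/bin/xattr from macOS; the constructed samples below let the parsing
run anywhere.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Verdict:
    accepted: bool            # Gatekeeper would allow launch via double-click
    source: str               # e.g. "Notarized Developer ID", "no usable signature"
    origin: Optional[str]     # signing identity line, if spctl printed one

    @property
    def notarized(self) -> bool:
        # "Unnotarized Developer ID" also contains "notarized", so anchor at the start.
        return self.accepted and self.source.lower().startswith("notarized")


def parse_spctl(output: str) -> Verdict:
    """Parse `spctl --assess --verbose=4 --type execute PATH` output."""
    accepted, source, origin = False, "unknown", None
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.endswith(": rejected"):
            accepted = False
        elif line.startswith("source="):
            source = line.split("=", 1)[1]
        elif line.startswith("origin="):
            origin = line.split("=", 1)[1]
    return Verdict(accepted, source, origin)


def classify(v: Verdict) -> str:
    """Human-readable bucket for reporting."""
    if v.notarized:
        return "notarized"
    if v.origin:
        return "signed, not notarized"
    return "unsigned or rejected"


# Assumed layout: hex flags ; hex download time ; downloading agent ; event UUID
QUARANTINE_RE = re.compile(r"^([0-9a-fA-F]+);([0-9a-fA-F]+);([^;]*);?(.*)$")


@dataclass
class Quarantine:
    flags: int
    downloaded_at: datetime
    agent: str
    event_id: str


def parse_quarantine(value: str) -> Optional[Quarantine]:
    """Decode a com.apple.quarantine value; None if it doesn't match the layout."""
    m = QUARANTINE_RE.match(value.strip())
    if not m:
        return None
    flags, ts, agent, event_id = m.groups()
    when = datetime.fromtimestamp(int(ts, 16), tz=timezone.utc)
    return Quarantine(int(flags, 16), when, agent, event_id)


def assess(path: str) -> dict:
    """Run the real tools against a bundle. Only works on macOS."""
    if shutil.which("spctl") is None:
        raise RuntimeError("spctl not found; this check only runs on macOS")
    proc = subprocess.run(
        ["spctl", "--assess", "--verbose=4", "--type", "execute", path],
        capture_output=True, text=True,
    )
    verdict = parse_spctl(proc.stdout + proc.stderr)  # spctl may use either stream
    xa = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                        capture_output=True, text=True)
    quarantine = parse_quarantine(xa.stdout) if xa.returncode == 0 else None
    return {"path": path, "class": classify(verdict),
            "verdict": verdict, "quarantine": quarantine}


# Constructed sample outputs (fictional paths and identities) for offline use.
SAMPLE_NOTARIZED = """/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)
"""
SAMPLE_UNNOTARIZED = """/Volumes/Flash Player/Install.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Dev (ZYXWV98765)
"""
SAMPLE_UNSIGNED = """/Volumes/Flash Player/Install.app: rejected
source=no usable signature
"""
SAMPLE_QUARANTINE = "0081;5f4a7c3e;Safari;4B2E6A8C-1F3D-4E5A-9B7C-0D1E2F3A4B5C"

if __name__ == "__main__":
    for s in (SAMPLE_NOTARIZED, SAMPLE_UNNOTARIZED, SAMPLE_UNSIGNED):
        print(classify(parse_spctl(s)))
    print(parse_quarantine(SAMPLE_QUARANTINE))
```

The right-click-then-Open path that Shlayer's disk image coaches users through produces a launch that `spctl --assess` would still report as `rejected`, and the quarantine attribute, with its download timestamp and downloading agent, typically survives the user's approval, so an inventory built on these two checks still surfaces installers that never passed Gatekeeper on their own merits.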
Toothless … and a pain to use
At the same time, as Andrew Cunningham, now a freelance reviewer for Ars, noted last year, notarization is a burden for both users and developers. It is meant to build on the code-signing protection Apple introduced earlier, which requires developers to sign their apps with a cryptographic certificate issued by Apple. If the service made users safer, there would be a good argument that it is worth the inconvenience. That case is harder to make when the feature gives users a false sense of security.
Notarization looks especially toothless when it fails to catch this particular malware family. As Kaspersky Lab reported in January, Shlayer has been the top threat to macOS for about two years and accounted for roughly 30 percent of all detections on the operating system in 2019. Shlayer goes well beyond the annoyance of adware, too. Among other things, the malware decrypts and reads encrypted HTTPS traffic after using clickjacking techniques to trick users into installing a self-signed cryptographic certificate. It also records user IDs.
Apple's mistake is even harder to understand given the files found on Friday and Sunday.
"It was a fake Flash Player update ... with the Adobe icon and everything ... that of course wasn't signed by Adobe," Wardle told me in an online chat. "You'd think that would be a big red flag that Apple would just block anyway, like, um, anything masquerading as a 'Flash' update ... yah, no, notarized, because who cares what it does (i.e., what malware/adware it is), obv. it's wrong/malicious."
Updated to add the penultimate paragraph.