Apple’s much-celebrated security system has been found to have mistakenly authorized a Mac malware campaign, allowing it to run free on macOS devices.
Since February, Apple has required all applications running on macOS (including apps sourced from outside the official Mac App Store) to be fully vetted before a user can run the executable file.
However, a Shlayer adware campaign managed to circumvent these tightened security filters, despite remaining largely identical to previous known strains.
Apple has long enjoyed a reputation as the manufacturer of the most secure devices around, which have been described as immune to the various cyberthreats facing Windows.
However, while it is technically true that malware designed to target Windows devices cannot run on macOS, Apple devices can still be vulnerable to similar threat types.
In this instance, attackers targeted macOS devices with Shlayer adware, designed to intercept browser queries and feed its own ads into search results, generating significant sums in revenue for its operators.
The Mac malware was previously found to be distributed by over 1,000 websites, each of which disguised the download in a slightly different fashion. At its peak, Shlayer was reportedly present on 10% of all Mac computers.
This latest malware campaign was discovered by college student Peter Dantini, who happened across a Shlayer download hosted on a fake Adobe Flash landing page. He was surprised to find that when he deliberately attempted to run the download, macOS did not intervene as it is designed to do.
Dantini passed his discovery over to security researcher Patrick Wardle – who recently identified a bug sequence that could be used to hijack Mac devices – to investigate further and liaise with Apple.
“I had been expecting that if someone were to abuse the notarization system it would be something more sophisticated or complex,” said Wardle.
“But in a way I’m not surprised that it was adware that did it first. Adware developers are very innovative and constantly evolving, because they stand to lose a ton of money if they can’t get around new defenses.”
Apple was notified of the issue on August 28 and claims to have withdrawn the malware’s notarization certificate on the same day.
“Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allow us to respond quickly when it’s discovered,” said the firm.
“Upon learning of this adware, we revoked the identified variant, disabled the developer account and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”
However, Wardle found that Shlayer was still alive and kicking two days later, notarized using a different Apple Developer ID. It is currently unclear how Shlayer continues to deceive the application vetting process.