Accidental Apple Notarization Repeatedly Approved A Common MacOS Malware


Apple has some of the strictest platform rules in the industry, which lets it police its platforms more effectively than many of its competitors.

But that does not mean Apple is immune to flaws. In the case of the Mac, Apple accidentally approved one of the most common malware threats to run even on the most recent macOS Catalina. While Apple quickly fixed the first lapse, a similar one popped up soon after.

Both problems occurred during the 'notarization' process.

In 2019, Apple started requiring developers to submit their apps for security checks, in which Apple scans the apps for security issues and malicious content.

If approved, an app passes Gatekeeper, the Mac's built-in security screening software, and is allowed to run on Macs unhindered. If rejected, the app fails Gatekeeper and is blocked from running.

Now security researchers say they have found the first Mac malware inadvertently notarized by Apple.

Peter Dantini, working with Mac security researcher Patrick Wardle, found a malware campaign disguised as an Adobe Flash installer.

These campaigns are common and have been around for years. Even though Flash is now rarely used and is considered obsolete, the campaign still hunts for potential victims. On Macs, these malicious installers have run as unnotarized code, so Macs block them immediately when opened.

However, Dantini and Wardle found that one malicious Flash installer had its code notarized by Apple, allowing it to run on Macs.

The approved code carried the widespread Shlayer malware, a kind of adware that intercepts encrypted web traffic, even from HTTPS-enabled sites. It can also replace ads on websites and in search results with its own ads, earning the operators fraudulent ad revenue.

"As far as I know, this is a first," Wardle wrote in a blog post.

Because the malicious installer was notarized by Apple, it could run without a problem on macOS computers.

After Wardle reported the finding, Apple realized it had accidentally accepted the malware and revoked its approval as quickly as it could, to prevent the malware from running on Macs in the future.

"Malicious software constantly changes, and Apple's notarization system helps us keep malware off the Mac and allow us to respond quickly when it's discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe," said a spokesperson for Apple.

But Wardle said the attackers were back soon after with a new, also notarized payload, once again getting past Apple's notarization checks.

In a follow-up, Apple said that both the old and the new malware had their notarization revoked.

It should be noted that iOS is considered a more locked-down ecosystem because all apps must be downloaded through Apple's App Store. In contrast, Mac users can download apps from the App Store as well as from anywhere else on the web.

This makes the macOS ecosystem harder to secure, which is why notarization is needed.

Notarization, according to Apple's documentation page, "is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly."

Apple recommends that all developers notarize all of the software they have distributed, including older releases, and even software that doesn't meet all of these requirements or that is unsigned.
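As an added practitioner's check that is not part of the original article: the script below classifies Gatekeeper's verdict for an app bundle, which is how the pass/block behaviour described above, and a later ticket revocation, shows up on a Mac. `spctl --assess -vv --type exec` is a real macOS command; the exact `source=` strings it prints are assumed from observed output, and the sample bundle path and Team ID are constructed.

```shell
#!/bin/sh
# Added example (not from the article). Gatekeeper assessment output looks like:
#   /Applications/Foo.app: accepted        (or "rejected", possibly with a reason)
#   source=Notarized Developer ID          (assumed source strings, see below)
#   origin=Developer ID Application: Vendor (TEAMID)

# gatekeeper_verdict reads spctl output on stdin and prints one word:
#   NOTARIZED    accepted, and the source is a notarized Developer ID
#   SIGNED_ONLY  accepted by some other rule (App Store, user override); review it
#   UNNOTARIZED  rejected because no notarization ticket was found
#   REJECTED     rejected for any other reason (no usable signature, revoked ticket)
gatekeeper_verdict() {
    verdict=""; source=""
    while IFS= read -r line; do
        case "$line" in
            source=*)         source="${line#source=}" ;;
            *": accepted")    verdict=accepted ;;
            *": rejected"*)   verdict=rejected ;;
        esac
    done
    case "$verdict:$source" in
        accepted:"Notarized Developer ID")    echo NOTARIZED ;;
        accepted:*)                           echo SIGNED_ONLY ;;
        rejected:"Unnotarized Developer ID")  echo UNNOTARIZED ;;
        *)                                    echo REJECTED ;;
    esac
}

# assess_app runs spctl on a real bundle when the tool exists; elsewhere it
# feeds a constructed sample (fake path and Team ID) through the same parser,
# so the script runs end to end on any POSIX shell.
assess_app() {
    if command -v spctl >/dev/null 2>&1; then
        spctl --assess -vv --type exec "$1" 2>&1 | gatekeeper_verdict
    else
        printf '%s\n' "$1: rejected" \
            "source=Unnotarized Developer ID" \
            "origin=Developer ID Application: Example Corp (TEAMID0000)" \
            | gatekeeper_verdict
    fi
}

# Usage: sh gatekeeper_check.sh /Applications/Some.app
if [ $# -gt 0 ]; then
    assess_app "$1"
fi
```

A verdict other than NOTARIZED on a freshly downloaded installer is the signal the article describes: either the ticket was never issued, or Apple has since revoked it, as happened with the Shlayer payloads.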

Published: 31/08/2020