Apple accidentally approved a widespread piece of malware disguised as an Adobe Flash Player update and allowed it to run on macOS, according to a new report.
Security researchers Patrick Wardle and Peter Dantini discovered that Apple had approved an app, posing as an Adobe Flash installer update, that contained code used by the well-known Shlayer malware.
Shlayer is a trojan downloader that spreads through fake applications concealing its malicious code and floods users with adware that is often difficult to remove.
Even the cybersecurity and anti-virus firm Kaspersky said in 2019 that the Shlayer Trojan was the “most common threat” to Macs.
In 2019, Apple announced the notarization process in macOS 10.15 (Catalina), which requires every app to be reviewed by the Cupertino giant and signed by a developer before it can run on macOS, even when it is distributed outside the Mac App Store.
As part of the process, Apple’s built-in security screening software, called “Gatekeeper”, checks every Mac app for possible security issues and malicious code. Only apps that pass the screening are allowed to run; the rest are blocked.
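For a defender who wants to see what Gatekeeper actually concludes about a downloaded installer, the verdict is exposed by the macOS `spctl --assess` command. The script below is an added example, not code from the article or from the researchers it cites: it parses that command's text output into structured records and flags anything that is not a currently notarized Developer ID app or Apple system software. The output format (a `path: accepted|rejected` line followed by `source=` and `origin=` lines) is assumed from spctl's usual behaviour, and the sample output, paths, developer name and team id are constructed placeholders.

```python
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what `spctl --assess --verbose=4 --type execute <app>`
# prints for three apps (format assumed from spctl's usual output; the paths,
# developer name and team id are placeholders, not values from the article).
SAMPLE_OUTPUT = """\
/Users/analyst/Downloads/FlashInstaller.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: EXAMPLE DEVELOPER (TEAMID0000)
/Users/analyst/Downloads/OtherTool.app: rejected
source=no usable signature
/Applications/Safari.app: accepted
source=Apple System
"""

# Source strings Gatekeeper reports for code it trusts outright.
TRUSTED_SOURCES = {"Notarized Developer ID", "Apple System", "Mac App Store"}

_VERDICT_LINE = re.compile(r"^(?P<path>.+): (?P<verdict>accepted|rejected)\b(?P<note>.*)$")


@dataclass
class Verdict:
    path: str
    accepted: bool
    source: str = ""
    origin: Optional[str] = None
    note: str = ""

    @property
    def notarized(self) -> bool:
        """True only for an app Gatekeeper currently sees as a notarized Developer ID app."""
        return self.accepted and self.source == "Notarized Developer ID"


def parse_spctl(output: str) -> List[Verdict]:
    """Turn spctl's text output (one 'path: verdict' line per app, followed by
    source=/origin= lines) into Verdict records."""
    verdicts: List[Verdict] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = _VERDICT_LINE.match(line)
        if m:
            verdicts.append(Verdict(path=m["path"],
                                    accepted=(m["verdict"] == "accepted"),
                                    note=m["note"].strip()))
        elif verdicts and line.startswith("source="):
            verdicts[-1].source = line[len("source="):]
        elif verdicts and line.startswith("origin="):
            verdicts[-1].origin = line[len("origin="):]
    return verdicts


def needs_review(verdicts: List[Verdict]) -> List[Verdict]:
    """Anything Gatekeeper rejected, or accepted from a source outside the
    trusted set, deserves a closer look before it is run."""
    return [v for v in verdicts if not v.accepted or v.source not in TRUSTED_SOURCES]


def assess_live(paths: List[str]) -> Optional[List[Verdict]]:
    """Run spctl on the given bundles (macOS only; returns None elsewhere).
    spctl exits non-zero for rejected code, so the exit status is ignored and
    the printed verdict is parsed instead."""
    if shutil.which("spctl") is None:
        return None
    chunks = []
    for p in paths:
        proc = subprocess.run(["spctl", "--assess", "--verbose=4", "--type", "execute", p],
                              capture_output=True, text=True)
        chunks.append(proc.stdout + proc.stderr)
    return parse_spctl("\n".join(chunks))


if __name__ == "__main__":
    for v in parse_spctl(SAMPLE_OUTPUT):
        flag = "OK    " if v.notarized or v.source == "Apple System" else "REVIEW"
        print(f"{flag} {v.path} [{v.source}]")
```

The point the article makes is the caveat for this check: an `accepted` / `Notarized Developer ID` verdict is a statement about Apple's review at one moment, not proof that the code is benign. Once Apple revokes the developer certificate or the notarization ticket, the same bundle stops being reported as notarized, so the verdict is worth re-running, and a notarized result on an installer obtained from an untrusted download page should still be treated as a prompt to look closer rather than as a clean bill of health.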
According to Wardle, this is the first time Apple has mistakenly notarized malware since the debut of its notarization process. It means Apple did not detect the malicious code when it was submitted for approval.
Following the discovery, Wardle reported the malware to Apple. The company disabled the developer account associated with the app and revoked its certificates on August 28.
However, on August 30, the adware campaign was still live and serving up a new notarized payload.
“Both the old and ‘new’ payload(s) appears to be nearly identical, containing OSX.Shlayer packaged with the Bundlore adware,” said Wardle. “However the attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy. Clearly in the never-ending cat and mouse game between the attackers and Apple, the attackers are currently (still) winning.”
On August 31, Apple revoked these new notarized payloads as well.
“Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allow us to respond quickly when it’s discovered,” an Apple spokesperson told TechCrunch.
“Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”