Apple accidentally notarized a piece of common malware disguised as an Adobe Flash Player update and allowed it to run on macOS, according to a new report.
Cyber-security researchers Patrick Wardle and Peter Dantini discovered that Apple had approved an app, presented as an Adobe Flash installer update, that contained code used by the well-known Shlayer malware.
Shlayer is a trojan downloader that spreads via fake applications concealing its malicious code, then floods users with adware that is often difficult to remove.
Even cyber-security and anti-virus firm Kaspersky said in 2019 that the Shlayer trojan was the “most common threat” to Macs.
In 2019, Apple announced the notarization process in macOS 10.15 (Catalina), which requires every app to be reviewed by the Cupertino giant and signed by a developer before it can run on macOS, even when it is distributed outside the Mac App Store.
As part of the process, Apple’s built-in security screening software, Gatekeeper, checks every Mac app for possible security issues and malicious code. Only apps that pass the screening are allowed to run; the rest are blocked.
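For a defender who wants to see what Gatekeeper's verdict on an app actually looks like, the following added example (not code from the article or from the researchers it cites) wraps spctl(8), the command-line front end to Gatekeeper on macOS, and reduces its assessment output to a single verdict. The two sample outputs are constructed for illustration; the app paths, developer name and team identifier in them are placeholders, not real values.

```shell
#!/bin/sh
# Added example, not part of the original article.
# spctl --assess prints "<path>: accepted" or "<path>: rejected" followed by a
# "source=" line naming the policy that decided (for example
# "Notarized Developer ID" or "Unnotarized Developer ID").

# Reduce an spctl assessment transcript to one word:
#   notarized       accepted, and the deciding policy was notarization
#   accepted-other  accepted for another reason (e.g. App Store signature)
#   rejected        Gatekeeper would block it
#   unknown         output did not look like an assessment at all
classify_spctl_output() {
    out="$1"
    case "$out" in
        *": accepted"*"source=Notarized Developer ID"*) echo "notarized" ;;
        *": accepted"*)                                  echo "accepted-other" ;;
        *": rejected"*)                                  echo "rejected" ;;
        *)                                               echo "unknown" ;;
    esac
}

# Run the real assessment when spctl exists (macOS only). On other systems
# report "unavailable" rather than silently treating the app as accepted.
assess_app() {
    app="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "unavailable"
        return 0
    fi
    # --type execute evaluates the bundle as launchable code, as Gatekeeper
    # does when a user opens it. spctl exits non-zero on rejection, so the
    # "|| true" keeps the script alive under "set -e".
    out=$(spctl --assess --type execute --verbose=4 "$app" 2>&1) || true
    classify_spctl_output "$out"
}

# Constructed sample transcripts (placeholder paths, developer and team ID).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

SAMPLE_REJECTED='/Users/me/Downloads/FlashUpdate.app: rejected
source=Unnotarized Developer ID'

# Stand-alone demo: classify the samples, then assess a path if given.
classify_spctl_output "$SAMPLE_NOTARIZED"   # prints: notarized
classify_spctl_output "$SAMPLE_REJECTED"    # prints: rejected
[ -n "$1" ] && assess_app "$1"
```

A "notarized" verdict only records that Apple's scan accepted the signature at the time of the check; as the events below show, Apple can revoke a developer certificate or notarization after the fact, after which the same bundle assesses as rejected. Re-running the assessment, rather than caching an earlier result, is therefore the safer habit.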
According to Wardle, this is the first time Apple has mistakenly notarized malware since its notarization process debuted, meaning Apple’s checks failed to detect the malicious code when it was submitted for approval.
Following the discovery, Wardle reported the malware to Apple. The company disabled the developer account associated with the app and revoked its certificate on August 28.
However, on August 30, the adware campaign was still live and serving a new notarized payload.
“Both the old and ‘new’ payload(s) appear to be nearly identical, containing OSX.Shlayer packaged with the Bundlore adware,” said Wardle. “However the attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy. Clearly in the never-ending cat and mouse game between the attackers and Apple, the attackers are currently (still) winning.”
On August 31, Apple revoked these new notarized payloads as well.
“Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allows us to respond quickly when it’s discovered,” an Apple spokesperson told TechCrunch.
“Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”