Hackers Trick Apple's Famed Notarization Process to Install Malware on Macs

Using code-signing certificates that cost as little as $99, malware authors got the Shlayer adware past Apple's automated notarization scan

Apple's macOS is widely regarded as one of the more secure desktop platforms, or at least that is what the company wants you to believe. To shore up that reputation, Apple introduced a "notarization" process meant to keep malware off the Mac. But as it turns out, the Mac is not as safe as advertised: according to security researchers, Apple approved a piece of malware to run on macOS.

The malware in question is a familiar one: it poses as an Adobe Flash Player installer. Apple's notarization process is supposed to add an extra layer of security, but in this case it failed to detect the malicious code. Peter Dantini and Mac security researcher Patrick Wardle first noticed the malware in the form of a fake Adobe Flash installer.

Adobe Flash is hardly used nowadays on either Mac or Windows, and fake Flash installers have long been a standard lure for Mac malware. On macOS Catalina, software downloaded from the internet that has not been notarized is blocked from running. In this case, however, Apple had notarized the malware, so it ran on Macs without any warning.


Apple's Notarization

Apple introduced app notarization in 2018 and, starting with macOS Catalina (announced at WWDC 2019), made it a requirement for software distributed outside the Mac App Store: until software has been scanned and notarized, macOS will not run it. Notarization is distinct from code signing. The developer first signs the software with a Developer ID certificate, a cryptographic signature that lets macOS detect whether the code was altered after signing. The signed software is then submitted to Apple's automated service, which scans it for malicious content and, if it passes, issues a ticket that macOS checks before allowing the software to run.

Once a developer submits the signed software, it goes through an automated scan for malware. If none is found, the software is "notarized" and the developer can attach (staple) the resulting ticket to it. On macOS Catalina, downloaded software that is signed but not notarized is blocked with a dialog saying the app cannot be opened because "Apple cannot check it for malicious software".

Tricks to Go Undetected

Even so, the system has gaps. One is that malicious developers simply skip notarization: they distribute their software outside the App Store and ship it with installation instructions that tell the victim how to click past Gatekeeper's warning.

The other is that the process is cheap to enter. An Apple Developer Program membership costs $99 a year and comes with a Developer ID certificate. Malware authors buy one, sign their code with it, and submit it for notarization like any legitimate developer; once the automated scan passes, macOS runs the software without objection.


Notarization is fully automated and usually completes within minutes, and that automated scan is not thorough enough to catch every threat. Using a Developer ID certificate, the malware authors pushed the Shlayer adware through the process and got it notarized.
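The distinction the previous paragraphs rely on (signed versus signed and notarized, and whether Apple has since revoked the certificate) is exactly what an incident responder needs to check on a suspect installer. The following Python script is an added example, not code from the article, Apple or the researchers: it parses the output of Apple's own `spctl` and `codesign` tools into a verdict, and can run them live on macOS. The sample tool outputs embedded below are constructed to match the format of Catalina-era tools; the paths, developer name and Team ID are placeholders.

```python
"""Triage whether a macOS app is signed, notarized, and whether its signing
certificate still holds, by parsing the output of Apple's spctl and codesign.

Added example; not code from the article, Apple or the researchers. The sample
outputs below are constructed to match the format of Catalina-era tools; the
paths, developer name and Team ID are placeholders.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# --- constructed sample tool output (placeholders, not real captures) ---
SPCTL_NOTARIZED = (
    "/Applications/Install Flash Player.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Developer (ABCDE12345)\n"
)
SPCTL_UNNOTARIZED = (
    "/Applications/Install Flash Player.app: rejected\n"
    "source=Unnotarized Developer ID\n"
    "origin=Developer ID Application: Example Developer (ABCDE12345)\n"
)
SPCTL_UNSIGNED = (
    "/Applications/Install Flash Player.app: rejected\n"
    "source=no usable signature\n"
)
CODESIGN_OK = (
    "Executable=/Applications/Install Flash Player.app/Contents/MacOS/Installer\n"
    "Identifier=com.example.installer\n"
    "Format=app bundle with Mach-O thin (x86_64)\n"
    "Authority=Developer ID Application: Example Developer (ABCDE12345)\n"
    "Authority=Developer ID Certification Authority\n"
    "Authority=Apple Root CA\n"
    "TeamIdentifier=ABCDE12345\n"
    "/Applications/Install Flash Player.app: valid on disk\n"
)
# After Apple revokes a Developer ID certificate, `codesign --verify` fails
# with CSSMERR_TP_CERT_REVOKED while `codesign -dv` still shows the identity.
CODESIGN_REVOKED = CODESIGN_OK.replace("valid on disk", "CSSMERR_TP_CERT_REVOKED")
CODESIGN_UNSIGNED = "/Applications/Install Flash Player.app: code object is not signed at all\n"


@dataclass
class SigningVerdict:
    accepted: bool           # Gatekeeper would let it launch
    notarized: bool          # Apple's notarization ticket was found
    developer_id: bool       # signed with a Developer ID certificate
    team_id: Optional[str]   # Team ID of the signing identity, if signed
    revoked: bool            # certificate has been revoked by Apple


def classify(spctl_out: str, codesign_out: str) -> SigningVerdict:
    """Build a verdict from tool output.

    spctl_out:    output of `spctl --assess --type execute --verbose=4 <app>`
    codesign_out: output of `codesign -dv --verbose=4 <app>` followed by
                  `codesign --verify --verbose=2 <app>` (both write to stderr)
    """
    accepted = re.search(r": accepted\s*$", spctl_out, re.M) is not None
    source = re.search(r"^source=(.*)$", spctl_out, re.M)
    source_text = source.group(1).strip() if source else ""
    team = re.search(r"^TeamIdentifier=(\S+)$", codesign_out, re.M)
    team_id = team.group(1) if team and team.group(1) != "not set" else None
    return SigningVerdict(
        accepted=accepted,
        notarized=source_text == "Notarized Developer ID",
        developer_id="Developer ID" in source_text,
        team_id=team_id,
        revoked="CSSMERR_TP_CERT_REVOKED" in codesign_out,
    )


def describe(v: SigningVerdict) -> str:
    """One-line analyst summary of a verdict."""
    if v.team_id is None:
        return "unsigned: Gatekeeper blocks it on Catalina"
    if v.revoked:
        return f"signed by team {v.team_id} but the certificate is revoked: Gatekeeper now blocks it"
    if v.notarized:
        return f"signed by team {v.team_id} and notarized: runs without any warning"
    return f"signed by team {v.team_id} but not notarized: blocked unless the user overrides Gatekeeper"


def _run(cmd: List[str]) -> str:
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def triage(path: str) -> SigningVerdict:
    """Live check of an app bundle; only works where spctl/codesign exist (macOS)."""
    if sys.platform != "darwin":
        raise RuntimeError("spctl and codesign are only available on macOS")
    spctl_out = _run(["spctl", "--assess", "--type", "execute", "--verbose=4", path])
    codesign_out = _run(["codesign", "-dv", "--verbose=4", path])
    codesign_out += _run(["codesign", "--verify", "--verbose=2", path])
    return classify(spctl_out, codesign_out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(describe(triage(sys.argv[1])))
    else:  # offline demo on the constructed samples
        print(describe(classify(SPCTL_NOTARIZED, CODESIGN_OK)))
        print(describe(classify(SPCTL_UNNOTARIZED, CODESIGN_REVOKED)))
```

The Team ID is the value worth pivoting on: Apple revokes certificates per developer account, so a notarized sample whose Team ID matches a previously revoked one, or that reappears under a fresh account with the same payload, is the pattern the article goes on to describe.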

According to anti-virus vendor Kaspersky, Shlayer is the most common threat to Macs. It is a trojan downloader: it spreads through fake applications such as the Flash installer and, once run, fetches and installs adware that floods the user with unwanted ads. Some of that adware can also intercept encrypted web traffic, including HTTPS sites, and replace the legitimate ads on a page with fraudulent ones.

After Wardle reported the threat to Apple, the company revoked the signing certificates, which neutralized the malware to some extent. However, Wardle told TechCrunch that the malware authors were soon back with a different payload, and that one had been notarized too.

Image caption: Hidden inside a fake Adobe Flash installer, the Shlayer adware was also signed to run on Apple's upcoming macOS Big Sur (credit: Patrick Wardle)

Apple thanked Wardle and Dantini for their contribution and said that it had since identified the different methods and blocked the certificates.

"Apple's notarization system helps us keep malware off the Mac and allow us to respond quickly when it's discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates," Apple said in a statement.
