Apple-Notarized Malware: What It Is and How It Affects Mac Users | Tripwire

Apple-Notarized Malware: What It Is and How It Affects Mac Users

Posted on November 22, 2020
Apple-Notarized Malware: What It Is and How It Affects Mac Users
Malicious actors are targeting Apple. Although Apple introduced a notarization mechanism to scan and prevent malicious code from running on Apple devices, attackers have found ways to circumvent this process. Such Apple-notarized malware constitutes a threat to macOS users. Let us start by exploring what Apple notarization is. We will then discuss some recent examples of Apple-notarized malware and some prevention techniques.

What is Apple Notarization?

To inhibit the installation of malware through its App Store and from running on Apple-developed devices, Apple uses a range of technologies. These include the following:
  • App Review: Apple industry has its own set of standards and guidelines. Every application that wants to be published on the App Store needs to follow these rules in order to earn a place on the app marketplace.
  • Certificate Signing Request (CSR): This feature ensures the authenticity of an app to users and indicates that it has not been modified after code signing. The macOS Gatekeeper validates the app signing certificate and runs a security check of the application. It also uses a known malware list to scan the app. If there is an issue with the code signing certificate or if Gatekeeper detects malware, then Apple blocks the software.
  • Notarization: Apple notarization is an automatic investigatory process that checks for issues in the certificate and looks for any suspicious code running on the app. If the software clears this exam after complete verification, it receives a successful notarization ticket. This tells Gatekeeper that the package is Apple notarized, which means it is secure enough to run.
All new apps must go through these security checks before being offered to users for download via the App Store. This ensures that the software is coming from an authenticated entity and that it does not contain any malware.

What do you mean by Apple-notarized malware?

The Apple notarization mechanism was introduced to increase device security by detecting and blocking malicious apps from being downloaded on a macOS system. However, malicious actors have begun using special commands to bypass this security method. A Twitter user discovered the first publicly known instance of Apple-notarized malware. He noticed a pattern where someone wanted to visit Homebrew’s legitimate website (brew.sh) and mistakenly wrote the wrong URL (homebrew.sh) in the search bar. After successive redirects, they landed on a new website and was prompted to update their Adobe Flash Player on the pretext that it had expired. The disguised software ran on the macOS system, which means that Apple had scanned the code. Apple was not able to find any malware, so it had notarized it accidentally. Patrick Wardle, a security researcher, examined the software and confirmed that this was not new adware but a notarized version of OSX.Shlayer malware. This notarized malware can be detected by various third-party antivirus software. Apple’s security teams analyzed the notarized malware to understand how the attackers might have modified their adware to go undetected. They observed that the Apple notarization method might have detected Shlayer but failed to act on the detection to block the software. Alternatively, they proposed that the Apple notarization process wasn’t then capable of identifying OSX.Shlayer and that the malware might have been hiding on our machines since its introduction into the wild.

Ways to Defend Yourself Against Apple Malware Like OSX.Shlayer

Malicious actors keep finding ways to prey upon Apple users. Simultaneously, the Apple notarization mechanism has not been able to completely block all malware from running on macOS devices.  Users should therefore protect themselves and their organizations against malware like OSX.Shlayer by following and implementing best security practices. These include the following guidelines:
  • Train your employees: The first step in protecting yourself and your company from digital threats is to train your employees. You should aim to keep your workers fully informed about all known risk For instance, your employees should be aware of social engineering techniques that use fake Adobe Flash Player updates.
  • Pay mind to EDR: You and all your workforces should use Endpoint Detection and Response (EDR) techniques to look for malware. These protection schemes will assist you in quickly detecting endpoint threats. This will help you block Apple malware.
  • Install an anti-virus software: You should protect your devices with an up-to-date anti-malware solution.
  • Download new apps only through approved channels: Mac users should download all the applications they need from the App Store. If the required software is not available on the App Store, then they should visit the official website of the app developer instead of downloading it through a third-party site.
  • Check for software reputation: When downloading software from a website, spend a few minutes to look through the reputation of the developer and the application. This will assist you in determining whether to download this app.
  • Be cautious around links: As many websites can redirect you to websites containing adware, exercise caution around links that ask you to update or install software. Always go to the official website of the developer to install any updates or download a new app.
  • Update software regularly: Older systems and software can easily be attacked by attackers, as they lack new security updates. Thus, attackers can easily exploit their vulnerabilities to take control of the organization’s In response, you need to keep all your applications up to date. Apple regularly issues security patches for the most recent and the previous two editions of its macOS operating systems. The patches come with up-to-date security systems for preventing known threats.
  • Have a good backup plan: The Shlayer Trojan can perform different tasks according to its design. From stealing sensitive information like account names, passwords, banking details, etc. to hacking your overall system, it can do it all. If malicious actors succeed in taking control of your system, then they could ask for a ransom payment in exchange for your data. In such cases, having a backup can save your organization time and money. You should keep a copy of all your data at a particular place to protect yourself if such an attack happens to you.

Conclusion

All organizations in the world remain under the radar of cybercriminals. Apple’s notarization technique has saved macOS users from many scams. Even so, some malware can bypass the notarization process, too. That’s why it’s up to ordinary users to implement additional security practices for staying safe.
About the Author: Jason Parms is a customer service manager at SSL2BUY. He is responsible for administering the customer service division and ensuring the organization provides the maximum level of customer service. He has achieved his target very quickly through diversified SSL security products and incomparable support. Nowadays, SSL2BUY secures thousand of websites and have lots of smiles of happy customers. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!