Apple Accidentally Approved Malware to Run on MacOS

The ubiquitous Shlayer adware has picked up a new trick, slipping past Cupertino's “notarization” defenses for the first time.
Notarization can help Apple keep security pretty tight, but anything that does sneak past can then spread quickly because it has the company's imprimatur. Photograph: Mairo Cinquetti/NurPhoto/Getty Images

For decades, Mac users had to worry less about malware than their Windows-using counterparts, but over the last few years that's begun to change. In an attempt to crack down on growing threats like adware and ransomware, in February Apple began "notarizing" all macOS applications, a vetting process designed to weed out illegitimate or malicious apps. Even software distributed outside of the Mac App Store now needs notarization, or users won't be able to run it without special workarounds. Seven months later, though, researchers have found an active adware campaign attacking Mac users with the same old payloads—and the malware has been fully notarized by Apple.

The campaign is distributing the ubiquitous "Shlayer" adware, which by some counts has affected as many as one in 10 macOS devices in recent years. The malware exhibits standard adware behavior, like injecting ads into search results. It's not clear how Shlayer slipped past Apple's automated scans and checks to get notarized, especially given that it's virtually identical to past versions. But it's the first known example of malware being notarized for macOS.

College student Peter Dantini discovered the notarized version of Shlayer while navigating to the homepage of the popular open source Mac development tool Homebrew. Dantini accidentally typed something slightly different than brew.sh, the correct URL. The page he landed on redirected a number of times to a fake Adobe Flash update page. Curious about what malware he might find, Dantini downloaded it on purpose. To his surprise, macOS popped up its standard warning about programs downloaded from the internet, but didn't block him from running the program. When Dantini confirmed that it was notarized, he sent the information on to longtime macOS security researcher Patrick Wardle.

"I had been expecting that if someone were to abuse the notarization system it would be something more sophisticated or complex," says Wardle, principal security researcher at the Mac management firm Jamf. "But in a way I’m not surprised that it was adware that did it first. Adware developers are very innovative and constantly evolving, because they stand to lose a ton of money if they can't get around new defenses. And notarization is a death knell for a lot of these standard ad campaigns, because even if the users are tricked into clicking and trying to run the software, macOS will block it now."

Wardle notified Apple about the rogue software on August 28 and the company revoked the Shlayer notarization certificates that same day, neutering the malware anywhere that it was installed and for future downloads. On August 30, though, Wardle noticed that the adware campaign was still active and distributing the same Shlayer downloads. They had simply been notarized using a different Apple Developer ID, just a few hours after the company began working on revoking the original certificates. On August 30, Wardle notified Apple about these new versions.

"Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allow us to respond quickly when it’s discovered," the company said in a statement. "Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe."

Apple also makes a distinction in its notarization materials between its more thorough iOS "App Review" and this check for macOS applications.

"Notarization is not App Review," the company wrote. "The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly."

Before Apple introduced notarization, malware developers simply needed to pay $99 a year for an Apple Developer ID so they could sign their software as legitimate. Any application not downloaded from the Mac App Store would trigger a warning when users tried to run it about making sure programs downloaded from the internet were safe to use, but users could easily click through them. Notarization makes it much more difficult to deploy malware—or at least that's the idea. Wardle says that in his experience submitting his own security tools for review, Apple's initial, automated check only takes a few minutes to issue an approval. Still, bad actors are clearly slipping through.
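A defender can reproduce the check Dantini made, telling a notarized app apart from one that is merely Developer ID signed or unsigned, and recording which Developer ID account it came from so that a re-notarized copy under a new account stands out. This is an added example, not code from the article or from the researchers it quotes; it assumes the output format of Apple's spctl tool and uses constructed sample output so the parsing runs on any machine.

```shell
#!/bin/sh
# Classify Gatekeeper's verdict on a downloaded app from the output of
#   spctl --assess --type execute -vv <path>
# The parser takes the captured text as an argument, so it can be exercised
# with constructed sample output on a machine that has no spctl.
classify_assessment() {
    case "$1" in
        # Notarized apps report this source; check it before the generic "accepted".
        *"source=Notarized Developer ID"*) echo "notarized" ;;
        # Developer ID signed but never submitted to the notary service.
        *": accepted"*)                     echo "signed-not-notarized" ;;
        # Unsigned, tampered, or signed with a revoked certificate.
        *": rejected"*)                     echo "rejected" ;;
        *)                                  echo "unknown" ;;
    esac
}

# Pull the team identifier out of the origin= line so a verdict can be tied
# to a specific Developer ID account (the same payload may reappear under a
# new account after a revocation).
team_id_from_assessment() {
    printf '%s\n' "$1" | sed -n 's/.*origin=.*(\([A-Z0-9]*\)).*/\1/p' | head -n 1
}

# Run the real assessment; only meaningful on macOS, where spctl exists.
assess_app() {
    if command -v spctl >/dev/null 2>&1; then
        _text=$(spctl --assess --type execute -vv "$1" 2>&1)
        printf '%s %s\n' "$(classify_assessment "$_text")" "$(team_id_from_assessment "$_text")"
    else
        echo "unknown"
    fi
}

# Constructed sample outputs, modelled on spctl's format; the app path and
# team identifier are made up, not taken from any real assessment.
SAMPLE_NOTARIZED='/tmp/Installer.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_SIGNED='/tmp/Installer.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_REJECTED='/tmp/Installer.app: rejected
source=no usable signature'

classify_assessment "$SAMPLE_NOTARIZED"   # notarized
classify_assessment "$SAMPLE_SIGNED"      # signed-not-notarized
classify_assessment "$SAMPLE_REJECTED"    # rejected
```

On a Mac, `assess_app /path/To/Downloaded.app` prints the verdict followed by the team identifier; anything other than "notarized" for software the user was told is notarized deserves a closer look.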

"I've been quite certain that malicious apps would slip through the notarization process, so this doesn't surprise me," says Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes. "I'd actually been considering writing an app that would exhibit classic malicious behaviors and trying to get it notarized. Unfortunately, this saves me the trouble. This is the proof I've been waiting for that notarization is not effective."

Reed also notes that he's started seeing Mac malware like adware evolve to get around notarization. One method is to distribute software that is completely unsigned and unapproved by Apple and trick users into installing it by telling them to expect warnings from Apple and then guiding them through the workaround processes.

As with any trust-based system, notarization can help Apple keep security pretty tight, but anything that does sneak past can then spread quickly because it has the company's imprimatur. This is already a problem in both Apple's iOS App Store and Google's Play Store for vetted Android apps. Malicious apps often slip in and then get downloaded by unsuspecting users.

Malware scanners would have still detected the notarized Shlayer installations as malicious, but anyone not running antivirus would be out of luck.

"Anybody’s going to make mistakes detecting malicious software, because it's difficult to do. Overall from a security perspective, I still think notarization is a good step," Wardle says. "But the average user is going to trust Apple—I do, too! So if something says it's notarized, even a security-conscious user is more likely to trust that it's OK."


More Great WIRED Stories