Apple Notarized Commonly-Used MacOS Malware

Lily Hay Newman, Wired:

College student Peter Dantini discovered the notarized version of Shlayer while navigating to the homepage of the popular open source Mac development tool Homebrew. Dantini accidentally typed something slightly different than, the correct URL. The page he landed on redirected a number of times to a fake Adobe Flash update page. Curious about what malware he might find, Dantini downloaded it on purpose. To his surprise, macOS popped up its standard warning about programs downloaded from the internet, but didn’t block him from running the program. When Dantini confirmed that it was notarized, he sent the information on to longtime macOS security researcher Patrick Wardle.

“I had been expecting that if someone were to abuse the notarization system it would be something more sophisticated or complex,” says Wardle, principal security researcher at the Mac management firm Jamf. “But in a way I’m not surprised that it was adware that did it first. Adware developers are very innovative and constantly evolving, because they stand to lose a ton of money if they can’t get around new defenses. And notarization is a death knell for a lot of these standard ad campaigns, because even if the users are tricked into clicking and trying to run the software, macOS will block it now.”

The good news is that Apple was able to revoke the app’s notarization the same day this was reported, so any copies in the wild have now been rendered inoperable.

The bad news is that this is evidence that notarization is not as sufficient a prophylactic as I had hoped. It is unclear that notarization offers improvements for disabling malicious software over Apple’s existing mechanisms.

Perhaps it is the case that the notarization process really is restricting the spread of malware and helping ensure the safety of Mac users. But, as this process is entirely opaque and it failed to recognize a common type of malicious software, it seems like an extraneous step.