Malware authors have slipped malicious apps through Apple’s app notarization process for the second time this year, and the second time in the past six weeks.
App notarization is a security protection that Apple introduced with macOS Mojave in 2018 and began enforcing for newly distributed Developer ID software on macOS Catalina in early 2020.
It requires developers who distribute Mac apps outside the App Store to submit them to Apple for a series of automated checks: the app must be signed with a valid Developer ID certificate and built with the hardened runtime, and it is scanned for known malware and other malicious code patterns.
Apps that pass are “notarized”: Apple issues a ticket tied to the app’s code signature, which the developer can staple to the app and which the Gatekeeper security service can also look up from Apple when the app is first opened.
When Gatekeeper finds a valid ticket it lets the app open after the usual “downloaded from the internet” dialog, which now notes that Apple checked it for malicious software; software without a ticket is blocked outright unless the user deliberately overrides Gatekeeper.
Notarization has been mandatory for Developer ID software distributed for Apple’s newest macOS releases, Catalina and Big Sur.
The notarization process has been warmly received by both app users and developers, as it removed some of the friction of installing apps on macOS.
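For a practitioner the question is usually “is the thing I just downloaded actually notarized, and by whom?” The script below is an added example, not code from the article, Apple or Intego: it parses the verdict that Gatekeeper’s own assessment tool, `spctl --assess -vv --type execute`, prints for an app bundle, and extracts the Team ID of the signing Developer ID so it can be compared with the vendor’s known one. The `SAMPLE_*` strings are constructed stand-ins for `spctl` output (the Team ID `ABCDE12345` and the app paths are made up) so the parser runs on any POSIX shell; `check_app` is the wrapper you would call on a real Mac.

```shell
#!/bin/sh
# Added example (not from the article or from Apple/Intego): classify a Mac
# app's Gatekeeper/notarization verdict and extract the signer's Team ID.
#
# On macOS the verdict comes from:
#     spctl --assess -vv --type execute /path/To/App.app
# spctl prints its result on stderr, in the form
#     /path/To/App.app: accepted
#     source=Notarized Developer ID
#     origin=Developer ID Application: Vendor Name (TEAMID1234)
# The SAMPLE_* strings below are constructed stand-ins for that output.

# Classify the verdict text. Only "notarized" means Apple's automated scan
# passed this exact signed bundle; as the article shows, it does not mean
# the app is benign.
classify_spctl_output() {
    case "$1" in
        *": accepted"*)
            case "$1" in
                *"source=Notarized Developer ID"*) echo notarized ;;
                *"source=Mac App Store"*)          echo app-store ;;
                *)                                 echo accepted-other ;;
            esac ;;
        *": rejected"*)
            case "$1" in
                *"source=Unnotarized Developer ID"*) echo rejected-unnotarized ;;
                *"source=no usable signature"*)      echo rejected-unsigned ;;
                *)                                   echo rejected-other ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Pull the 10-character Team ID out of the "origin=" line; prints nothing
# when the verdict carries no Developer ID origin (e.g. unsigned apps).
team_id_from_spctl_output() {
    printf '%s\n' "$1" | sed -n 's/^origin=.*(\([A-Z0-9]\{10\}\))$/\1/p'
}

# Wrapper for a real Mac: run spctl, classify, and (a hypothetical local
# policy) fail for anything that is neither notarized nor from the App Store.
check_app() {
    verdict=$(spctl --assess -vv --type execute "$1" 2>&1)
    status=$(classify_spctl_output "$verdict")
    echo "$1: $status (team $(team_id_from_spctl_output "$verdict"))"
    case "$status" in notarized|app-store) return 0 ;; *) return 1 ;; esac
}

# Constructed sample verdicts (illustrative; ABCDE12345 is a made-up Team ID).
SAMPLE_NOTARIZED='/Users/me/Downloads/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_UNNOTARIZED='/Users/me/Downloads/Legacy.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_UNSIGNED='/Users/me/Downloads/Dropped.app: rejected
source=no usable signature'

# Offline demonstration on the constructed samples.
for sample in "$SAMPLE_NOTARIZED" "$SAMPLE_UNNOTARIZED" "$SAMPLE_UNSIGNED"; do
    echo "$(classify_spctl_output "$sample") team=$(team_id_from_spctl_output "$sample")"
done
```

`spctl` writes its verbose verdict to stderr, hence the `2>&1` in `check_app`. `xcrun stapler validate App.app` additionally tells you whether a ticket is stapled to the bundle; an un-stapled but notarized app still passes as long as Gatekeeper can reach Apple’s ticket service. A matching Team ID is the useful extra signal here: a “Flash installer” signed by a Developer ID that is not Adobe’s is exactly the pattern described later in this article.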
First wave of notarized malware
However, much like Bouncer, the automated security system that scans Android apps before they are published on the Google Play Store, Apple’s app notarization process was never expected to be perfect.
The first malicious apps that managed to pass through the notarization process and be accepted by Gatekeeper on newer versions of macOS were discovered at the end of August [1, 2].
In total, 40 notarized apps were found carrying the Shlayer trojan and the Bundlore adware.
Second wave of notarized malware
But in a report published this week, Joshua Long, Chief Security Analyst for Mac security software maker Intego, said his company discovered six new apps that passed through the notarization process.
The six notarized apps posed as Flash installers, Long told ZDNet today. Once installed, the apps would download and install the OSX/MacOffers adware.
“OSX/MacOffers is best known for modifying the search engine in the victim’s browser,” Long told ZDNet.
Long said the six apps have now been de-notarized.
“Apple revoked the developer certificate while the malware was under investigation, before we had a chance to report it to Apple,” Long told us.
“It’s unclear how Apple became aware of it; perhaps they might have gotten a report from another researcher investigating the malware, or perhaps from a Mac user who encountered it in the wild.”
With Adobe set to retire Flash at the end of the year, Long urged users to stop downloading and installing Flash installers.