Apple accidentally notarized Shlayer malware as part of its security notarization process. The notarized payloads were discovered in a recent macOS adware campaign, disguised as Adobe Flash Player updates.

Apple's notary service is an automated, Apple-hosted system to which developers submit software (macOS apps, kernel extensions, disk images and installer packages); it scans the submission for malicious content, checks for code-signing issues, and, if nothing is found, issues a notarization ticket. When a user later opens the software, Gatekeeper on recent macOS versions checks for that ticket and, if it is missing, warns the user that the software cannot be checked for malicious software before letting them open it.

A website (homebrew[.]sh) was actively hosting an adware campaign. The site is likely spoofing the legitimate Homebrew site (hosted at brew.sh), a free and open-source package manager that simplifies installing software on macOS. When users visited the site, it redirected several times before telling them that their Adobe Flash Player was out of date and recommending an update (via at least three separate pop-ups in the browser).
While the campaign looks like a fairly run-of-the-mill adware attack, what sets it apart is that, because the payloads are notarized, Gatekeeper does not show the usual warning that the developer cannot be verified and that the software cannot be checked for malicious software. The malicious installer opens just like a legitimately notarized app.
The notarized payloads appear to be OSX.Shlayer malware. Shlayer is one of the most common threats to Macs.
Apple quickly revoked the Developer ID code-signing certificate(s) used to sign the malicious payloads. This occurred on Friday, Aug. 28.
Interestingly, as of Sunday, Aug. 30, the adware campaign was still live and serving new payloads, and these new payloads are notarized as well. Mac users are therefore still not safe from the Shlayer Trojan.
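A practitioner who has pulled one of these "Flash Player" payloads will want to see exactly what Gatekeeper sees: whether the artifact carries a notarization ticket, whether it is merely Developer ID signed, or whether its certificate has since been revoked. The script below is an added example, not code from the original article; it wraps macOS `spctl --assess` and classifies its verbose output. The `classify_assessment` function is pure text processing so it can be exercised anywhere; the `spctl` output samples embedded in it are constructed for illustration, and the exact strings matched (`source=Notarized Developer ID`, `source=Unnotarized Developer ID`, `source=no usable signature`, `CSSMERR_TP_CERT_REVOKED`) are the forms seen on macOS 10.15 and are assumptions about the output format rather than a documented contract.

```shell
#!/bin/sh
# Added example (not from the original post): triage a downloaded macOS
# artifact the way Gatekeeper does, by assessing it with spctl(8) and
# classifying the result as notarized / signed-but-not-notarized /
# unsigned / revoked.

# classify_assessment <spctl verbose output>
# Pure text function: maps the output of
#   spctl --assess --verbose=4 --type <execute|install> <path>
# to one token on stdout. Pattern order matters because
# "source=Developer ID" is a substring of "source=Notarized Developer ID".
# The matched strings are assumptions about spctl's output format.
classify_assessment() {
  out="$1"
  case "$out" in
    *": accepted"*)
      case "$out" in
        *"source=Notarized Developer ID"*) echo "notarized" ;;
        *"source=Developer ID"*)           echo "signed-not-notarized" ;;
        *)                                 echo "accepted-other" ;;
      esac ;;
    *": rejected"*)
      case "$out" in
        *"CSSMERR_TP_CERT_REVOKED"*)         echo "revoked" ;;
        *"source=Unnotarized Developer ID"*) echo "signed-not-notarized" ;;
        *"source=no usable signature"*)      echo "unsigned" ;;
        *)                                   echo "rejected-other" ;;
      esac ;;
    *) echo "unknown" ;;
  esac
}

# assess_artifact <path>
# Runs spctl on a real file (macOS only). Installer packages and disk
# images are assessed with --type install, everything else as execute.
# spctl reports on stderr, so both streams are captured.
assess_artifact() {
  path="$1"
  case "$path" in
    *.pkg|*.dmg) type=install ;;
    *)           type=execute ;;
  esac
  out=$(spctl --assess --verbose=4 --type "$type" "$path" 2>&1 || true)
  classify_assessment "$out"
}

# Constructed sample outputs (not captured from a real system) so the
# classifier can be demonstrated without spctl.
SAMPLE_NOTARIZED='/tmp/FlashPlayerUpdate.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Example Dev (ABCDE12345)'

SAMPLE_UNNOTARIZED='/tmp/FlashPlayer.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Dev (ABCDE12345)'

SAMPLE_REVOKED='/tmp/FlashPlayer.app: rejected (CSSMERR_TP_CERT_REVOKED)
source=Developer ID
origin=Developer ID Application: Example Dev (ABCDE12345)'

SAMPLE_UNSIGNED='/tmp/Installer.app: rejected
source=no usable signature'

# demo: classify each constructed sample; also assess a real path if one
# is given on the command line and spctl is available.
demo() {
  for s in "$SAMPLE_NOTARIZED" "$SAMPLE_UNNOTARIZED" \
           "$SAMPLE_REVOKED" "$SAMPLE_UNSIGNED"; do
    printf '%s -> %s\n' "$(printf '%s' "$s" | head -n 1)" \
                        "$(classify_assessment "$s")"
  done
  if [ -n "$1" ] && command -v spctl >/dev/null 2>&1; then
    printf '%s -> %s\n' "$1" "$(assess_artifact "$1")"
  fi
}

demo "$1"
```

Two caveats when reading the result. A "notarized" verdict means only that Apple's scanner found no known malware at submission time, which is precisely what failed here; it is not a clean bill of health. And "revoked" depends on Gatekeeper being able to reach Apple's revocation infrastructure, so an offline machine may still report a freshly revoked payload as notarized.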