Since the launch of macOS Catalina last year, Apple has tightened the processes governing which applications are allowed to open on a Mac, in order to improve the security of the operating system.
Now, however, Techcrunch reports that Apple has accidentally approved Mac software that contains Shlayer, malware that replaces web pages and search results with its own adverts.
And there’s an extra embarrassing detail: the malicious code was hidden in a file disguised as an installer for Adobe Flash, a technology Apple has been opposed to since the launch of the iPhone 13 years ago and which is about to be phased out completely.
Apple’s newly introduced ‘notarisation’ process is mandatory for all app developers. Before publishing an app, the developer must have it checked for malware by Apple via a web service. If the software passes the test, it receives a small file that identifies it as tested and harmless. A user can then install it immediately without any warning messages from the gatekeeper.
As the security researcher Patrick Wardle reports, this system has obviously been outwitted. On a website called homebrew.sh, visitors were asked to install an Adobe Flash Player, which actually installs adware – a widespread malware attack of the OSX.Shlayer type. Instead of the Flash player, the malware installs a Safari extension that displays targeted advertisements.
Wardle let Apple know about the issue, and the company responded quickly by invalidating the developer’s ID. From this point on the malware was rendered harmless: the user would see a malware warning when opening the faulty installer.
As Wardle learned shortly after his article was published, however, the malware reappeared shortly afterwards, with a new signature from another developer and a newly assigned notarisation. Apparently, the authors immediately re-notarised the malware – and Apple waved the adware through again. As Apple noted when asked by Tech Crunch, this adware was also immediately invalidated.
There have been other concerns about app notarisation. One security researcher has claimed that unencrypted logs are sent to Apple’s servers during notarisation, and that these logs contain identifying data, although another researcher promptly disputed some elements of this analysis. The company responded to the claim by offering reassurances that users’ Apple ID and device identity will never be transmitted, and to tighten up some aspects of the notarisation process.
For general advice on keeping your machine safe from malware and other dangers, read our Mac security tips.
Adobe will end support for Adobe Flash on 31 December 2020, which should mean fewer cases of malware being disguised as the Flash Player.
This article originally appeared on Macworld Sweden. Translation by David Price.