SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Shlayer malware proves Apple devices aren't as secure as you think
Wed, 9th Sep 2020
FYI, this story is more than a year old

Apple's notarisation processes, which are supposed to keep Apple software secure, are failing to live up to the company's supposedly robust security standards, as threat actors abuse notarisation and find ways around it.

Security researchers Patrick Wardle and Peter Dantini exposed the flaws. In a blog post, Wardle says that Apple's notarisation processes are part of the company's aim to keep macOS malware out of its systems. He states developers must submit their software to Apple for notarisation before Apple makes them public.

Notarisation is a way to show that Apple has checked the software for malicious software or malware. MacOS then blocks (by default) any software that has not been notarised.

However, one website, which was a site that masqueraded as a site for Linux software Homebrew, got around the notarisation requirements to install a nasty version of the OSX.Shlayer malware, which was packaged to look like an Adobe Flash Player update. Essentially, the malware had Apple's ‘stamp of approval'.

Wardle says this is the first time he has seen malicious code that has taken advantage of Apple's notarisation process.
It is likely that the malicious software was submitted to Apple, notarised by Apple, and allowed to run on macOS. Because it was notarised, people would also be more likely to trust the software – and in turn, more likely to install it without checking first.

Wardle reported the issue to Apple, who then revoked the software's notarisation status.

“Still, the fact that known malware got notarised in the first place, raises many questions,” Wardle says.

Malwarebytes' director of Mac and mobile, Thomas Reed, says that the code could have contained something that broke Apple's detection software. Or Apple had no way to detect the threat in the first place. He also says that the Shlayer malware has been around for at least a couple of years.

“Apple wants you to believe that their systems are safe from malware. Although they no longer run the infamous Macs don't get viruses ads, Apple never talks about malware publicly, and loves to give the impression that its systems are secure. Unfortunately, the opposite has been proven to be the case with great regularity. Macs and iOS devices like iPhones and iPads, for that matte rare not invulnerable, and their built-in security mechanisms cannot protect users completely from infection.

In summary – just because something is an Apple device, it doesn't mean it's safe.

ESET cybersecurity specialist Jake Moore adds that it's a good reminder that Apple devices are not immune to threats.

“The Mac operating system is targeted less often as there is a higher number of Windows users, which can net more revenue for cybercriminals. However, the fact people don't think they are vulnerable means they may not install protection, such as antivirus, thus leaving themselves open to more risk.

“It is important people understand that Apple devices are as vulnerable as other devices and Apple users must stay just as vigilant to threats when clicking on links and downloading attachments.