{"id":92237,"date":"2020-08-31T23:06:34","date_gmt":"2020-09-01T06:06:34","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=92237"},"modified":"2024-05-16T12:54:15","modified_gmt":"2024-05-16T19:54:15","slug":"apple-notarizes-dozens-of-mac-malware-samples","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/apple-notarizes-dozens-of-mac-malware-samples\/","title":{"rendered":"Apple notarizes dozens of Mac malware samples"},"content":{"rendered":"

\"\"<\/p>\n

From mid-to-late August, Apple has inadvertently enabled dozens of malware samples to run more easily on Macs.<\/p>\n

The malware samples are related to the OSX\/Bundlore<\/strong> and OSX\/Shlayer<\/strong> families. Intego VirusBarrier customers are protected from these threats.<\/p>\n

Let’s explore what happened, and why it’s important to not rely entirely on Apple’s attempts to protect Mac users from malware.<\/p>\n

What is notarization?<\/h3>\n

In 2019 Apple debuted a software notarization<\/a> process. A developer submits their app to the Apple notary service, and Apple runs automated scans to check for malicious content. If the software appears to be clean and legitimate, Apple will notarize it.<\/p>\n

After Apple notarizes an app, it’s much easier for users to run the app on macOS Mojave, macOS Catalina, and future versions including macOS Big Sur.<\/p>\n

\"Screenshot

Notarized apps, like this malware, are blessed with an Open button when double-clicked for the first time. Image: Wardle<\/a><\/p><\/div>\n

Notably, notarization is not as comprehensive as the App Review<\/a> process that Apple employs before accepting apps into its App Stores. App Review employs both automated and manual human reviews of software to ensure compliance with Apple’s policies.<\/p>\n

Why did Apple notarize malware?<\/h3>\n

Presumably, Apple’s automated notarization process failed to correctly determine that the malware submissions were malicious.<\/p>\n

At least three different Apple Developer IDs were used to code-sign more than 40 unique malware samples associated with this campaign.<\/p>\n

How was the malware distributed?<\/h3>\n

The malware distributors registered the domain homebrew[.]sh, hoping to ensnare victims looking for Homebrew, legitimate Mac software which has its actual homepage at brew.sh. (This is known as a typosquatting attack.)<\/p>\n

Instead of reaching the Homebrew homepage, victims were taken to a page with a fake Adobe Flash Player updater\u2014a Trojan horse that installs adware. Mac users should avoid downloading or installing anything that claims to be Flash Player.<\/p>\n

See also:<\/em><\/p>\n

Adobe Flash Player is dead, yet 10% of Macs are infected with fake Flash malware<\/a><\/p><\/blockquote>\n