Apple requires all developers to submit their macOS applications to its “notary” service to be checked for malicious code and code-signing issues, even for applications distributed outside of the App Store. If an app passes the automated checks, it is approved to run, and users will not see a warning when attempting to open it. Peter Dantini recently discovered that the Shlayer malware, posing as an Adobe Flash update, was able to pass Apple’s automated process.
According to the blog post by Patrick Wardle, a website mimicking the official brew.sh site was hosting an adware campaign. Visitors would be redirected and asked to install a Flash update; normally, opening the installer file would have warned the user that the app was not notarized. Unfortunately, because Shlayer had passed Apple’s notary process, unsuspecting victims did not see this warning prompt. Thankfully, Patrick quickly reported that the malware had gained Apple’s trust, and the certificate used to sign it was revoked.