Threat Watch

Apple Accidentally Approves, Later Revokes Shlayer Malware

Since macOS 10.15 Catalina, Apple has required developers who distribute software outside the Mac App Store to submit it to its notarization service, which scans the code for malicious content and code signing problems. Software that passes the automated checks is notarized, and Gatekeeper opens it without the warning users would otherwise see. Peter Dantini recently discovered Shlayer malware, posing as an Adobe Flash Player update, that had passed Apple’s automated process and been notarized.

According to Patrick Wardle’s blog post, a website mimicking the official Homebrew site was hosting an adware campaign. Visitors were redirected and prompted to install a Flash update; normally, opening such an installer would trigger a warning that the application was not notarized. Because the Shlayer payloads had passed Apple’s notarization process, unsuspecting victims saw no such warning. Thankfully, Wardle quickly reported the notarized malware to Apple, and the certificate used to sign it was revoked.

ANALYST NOTES

Although Apple attempts to maintain tight control over its ecosystem, mistakes can always happen. Notarization means only that Apple’s automated scan found nothing malicious at submission time; it is not a guarantee that software is safe. Always be cautious of software installed from unofficial sources. Sometimes, as in the case of Homebrew, third-party sources earn the community’s trust. Homebrew is a popular third-party package manager for macOS that lets users install software not found in the App Store, or that would otherwise take manual effort to set up. This campaign targeted users of that package manager through the lookalike domain homebrew[.]sh. A domain that uses the software’s real name, with no typo to give it away, could fool many people who do not realize that the official site is brew.sh.
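The check a practitioner can run before opening a downloaded app is to ask Gatekeeper directly. The script below is an added example, not part of this Threat Watch item or of Objective-See’s work: it wraps spctl’s assessment and codesign’s signer details in a small verdict function. The sample spctl and codesign output, the application paths, “Example Corp” and the Team ID ABCDE12345 are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Threat Watch item or of Objective-See's work:
# a pre-install check that asks Gatekeeper (via spctl) whether an app bundle
# is notarized and reads the signer's Team ID out of codesign output.
# The sample outputs below are constructed for illustration; paths, names
# and the Team ID "ABCDE12345" are hypothetical.

# classify_spctl: read `spctl --assess` output from stdin and print one word:
#   notarized       accepted, with source=Notarized Developer ID
#   accepted-other  accepted under some other policy source (e.g. Mac App Store)
#   rejected        Gatekeeper would block it (unnotarized, unsigned, revoked...)
#   unknown         output did not contain either verdict
classify_spctl() {
    out=$(cat)
    case "$out" in
        *": accepted"*"source=Notarized Developer ID"*) echo notarized ;;
        *": accepted"*)                                 echo accepted-other ;;
        *": rejected"*)                                 echo rejected ;;
        *)                                              echo unknown ;;
    esac
}

# team_id: read `codesign -dvv` output from stdin and print the TeamIdentifier
# value (the Developer ID account that signed the code).
team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# check_app: run both tools against a real bundle and print a one-line verdict.
# spctl and codesign write their details to stderr, hence the 2>&1.
# Returns success only when Gatekeeper reports the bundle as notarized.
check_app() {
    app=$1
    verdict=$(spctl --assess --type execute -vv "$app" 2>&1 | classify_spctl)
    team=$(codesign -dvv "$app" 2>&1 | team_id)
    printf '%s: %s (TeamIdentifier=%s)\n' "$app" "$verdict" "${team:-none}"
    [ "$verdict" = notarized ]
}

# Constructed sample output, in the shape spctl and codesign produce, so the
# parsing can be exercised on a machine without the real tools.
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_REJECTED='/Volumes/FlashPlayer/Install.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Usage: ./check_notarized.sh /path/to/Some.app
if [ "$#" -gt 0 ]; then
    check_app "$1"
fi
```

Note what this does and does not tell you: before Apple revoked the certificate, the notarized Shlayer installer would have come back as “notarized” from this very check, because the check reports Gatekeeper’s verdict, not whether the code is benign. After revocation the same bundle is rejected. The Team ID is the useful extra signal: it names the developer account that signed the code, which is what Apple revokes and what you can compare against the vendor you expected.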

Sources:
https://twitter.com/PokeCaptain/status/1300440938301607939
https://objective-see.com/blog/blog_0x4E.html