Last year Apple required all third-party macOS developers to submit their software for notarization. The process scans an app for malicious components and then attaches a flag that tells macOS, when a user tries to open the app, that Apple didn’t find anything. If your software isn’t notarized, it won’t run on macOS Catalina. That all sounds good, but then Apple accidentally notarized malware disguised as a Flash Update program.
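Notarization status is something an administrator can check locally: Gatekeeper's own assessment tool, `spctl --assess --verbose=2 --type execute <app>`, prints a verdict line followed by a `source=` line naming the rule that matched. The script below is an added example (not from the article or from Apple) that turns that output into a one-word classification; the three sample outputs are constructed in spctl's format, not captured from any real app, and the app path, team ID and company name are placeholders.

```shell
#!/bin/sh
# Added example: classify an app's Gatekeeper assessment from the text that
# `spctl --assess --verbose=2 --type execute <app>` prints.
# On a Mac, pipe the real tool into it:
#   spctl --assess --verbose=2 --type execute /Applications/Foo.app 2>&1 | classify_assessment

# Reads spctl output on stdin and prints one of:
#   notarized   - accepted, and the matching rule was "Notarized Developer ID"
#   signed-only - accepted through a Developer ID signature without a notarization ticket
#   rejected    - Gatekeeper rejected the binary (unsigned, unnotarized, or revoked)
#   unknown     - no verdict line found
classify_assessment() {
  verdict=""
  source=""
  while IFS= read -r line; do
    case "$line" in
      *": accepted"*) verdict="accepted" ;;
      *": rejected"*) verdict="rejected" ;;
      source=*)       source="${line#source=}" ;;
    esac
  done
  if [ "$verdict" = "rejected" ]; then
    echo "rejected"
  elif [ "$verdict" = "accepted" ] && [ "$source" = "Notarized Developer ID" ]; then
    echo "notarized"
  elif [ "$verdict" = "accepted" ]; then
    echo "signed-only"
  else
    echo "unknown"
  fi
}

# Constructed samples in the shape spctl prints (placeholder path, name and team ID).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

SAMPLE_SIGNED_ONLY='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

SAMPLE_REJECTED='/Applications/Example.app: rejected
source=no usable signature'

# Helper used by the demo and by tests: classify one sample string.
classify_sample() {
  printf '%s\n' "$1" | classify_assessment
}

# Demo run on the constructed samples.
for s in "$SAMPLE_NOTARIZED" "$SAMPLE_SIGNED_ONLY" "$SAMPLE_REJECTED"; do
  echo "$(printf '%s\n' "$s" | head -n 1) -> $(classify_sample "$s")"
done
```

A `notarized` result means only that Apple's scan found nothing in the submitted binary at the time it was submitted; as the story above shows, that is not the same as the app being clean. Once Apple revokes a ticket, the same app assesses as `rejected`, so re-running the check is a cheap way to catch a revocation after the fact.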
Security researcher Patrick Wardle reports that Apple notarized an app that contains malware known as Shlayer. Shlayer works like a trojan and spreads through fake programs to inundate users with adware. In this case, the software looks like a Flash updater but, once installed, replaces websites (even those served over encrypted connections) and their ads with its own ads.
According to Wardle, Shlayer is the most prevalent form of malware found on macOS, so it’s somewhat surprising Apple’s scans didn’t spot this. But as Wardle notes, Shlayer’s developers are quite good at delivering the malware in novel ways to bypass Catalina’s security.
Wardle reported his findings to Apple, which in turn revoked the notarization and the developer accounts involved. It didn’t take long for the Shlayer developers to release another payload that once again managed to achieve notarization. Wardle has already reported that variant to Apple too, and it has since been blocked. The cat-and-mouse game will likely continue for a long time to come.