Apple defenses bypassed: Shlayered apps accidentally allowed on macOS

Another OSX/Shlayer campaign spotted, and not even Apple's notarization process can stop it

New samples of OSX/Shlayer spotted in the wild: Apple's notarization process bypassed

Apple's approach to security has been known to be among the most strict ones around, as the company takes a variety of measures to prevent malicious software from accessing users' devices. Despite this, Mac malware is growing at the exponential rate: at the begging of 2020, it was uncovered that Mac malware had outpaced threats targeting Windows PCs^[1] – an alarming statistic that could not be ignored by Apple.

In addition to the already existing defenses such as Gatekeeper, the tech giant announced that all the applications not residing in the App Store must overcome the so-called notarization process in order to run on Apple products – by far the most strict rule active since February 2020.^[2]

In order not to be blocked, developers had to upload the application to the notary service – an automated process that flags installer package signing issues, as well as detects malicious components. If this check is bypassed successfully, Gatekeeper will let the apps from third-parties to be run on Macs without any problems. In essence, this step should prevent all the malicious code from being executed on macOS.

Despite all the attempts to prevent malware on Macs, it seems like threat actors manage to be one step ahead, as it turns out that a well known Shlayer Trojan (otherwise known as OSX/Shlayer) has managed to bypass Apple's automated notarization procedure, and apps carrying malicious payloads are now actively being spread in the wild.

Shlayer Trojan developers are not backing down: illegal adware installations are lucrative

OSX/Shlayer is one of the most prolific threats that has been actively infecting users worldwide. Security researchers from Kaspersky discovered in January that the malware is present on 10% of all Macs ^[3]. Despite its primitive nature, it turned out to be widely spread. Upon installation, Shlayer disables particular Gatekeeper functions, installs scareware apps on the compromised machine without permission, intercepts HTTP traffic, and also changes web browser settings to deliver intrusive advertisements.

Malware could be easily stopped by the newly implemented notarization process, and its creators were obviously not happy about that. According to Mac security researchers Patrick Wardle and Peter Dantini, OSX/Shlayer has been actively spreading via the fake Flash Player (update) installers, which managed to bypass the automated process and had code approved by Apple. Wardle said in his blog post that it is the first malicious sample that managed to slip through the notarization without any problems.

Malware samples found on the spoofed brew.sh site as a Fake Adobe Flash installer

The Shlayer campaign was discovered by a college student Peter H. Dantini,^[4] who found it on a “homebrew[.]sh” site – a spoofing site of a “brew.sh,” a popular open-source development tool. Upon entry, users would be lead trough several redirects, landing on an alleged Flash Player update page. The trick is not new, and most experienced users would notice the deception right away – the popup notifies:

“Adobe Flash Player” is out-of-date

The version of this plug-in on your computer doesn't include the latest security updates. Flash cannot be used until you download and update from Adobe.

Update Download Flash

In most cases, such installers would be immediately blocked by Gatekeeper, and users would not even have an option to install the payload, as the only option would be to “Move to Trash.” However, this fake Flash Player. If executed, would install Shlayer and Bundlore adware by abusing shell commands.

The problematic nature of “guaranteed” protection from threats

It is still unknown how Shalyer actors managed to get their malicious payload to be notarized by Apple. While the sample is so far unique, the fact that cybercriminals managed to bypass an automated process that is meant to secure all apps is quite alarming. By promising users that all the apps downloaded from the internet, Apple creates a false sense of security, making users trust all the installers that are allowed on their systems, as Patrick Wardle said:^[5]

Unfortunately a system that promises trust, yet fails to deliver, may ultimately put users at more risk. How so? If Mac users buy into Apple’s claims, they are likely to fully trust any and all notarized software. This is extremely problematic as known malicious software (such as OSX.Shlayer) is already (trivially?) gaining such notarization!

Wardle, who analyzed the malicious campaign, immediately reported findings to Apple, and the certificates for the malicious installers were immediately revoked – the giant acted immediately, the same day that the findings were reported (August 28). Unfortunately, just two days after the certificates were revoked, the researcher noticed that the campaign is still ongoing, and new malicious payloads, notarized by Apple, are being served via the spoofing site. The most alarming issue is that the revoked sample and the one checked a few days later are virtually identical.

It is important to note that users should avoid Flash Player update prompts, as the software is so outdated and flawed that Adobe will discontinue its support by the end of 2020.^[6] Another important lesson to learn from this is that you can never be careful enough when it comes to downloading apps from third parties.