Apple already fixed the malware disguised as an Adobe Flash player update. The fix came following earlier reports highlighting how the Cupertino-based tech giant accidentally approved one of the most common threats to run on macOS. The malware gets past its most stringent security screening software and is allowed to Mac desktops.
Security Researcher Patrick Wardle said that Apple approved an app with code used by a popular malware dubbed as Shlayer. The said malware is a trojan downloader that proliferates through fake apps and software. It obstinately bombarded users with a stream of adware and was considered by Kaspersky as the most common threat to Macs.
The security researcher revealed that this is the first time Apple accidentally notarized malware after its new notarization process. Last year, the company announced the new notarizing macOS process, which requires every app to be signed by the developer and reviewed by Apple before it could run on macOS. This includes apps distributed outside of the Mac App Store.
Following his discovery of the said malware, Wardle reported it to Apple. The tech giant immediately disabled the developer account linked with the app and revoked its certification. According to an Apple spokesperson, malicious software changes constantly. The new Apple notarization system aids the company in keeping the malware off the Mac.
The spokesperson told Techcrunch that the Apple notarization enables the company to respond quickly when a malware is discovered. Apple assured consumers that it revoked the identified variant, revoked the associated certificates and disabled the developer account when it learned about the adware. But, it looks like the game of cat and mouse is not yet over.
In his blog, Patrick Wardle revealed that it is not yet over. He shared that while Apple already revoked the Developer code-signing certificate on August 28, the adware campaign was still serving up payloads as of August 30. He further revealed that these new payloads are still notarized.
Wardle explained that both the old and the new payloads seem to be almost identical and contain OSX. Shlayer packaged with the Bundle adware. Hackers' ability to continue their attack is noteworthy, according to the security researcher. While it is clearly a cat and mouse game, at present, the attackers are winning, Wardle noted.
On August 31, Apple assured Techcrunch that both the old and new malware already had their notarization revoked. Lapses like this one are not uncommon, but to Apple's credit, it immediately acted and made fixes to resolve the issue.
