It turned out that Apple had inadvertently approved the Trojan application



Trojan horse malware posing as an Adobe Flash Player update for macOS has been reported. The malware had cleared Apple's notarization process and carried an Apple-approved signature.

Apple Approved Malware-Objective-See's Blog
https://objective-see.com/blog/blog_0x4E.html

Apple accidentally approved malware disguised as Flash, new report finds-The Verge
https://www.theverge.com/2020/8/31/21408991/apple-approves-common-malware-shlayer-macos-adware

According to security researcher Patrick Wardle, Apple approved an app containing code from a well-known malware family called 'Shlayer.' Shlayer is Trojan horse malware that spreads through fake apps and delivers adware to its victims. Security company Kaspersky calls Shlayer 'the most common threat for macOS.'

In December 2019, Apple announced the introduction of its notarization process for all macOS software. Introduced with macOS 10.15 Catalina, the notarization process extends beyond the App Store and requires all software to be submitted to Apple for review and signed by the developer. If a user tries to launch software that has not been notarized, the OS blocks it.
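The check a defender would run to see whether a given binary actually passes the Gatekeeper policy described above is Apple's own `spctl` tool, backed by `codesign` to confirm the signature is still intact (a revoked certificate or a tampered bundle fails there even if the binary was once notarized). The script below is an added example, not code from the article or from Objective-See; it assumes a macOS host for the live check, and the `spctl` output it parses in the test is constructed sample text.

```shell
#!/bin/sh
# Added example (not from the article): assess whether an app bundle or binary
# passes macOS Gatekeeper's notarization check, using Apple's spctl and
# codesign tools. Assumes a macOS host for check_gatekeeper; the parsing
# helper runs anywhere.

# Classify the text output of `spctl --assess -vv` into one word:
#   notarized       - accepted, and the source is a notarized Developer ID
#   accepted-other  - accepted for some other reason (e.g. App Store policy)
#   rejected        - Gatekeeper rejected the item
#   unknown         - output did not match the expected format
classify_spctl_output() {
    out="$1"
    case "$out" in
        *": accepted"*"source=Notarized Developer ID"*) echo notarized ;;
        *": accepted"*)                                echo accepted-other ;;
        *": rejected"*)                                echo rejected ;;
        *)                                             echo unknown ;;
    esac
}

# Live check on a path (macOS only). Returns 0 only when Gatekeeper reports
# the item as notarized AND its code signature verifies cleanly.
# Usage: check_gatekeeper /Applications/Example.app
check_gatekeeper() {
    target="$1"
    # spctl exits non-zero on rejection; capture its output regardless.
    out=$(spctl --assess --type execute -vv "$target" 2>&1) || true
    verdict=$(classify_spctl_output "$out")
    echo "$target: gatekeeper verdict = $verdict"

    # Independently verify the signature: a revoked Developer ID certificate
    # or modified bundle contents make this fail even for a once-notarized app.
    if codesign --verify --deep --strict "$target" 2>/dev/null; then
        sig=valid
    else
        sig=invalid
    fi
    echo "$target: code signature = $sig"

    [ "$verdict" = "notarized" ] && [ "$sig" = "valid" ]
}
```

Both checks are read-only and safe to run on any downloaded installer before it is opened; a verdict other than `notarized` with a `valid` signature is reason to quarantine the file rather than launch it.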



On August 28, 2020, college student Peter Dantini discovered a website hosting an active adware campaign. When he visited the page from his Mac, he was taken through several redirects and then prompted to update Adobe Flash Player.



Of course, following the popup does not install the real Adobe Flash Player but entirely unrelated malware. This malware should have been blocked by macOS, but it was found that it was not blocked because it had been approved by Apple's notarization system. According to Wardle, the fact that the malicious code was approved by the notarization system means it had been submitted to Apple before distribution and was not detected.



When Wardle reported his analysis to Apple, Apple immediately revoked the app's notarization. As a result, as of August 28, this malware can no longer run on macOS.

However, on August 30, 2020, another piece of malware of almost the same type was discovered and was also found to be notarized. The timestamp on the newly discovered malware's signature showed that it had been approved by Apple on the afternoon of August 28, 2020. According to the IT news site TechCrunch, Apple immediately revoked this malware's notarization as well.



'It's worth noting that the attacker can continue to attack swiftly. The attackers and Apple are playing cat-and-mouse, and the attackers are still winning,' he said.

in Software, Security, Posted by log1i_yk