Apple Mistakenly Approved a Widely Used Malware To Run on Macs (techcrunch.com)
Apple has some of the strictest rules to prevent malicious software from landing in its app store, even if on occasion a bad app slips through the net. But last year Apple took its toughest approach yet by requiring developers to submit their apps for security checks in order to run on millions of Macs unhindered. From a report: The process, which Apple calls "notarization," scans an app for security issues and malicious content. If approved, the Mac's in-built security screening software, Gatekeeper, allows the app to run. Apps that don't pass the security sniff test are denied, and are blocked from running. But security researchers say they have found the first Mac malware inadvertently notarized by Apple. Peter Dantini, working with Patrick Wardle, a well-known Mac security researcher, found a malware campaign disguised as an Adobe Flash installer. These campaigns are common and have been around for years -- even if Flash is rarely used these days -- and most run unnotarized code, which Macs block immediately when opened. But Dantini and Wardle found that one malicious Flash installer had code notarized by Apple and would run on Macs. Wardle confirmed that Apple had approved code used by the popular Shlayer malware, which security firm Kaspersky said is the "most common threat" that Macs faced in 2019.
How long (Score:1)
Until Apple begins requiring that all software be notarized before it is allowed to run on a Mac at all?
Just wondering as I think both Apple and Apple's customers like the idea of strict vertical integration and banishment of third party app installations. At least, based on what Apple fans on slashdot have been saying, they don't like the idea of it being possible to install applications that Apple hasn't approved.
Re: (Score:3)
I think that's already been the default for several years. However, the end user can choose to circumvent that by right-clicking the app and selecting "open", then confirming on the subsequent pop-up that they wish to continue (the default is to NOT continue).
I believe it requires admin credentials, though, so it's not possible if you can't run as an admin.
Re: (Score:3)
Typing the following in the command line disables signature checking:
sudo spctl --master-disable
Of course, you need admin privileges for that.
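An added example, not part of any comment in this thread: a shell audit that flags a Mac where the `spctl --master-disable` setting mentioned above is in effect and classifies an app's Gatekeeper assessment. The function names are hypothetical and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: Gatekeeper audit helpers. Live calls run only where spctl
# exists (macOS); the sample text below is constructed, not captured output.

# Map the text printed by `spctl --status` to an audit finding.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo "ok" ;;
        *"assessments disabled"*) echo "finding:gatekeeper-disabled" ;;
        *)                        echo "unknown" ;;
    esac
}

# Map the text printed by `spctl --assess --type execute -vv <app>` to a
# trust class. Line 1 is "<path>: <verdict>"; a "source=" line names the origin.
classify_assessment() {
    verdict=$(printf '%s\n' "$1" | sed -n '1s/.*: //p')
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p')
    case "$verdict" in
        accepted*)
            case "$src" in
                "Notarized Developer ID") echo "notarized" ;;
                "Mac App Store")          echo "app-store" ;;
                *)                        echo "accepted-other" ;;
            esac ;;
        rejected*) echo "blocked" ;;
        *)         echo "review" ;;   # anything unexpected goes to a human
    esac
}

# Constructed sample of an accepted, notarized app (placeholder names).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

if command -v spctl >/dev/null 2>&1; then
    echo "gatekeeper: $(gatekeeper_state "$(spctl --status 2>&1)")"
    for app in /Applications/*.app; do
        out=$(spctl --assess --type execute -vv "$app" 2>&1)
        printf '%s\t%s\n' "$(classify_assessment "$out")" "$app"
    done
fi
```

A "notarized" result only reflects the state at the time of the check; as the story shows, a notarization can later be revoked.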
Re: (Score:3, Funny)
Slots? What on earth would you need slots for? Why upgrade when you can just buy a new one?
Re: (Score:1)
audio cards
storage cards
added video cards
other
Audio card? Be courageous! (Score:3)
An audio card? Ah, come on, be courageous and use higher latency, less reliable Bluetooth.
Re: (Score:2)
Thunderbolt. If they even give you that.
Re: (Score:2)
Oh they'll give you Thunderbolt alright — a whole two ports sharing a single bus, as in the 2020 iMac.
Re: How long (Score:1)
Will the ARM Mac Pro even have PCI-e slots? Or will they have Apple slots with cards that are only sold at the Apple Store?
1. We are probably 5 years from that decision. I submit that the Mac Pro will be the last system to convert to Apple Silicon. Partially because of the PCIe slot support requirement.
2. One of the signature uses of Mac Pros is in high-end ProTools installations. Many of these require Avid's custom PCIe HDX audio processing cards. In fact, the 2019 Mac Pro can support more HDX cards (6, IIRC) than any computer. Therefore, it is highly unlikely that Apple would forgo that bragging right, by removing PC
Re: How long (Score:2)
and distributed with Developer ID
But if you install software without a Developer ID, which is only required when distributing through the Mac App Store, then it is still up to the User whether to allow Installation of non-Notarized Applications.
IIRC, Kernel Extensions have to be written to use Apple's new API to work in 10.15. But again, it is the (Admin) User who ultimately decides whether to allow a Non-Notarized Kernel Extension that conforms to the new (hardened) API standard.
Re: How long (Score:2)
> At least, based on what Apple fans on slashdot have been saying, they don't like the idea of it being possible to install applications that Apple hasn't approved
I think that most Apple users want the status quo: Absolute rules for mobile App installation; but a way to bypass notarization restrictions on software on Macs.
No idea who or what missed this malware incursion; but I hope that one false negative in several years does not cause any official action by Apple regarding Application installation, other than a thorough internal review and possible updating of their Notarization procedure.
Apple has been significantly hardening macOS in the past few years, and this
Re: How long (Score:3)
Re: How long (Score:2)
Re: How long (Score:1)
Re: (Score:1)
Linux is the worst of them though, I spent 2 entire weeks trying to re-install windows on my old laptop, it ended up wrecking my entire HDD.
(It also kills flash memory drives, both my old and new laptops were non-working all of a sudden, after I made an install disk which ruined the flash memory too, it landing on like 2gb total capacity)
Why don't ALL lin
Re: (Score:2)
> after I made an install disk which ruined the flash memory too, it landing on like 2gb total capacity
2GB means you formatted it as a DOS / Windows 3.1 drive. Re-format it with a filesystem from the last 10-30 years and you're good.
I'm sorry you don't know how to install Windows. Can't really blame Linux for your lack of Windows knowledge, though.
Re: (Score:1)
And here I thought Apple was (Score:2, Interesting)
Guess not so much when it comes to really taking the measures they should.
Wonder if they will catch the Apple employees that got paid to slide the malware in to the app store. It did not happen by accident.
Re: (Score:3)
Re: (Score:2)
"Apple revoked the notarized payloads after Wardle reached out, preventing the malware from running on Macs in the future."
Apple closed the barn door after the horse got away, which is good of them, I suppose.
Re: And here I thought Apple was (Score:1)
Re: And here I thought Apple was (Score:1)
Re: (Score:2)
False, this was not Apple approved.
Apps on Mac can be of three states. Unsigned, Signed, and Mac App Store. Mac App Store has the 30% and Apple approvals and all that.
Signed means you paid for a developer certificate and signed the app, then had the app signed again by Apple (notarized). These apps do not undergo any approval process - basically it's just an automated check against known malware.
Unsigned apps are just tha
Re: And here I thought Apple was (Score:1)
> the Preeminent gatekeeper of user safety.
> Guess not so much when it comes to really taking the measures they should.
> Wonder if they will catch the Apple employees that got paid to slide the malware in to the app store. It did not happen by accident.
You do realize, of course, that you just accused Apple's Approval Process as being flawed, and then stated that it must have been someone internally with the power to subvert said Process to make this happen?
I think you just called Apple's Approval Process flawless, save for the exceedingly unlikely possibility of a bad actor internal to that Process.
If so, that's a great sign; because you can offset that possibility easily by a few additional checks and sign-offs, rather than an
Re: (Score:2)
Re:And here I thought Apple was (Score:4, Informative)
A) The malware wasn't in the Mac App Store. Users had to find and download it themselves.
B) Saying Apple "approved" the malware is a massive overstatement. Apple merely notarized it as coming from the developer who sent it to them to be notarized. Notarization doesn't involve the same sort of onerous approval process that we hear about with the iOS App Store or the Mac App Store for the simple reason that these apps aren't being distributed in those app stores.
C) One of notarization's primary functions is to establish an accountability chain when something goes awry, as it did here. Because it worked, Apple was able to immediately revoke the developer's credentials, preventing this malware (and any other linked to that developer account) from launching on any Internet-connected Mac.
D) As for your suggestion that this was a malicious act on the part of an Apple employee, see: Hanlon's razor.
Before someone else posts it: Windows 10? (Score:2)
I know. Shame on me.
It's only Finder that cares anyway (Score:2)
You can run anything you like from the terminal command line. I guess they figured if you can use a unix command line you know (better) what you're doing.
"Mistakenly" Yes, very generous (Score:1)
Let's not upset the, uh... oh shit, Apple Cart(el)
That does it (Score:2)
Obviously 30% isn't enough to catch all the malware, it's about time to raise it to 35%.
*Automated* approval process was circumvented (Score:2)
The notarization process is a purely automated process, there are no humans involved in approving or denying requests for notarization. The fact that some malware was able to evade whatever checks Apple has for maliciousness should not be terribly surprising: think of how much other malware has eluded anti-virus scanners, Google Play's app approval tests, and so on.
Apple will update their notarization servers to detect malware like this, but the cat-and-mouse game will continue, as the malware authors will
This is simply to thin out the herd. (Score:1)
A good culling isn't a bad thing every now and then.
They did not miss alternative payment channels... (Score:2)
If Steve Jobs were alive today, someone would be.. (Score:3)
If Steve Jobs were alive today, someone at Apple would be getting kicked in the balls for approving anything that has to do with Flash Player.
https://www.cnn.com/2011/11/09... [cnn.com]
If this App would have had Payment links, it surely would have been scrutinized to the level of Fortnite and kicked out of the App store and had the developer keys revoked.
Apple is falling apart. The MBAs are taking over and the techies are getting shoved into the basement or the roof of the flying saucer.
Note to MBAs, you can only make money until the customers figure out your product is crap. You are losing your shine and headed for the land of Microsoft.
Re: (Score:1)
What is an LEA?
Re: (Score:2)
Steve Jobs needs to return to Apple again. Oh wait... :(