Is App Notarization broken?
Security researchers have discovered a variant of Shlayer malware — an extremely common macOS threat — that appears to have circumvented Apple’s App Notarization process.
In this short article, we’ll tell you what you need to know about the issue, and how to stay safe.
How apps are checked (in theory)
Ever since macOS Catalina, all third-party apps need to be vetted by Apple through a process called App Notarization. Apps are checked for any code-signing issues and analyzed for indications of malicious components. The process is entirely automated, and most developers report that apps successfully submitted to Apple’s notarization service are usually approved in minutes.
Before an app can run on your system, Gatekeeper will check that it has been properly notarized. If it hasn’t been notarized, the app will be blocked on your system: It will simply fail to run, and you’ll receive a notification telling you that the app couldn’t be checked for malicious content, and that you should contact the developer.
App Notarization is a good idea, in principle: It adds a layer of security to third-party apps, and gives users some measure of reassurance that what they’re about to run on their system is what the developer intended, and has been checked for dangerous code by Apple.
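To see what Gatekeeper is actually deciding about a downloaded app, here is a small shell script added as an example (it is not code from the original article, from Apple, or from the researchers mentioned). It assumes the macOS command-line tools spctl, codesign and xattr. Its classify_spctl_output function parses the verdict line ("accepted"/"rejected") and the "source=" line that spctl --assess --verbose prints, so a practitioner can tell a notarized app from a signed-but-unnotarized one or a rejected one; the check_app function runs the real tools on a given bundle. The three sample outputs embedded in it are constructed for offline use, not captured from a real system. One caveat built in: Gatekeeper only assesses items that carry the com.apple.quarantine attribute set by browsers on download, so the script reports whether that attribute is present.

```shell
#!/bin/sh
# Added example (not from the original article): inspect the Gatekeeper
# assessment of an app bundle before launching it. Assumes macOS tools
# (spctl, codesign, xattr); the parsing works offline on sample text.

# Classify the text printed by `spctl --assess --verbose --type exec <app>`.
# Prints one of: notarized, signed-unnotarized, rejected, unknown
classify_spctl_output() {
    out="$1"
    case "$out" in
        *": accepted"*)
            case "$out" in
                *"source=Notarized Developer ID"*) echo notarized ;;
                *"source=Developer ID"*)           echo signed-unnotarized ;;
                *)                                 echo unknown ;;
            esac ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# Gatekeeper assesses items carrying com.apple.quarantine (set on download).
# Returns 0 if the attribute is present on the given path.
has_quarantine_attr() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Run the real checks on a Mac. Usage: check_app /Applications/Example.app
# Returns 0 only when Gatekeeper reports the bundle as notarized.
check_app() {
    app="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; this check only runs on macOS" >&2
        return 2
    fi
    verdict=$(classify_spctl_output "$(spctl --assess --verbose --type exec "$app" 2>&1)")
    echo "gatekeeper: $verdict"
    # Independently verify the code signature (catches tampering after signing).
    if codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "codesign: valid"
    else
        echo "codesign: INVALID or unsigned"
    fi
    # Without the quarantine flag Gatekeeper would not have assessed this item.
    if has_quarantine_attr "$app"; then
        echo "quarantine: present"
    else
        echo "quarantine: absent (Gatekeeper did not assess this item on launch)"
    fi
    [ "$verdict" = notarized ]
}

# Constructed sample outputs (not captured from a real system) for offline use.
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_UNNOTARIZED='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_REJECTED='/Applications/Example.app: rejected
source=no usable signature'

# Only run the live check when a path is supplied; otherwise the functions
# can be sourced and used elsewhere.
if [ -n "${1:-}" ]; then
    check_app "$1"
fi
```

Run it as `sh check_app.sh /Applications/Example.app` on a Mac. A "signed-unnotarized" or "rejected" verdict on a fresh download is the condition the article's first precaution is about; note that once Apple revokes a signing certificate, as it did here, the same app that previously classified as notarized will start coming back as rejected.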
At least, that’s how it’s supposed to work…
What happened in August
At the end of last month, a university student named Peter Dantini accidentally navigated to a malicious website with a very similar URL to the one he was trying to visit. Dantini was soon on the receiving end of a classic Mac malware distribution vector: the fake Adobe Flash Player update. He immediately realized that something was amiss, and downloaded the “update” in order to inspect it further.
It was then that he noticed that macOS wasn’t attempting to block the app from running on his Mac, indicating that it had somehow bypassed the notarization requirement. The eagle-eyed student forwarded his discovery to veteran malware researcher Patrick Wardle, who was able to perform a more detailed analysis.
What Wardle found was shocking, to say the least: the fraudulent website was distributing versions of Shlayer malware that had been fully notarized by Apple! In other words, the malware had been submitted to Apple’s App Notarization process, but the automated service failed to detect the malicious components that it contained. It was released into the world with Apple’s seal of approval — and thus with the ability to run on recent versions of macOS.
When Apple was informed of the issue, the company immediately yanked the Developer certificates that had been used to sign the malicious code prior to notarization, effectively “un-notarizing” the malware. But as Wardle noted in his write-up, it appears that new versions of the malware (perhaps signed with other Developer certificates) were already being distributed on the offending website, and that these were fully notarized by Apple as well.
What it means and how to stay safe
Clearly there is an issue with App Notarization, and it’s a safe bet that Apple’s security teams are working overtime to figure out what it is (and what to do about it).
First, the good news: App Notarization is still effective at stopping bad guys who don’t even bother trying to game the process, and who instead attempt to trick users into executing complex workarounds in order to get unnotarized apps to work.
But unfortunately, the incident calls into question whether or not notarized apps can be considered truly safe, since at the moment no one is sure how this malware was able to make it through the review process in the first place.
Until we know more, all users should take the following precautions:
Never attempt to run apps that aren’t notarized, even if the “developers” send you detailed instructions on how to do it. This is an increasingly common tactic used by bad actors to circumvent the App Notarization requirement and get users to infect their own computers.
Check and double-check the source of any app before you attempt to download it. Only download apps from the official website of the developer (avoid app distribution platforms or third-party download sites for the time being).
Watch for telltale signs of malicious download sites: If you find yourself being redirected from the URL you were attempting to visit to some strange site with pop-ups or an unrelated URL, close your browser and recheck the original web address to make sure you have the right one.
Be vigilant when clicking on links that come in via email, messenger, or SMS. This is one of the most common avenues by which people are directed to malicious download sites. If you’re not sure how to spot bogus links and phishy emails, take this short quiz as a refresher.
Use a reputable malware detection and removal tool on your Mac. A good security app can scan your system for malicious programs, and can help you remove them if you’ve been infected.