Malware usually has a hard time on Apple's Macs. Yet the Shlayer malware managed to slip past Apple's security checks, twice.
A measure introduced only recently was supposed to make Macs even safer: since February, even programs from outside the App Store must be assessed as harmless by Apple before macOS will run them without complaint. Shlayer got around this check, twice. For Apple, the slip raises uncomfortable questions.
The idea behind the measure is sound. Most macOS malware today exploits the naivety of users, tricking them into starting the installation themselves; silent drive-by installation in the background plays practically no role on Macs any more. Unlike on the iPhone, however, programs on the Mac can be installed not only from Apple's curated App Store but also from other sources. To protect against infection from those sources, Apple has required all developers, since the beginning of the year, to submit their software for "notarization"; without it, the system can only be persuaded to launch the app through a long detour. That is exactly the protection Shlayer has now undermined: Apple judged the malware to be safe.
The failure was discovered by chance by a student, "Wired" reports. While looking for software he mistyped a web address and landed on a fake page that tried to push a supposed version of Adobe Flash Player. Feeling safe because of Apple's check, he downloaded it anyway and was surprised when macOS let him install it without objection. When he passed the file to security researcher Patrick Wardle, it turned out that Apple had classified the malware as safe and notarized it.
Once the problem was reported last week, Apple reacted quickly and revoked the notarization the same day. That not only blocked new installations; macOS also refused to run the software on systems where it was already present. Two days later, however, Wardle was astonished: when he tried again, he could install the malware once more. Using a new developer account, the malware authors had obtained a fresh notarization and put the program back into circulation. The second account and its notarization have now been blocked as well.
"Malicious software is constantly evolving. Apple's notarization system helps us keep malware off the Mac and respond quickly when it is discovered," the company told Wired. The account was blocked as soon as Apple was informed, the company said, and it thanked the security researcher for his help.
No catastrophe this time
Fortunately, the damage is limited: Shlayer is "adware", a comparatively harmless class of malware. It hijacks web searches, steers users toward its operators' own advertisements and so funnels money into their pockets. By Mac standards Shlayer is very widespread; Kaspersky estimates that it has turned up on one in ten Macs. That figure, however, dates from before notarization was introduced.
Exactly how the program slipped through Apple's check twice is not entirely clear. Unlike submissions to the iOS or Mac App Store, notarized software is not manually inspected for malicious code. "Notarization is not the same as App Review," the company confirmed. Instead, submissions run through automated checks designed to detect malicious behavior in the app, so that developers get a quick answer.
Those checks evidently did not catch Shlayer's harmful behavior. One explanation is that the program is relatively harmless by comparison: unlike aggressive Trojans that steal data, log keystrokes or take control of the computer outright, adware needs only superficial access to the system. "Anyone can make a mistake when detecting malware. It really is hard," says Wardle, showing understanding for Apple's position. "I still believe notarization is a good decision."
Mistakes are inevitable
Wardle says he had long suspected that malware authors would look for a way around Apple's measure. There are already programs in circulation that rely on the inexperience of users and walk them step by step through the procedure for bypassing the check. Not even a more thorough review would help against that, unless Apple were to forbid installation of unnotarized software entirely.
Anyone who wants to be on the safe side still has other options. As on the iPhone, the App Store preinstalled on every Mac contains only programs that Apple has manually and extensively reviewed. Those who do not want to give up software from third-party sources can also install a virus scanner; the scanners were not fooled by the improperly granted notarization and still flagged Shlayer.
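A practitioner who wants to see the notarization status of an app bundle for themselves, rather than trusting the absence of a warning dialog, can ask Gatekeeper directly. The script below is an added example, not code from the article, from Apple or from Wired. It wraps macOS's `spctl --assess` and classifies its verdict; the three sample outputs embedded in it are constructed to match the shape of `spctl`'s output and were not captured from an actual Shlayer sample. The script also illustrates the revocation story above: after Apple revokes a ticket, a bundle that previously came back `accepted` is reported as `rejected` on the next assessment.

```shell
#!/bin/sh
# Added example (not from the article): classify Gatekeeper's verdict on an app bundle.
# On macOS, `spctl --assess --verbose=2 --type execute /path/To.app` prints a verdict
# line ("<path>: accepted" or "<path>: rejected") followed by "source=..." and
# "origin=..." lines. "source=Notarized Developer ID" means Apple has issued a
# notarization ticket for this code; "source=Developer ID" means it is signed but not
# notarized; "rejected" is what a revoked ticket (as in the Shlayer case) produces.

# classify_spctl RAW_OUTPUT -> prints one of:
#   notarized | app-store | signed-only | accepted-other | rejected | unknown
classify_spctl() {
    out="$1"
    case "$out" in
        *": accepted"*)
            # Order matters: "Notarized Developer ID" must be tested before "Developer ID".
            case "$out" in
                *"source=Notarized Developer ID"*) echo "notarized" ;;
                *"source=App Store"*)              echo "app-store" ;;
                *"source=Developer ID"*)           echo "signed-only" ;;
                *)                                 echo "accepted-other" ;;
            esac
            ;;
        *": rejected"*) echo "rejected" ;;
        *)              echo "unknown" ;;
    esac
}

# assess_app PATH -> runs the real Gatekeeper check on macOS; prints "unsupported"
# where spctl does not exist (e.g. Linux), so the script is safe to run anywhere.
assess_app() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "unsupported"
        return 0
    fi
    # spctl exits non-zero on rejection; we want its output regardless of exit status.
    out=$(spctl --assess --verbose=2 --type execute "$1" 2>&1 || true)
    classify_spctl "$out"
}

# Constructed sample outputs shaped like spctl's (hypothetical paths, team ID and
# developer name; not captured from a real Shlayer sample).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_SIGNED_ONLY='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

# What the same notarized bundle looks like once Apple has revoked its ticket.
SAMPLE_REVOKED='/Applications/Installer.app: rejected
origin=Developer ID Application: Example Corp (ABCDE12345)'

# Stand-alone usage: sh check_notarization.sh /Applications/Some.app
# Without an argument, classify the constructed samples instead.
if [ -n "${1:-}" ]; then
    assess_app "$1"
else
    for s in "$SAMPLE_NOTARIZED" "$SAMPLE_SIGNED_ONLY" "$SAMPLE_REVOKED"; do
        printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(classify_spctl "$s")"
    done
fi
```

Two caveats a reader should keep in mind. First, `accepted` plus `source=Notarized Developer ID` only says that Gatekeeper's policy is satisfied and that Apple's automated scan issued a ticket; as the Shlayer case shows, it is not a statement that the code is benign. Second, `spctl` consults Apple's revocation information, so the verdict can change from one day to the next without the file changing at all, which is exactly what Wardle observed between the first revocation and the re-notarized copy.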