The developers of the Shlayer Mac malware have managed to get their payloads through Apple's signing process.
Since February 2020, all Mac software distributed outside the Mac App Store must be signed by Apple to run on macOS Catalina or later.
The signing process requires developers to submit the software they create for the macOS platform for scanning by Apple's service, an automated system designed to scan software for both malware and code-signing issues.
If an application passes this automated security check, it is accepted by macOS Gatekeeper, a macOS security feature that checks whether downloaded applications have been checked for malicious content before allowing them to run on the system.
According to Apple, if there is ever a problem with an application, the company immediately stops new installations and is also able to prevent the application from starting.
Apple's signing process failed
Although the company says that signing software for macOS is designed to give users more security, Peter Dantini discovered last week that Apple was deceived by the Shlayer malware.
He found that the Shlayer adware was being distributed through a fake, malicious page and could run on any Mac running macOS Catalina without being automatically blocked.
This is why the adware managed to load its payload on its victims' devices.
So I accidentally found a thing https://t.co/WVL86rYzrm
- Peter H. Dantini (@PokeCaptain) August 31
After Wardle reported the malware samples to Apple, the company reacted immediately and revoked the certificates (meaning the samples will be stopped automatically by Gatekeeper) on the same day, August 28th.
Although some Mac users believe that malware only targets Windows and that Mac devices are secure, Shlayer attacks 10% of all Mac devices, according to a January 2020 Kaspersky report.
Shlayer was first spotted by the Intego research team; it was distributed in February 2018 disguised as a fake Adobe Flash Player installer, like many other malware campaigns targeting the macOS platform.