
Shlayer Malware Briefly Allowed by Apple to Run On Mac OS

For the longest time, Macs appeared impervious to malware. That myth has been thoroughly busted in recent years: cybercriminals are always looking for new ways to make money, and sometimes they succeed. Recently, a version of one of the most notorious Mac threats caught the eye of college student Peter Dantini, who stumbled upon a fully notarized build of Shlayer. He landed on a page by accident and was then redirected repeatedly to a fake Adobe Flash update prompt. Knowing something was off, Mr. Dantini deliberately downloaded the "update" to see what would happen. macOS displayed the usual Gatekeeper warning for an app downloaded from the internet. What was surprising was that it did not block the program from running. After confirming that the Shlayer payload was notarized, Mr. Dantini notified macOS security researcher Patrick Wardle.

Apple revoked the notarization on August 28, after Mr. Wardle brought the incident to its attention. Once revoked, macOS would refuse to launch the payload, whether it had already been downloaded or was fetched afterwards. However, two days later, Mr. Wardle found that the adware campaign was still going strong: the operators had simply had a new Shlayer payload notarized under a different Apple Developer ID.

The Shlayer trojan has been around since early 2018. In that relatively short time it has become one of the most common ways of spreading adware on macOS. Posing as an Adobe Flash Player update is nothing new, and the notarization requirement should have prevented Shlayer from running at all.

Apple began enforcing its notarization requirement in February 2020. The purpose of notarization is to keep malicious apps off Macs: if an app distributed outside the Mac App Store is not notarized, Gatekeeper stops it from running (although there are ways around this). Notarization is a separate, much lighter process than the App Store's App Review. It is an automated scan that checks the submitted software for known malicious content and verifies the integrity of its Developer ID code signature; it is not a human review and, as this case shows, a clean automated scan is not a guarantee that the app is benign.
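To see how a responder can check what Gatekeeper thinks of a downloaded bundle and pull out the Developer ID it was signed under (the pivot that matters in this story, since the operators simply re-notarized under a new one), here is an added shell example. It is not code from the article or from Apple; it wraps Apple's own `spctl` and `codesign` tools and parses their output. The sample outputs embedded below are constructed to match the format those tools print, so the parsing functions can be exercised on any host; the path and Team ID in them are placeholders.

```shell
#!/bin/sh
# Added example: Gatekeeper triage of a downloaded .app bundle.
# assess_app/signing_team_id call Apple's spctl and codesign (macOS only);
# classify_verdict and extract_team_id only parse their output, so they can
# run anywhere on the constructed samples at the bottom.

# Ask Gatekeeper to assess the bundle with the same policy it applies at
# launch (--type execute). -vv prints the "source=" and "origin=" lines.
assess_app() {
    spctl --assess --type execute -vv "$1" 2>&1
}

# Team ID straight from the code signature (independent of notarization).
signing_team_id() {
    codesign -dvv "$1" 2>&1 | sed -n 's/^TeamIdentifier=//p'
}

# Classify spctl output:
#   rejected  - Gatekeeper would block the launch
#   notarized - accepted, with an Apple notarization ticket
#   signed    - accepted on Developer ID alone (no ticket)
#   unknown   - anything else
# "rejected" is matched first so "Unnotarized Developer ID" on a rejected
# bundle is never mistaken for the notarized case.
classify_verdict() {
    case "$1" in
        *": rejected"*)              echo rejected ;;
        *"Notarized Developer ID"*)  echo notarized ;;
        *": accepted"*)              echo signed ;;
        *)                           echo unknown ;;
    esac
}

# Pull the 10-character Team ID out of spctl's "origin=" line, e.g.
# origin=Developer ID Application: Example Corp (ABCDE12345)
extract_team_id() {
    printf '%s\n' "$1" | sed -n 's/^origin=.*(\([A-Z0-9]\{10\}\))$/\1/p'
}

# Constructed sample outputs (placeholder path and Team ID) in the format
# spctl -vv prints; used only for the offline demonstration below.
SAMPLE_NOTARIZED='/Users/me/Downloads/FlashUpdate.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_REJECTED='/Users/me/Downloads/FlashUpdate.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

# Live mode: pass a bundle path on macOS. Otherwise demonstrate on the samples.
if [ -n "${1:-}" ]; then
    out=$(assess_app "$1")
    printf '%s\n' "$out"
    printf 'verdict=%s team_id=%s codesign_team=%s\n' \
        "$(classify_verdict "$out")" "$(extract_team_id "$out")" \
        "$(signing_team_id "$1")"
else
    for s in "$SAMPLE_NOTARIZED" "$SAMPLE_REJECTED"; do
        printf 'verdict=%s team_id=%s\n' \
            "$(classify_verdict "$s")" "$(extract_team_id "$s")"
    done
fi
```

A "notarized" verdict only tells you Apple's automated scan did not flag the binary when it was submitted, which is exactly what happened here; the Team ID is the more useful artifact, since it lets you block or hunt for every other payload signed under the same Developer ID, and notice when a campaign rotates to a new one.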
