Security researchers find Mac malware accidentally notarized by Apple

Security researchers say they’ve found the first Mac malware inadvertently notarized by Apple, reports TechCrunch.

According to Apple, notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by the company for malicious components. The Apple notary service is an automated system that scans software for malicious content, checks for code-signing issues, and returns the results to developers. If there are no issues, the notary service generates a ticket for the developer to staple to the software.

However, Peter Dantini working with Mac security researcher found a malware campaign disguised as an Adobe Flash installer. These campaigns are common and have been around for years — even though Flash is rarely used these days — and most run un-notarized code, which Macs block immediately when opened, notes TechCrunch.

However, Dantini and Wardle found that one malicious Flash installer had code notarized by Apple and would run on Macs. Apple revoked the notarized payloads after Wardle reached out, preventing the malware from running on Macs in the future.

In a statement, a spokesperson for Apple told TechCrunch: “Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allow us to respond quickly when it’s discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”

However, Wardle said that the attackers were back soon after with a new, notarized payload, able to circumvent the Mac’s security yet again.