Security researchers say they found malware disguised as an Adobe Flash installer and containing code notarized by Apple, which means it could run on Mac.
Introduced in macOS Catalina, Apple’s notarization process scans software submitted by developers for malicious content and approves it before it is distributed. All developers who wish to release Mac software must submit their application to Apple; if Apple approves it, the software is notarized. If a Mac user tries to open software that is not notarized, macOS blocks it and notifies the user.
Researchers Peter Dantini and Patrick Wardle were able to confirm that Apple had approved code used by the OSX.Shlayer malware, which was said to be the most common threat to Macs in 2019.
On Friday, Mr. Dantini noticed that the Homebrew software website was hosting an active ad campaign. If a user visited Homebrew.sh, they were taken to a page stating that Adobe Flash Player was out of date, with a link to download an installer. Such malware is usually not notarized and therefore cannot be executed, but this installer contained code notarized under a Developer ID belonging to a Darien Watkins.
Once installed, OSX.Shlayer permanently installs other types of macOS adware. The researchers warned Apple, which quickly revoked the notarization certificates on Friday, August 28. But as of Sunday the ad campaign was running again, with its payload notarized under a new Developer ID (Aimee Shorter).
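For a defender, the practical lesson from the notarization description above and from the Developer ID swap reported in this paragraph is that "notarized" is not the same as "trusted": Gatekeeper's verdict should be read together with the signing identity, and known-bad identities should be blocked explicitly. The script below is an added example, not code from the researchers or from Apple. It parses the text that `spctl --assess --type execute -vv` prints on macOS (the `accepted`/`rejected` verdict, the `source=` line and the `origin=Developer ID Application: Name (TEAMID)` line), checks that the verdict is both accepted and notarized, extracts the signer name, and compares it against a block-list seeded with the two Developer ID names the article reports. The sample outputs are constructed (the signer "Example Dev" and team ID "ABCDE12345" are placeholders) so the parsing can be exercised on any system; only `assess_path` actually invokes `spctl` and therefore only works on a Mac.

```shell
#!/bin/sh
# Added example: interpret Gatekeeper/notarization assessment output and
# flag known-bad Developer ID signers. Not part of the original article.

# Constructed sample of `spctl --assess --type execute -vv` output for a
# notarized installer (placeholder signer name and team ID).
SAMPLE_NOTARIZED='/Users/me/Downloads/Install.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Dev (ABCDE12345)'

# Constructed sample for an unsigned installer that Gatekeeper rejects.
SAMPLE_REJECTED='/Users/me/Downloads/Install.app: rejected
source=no usable signature'

# Developer ID names the article reports as used to notarize Shlayer.
# Extend this list from your own incident data.
BLOCKED_SIGNERS='Darien Watkins
Aimee Shorter'

# is_notarized TEXT -> exit 0 only if the verdict is "accepted" AND the
# source line says the code is notarized (a plain "Developer ID" source
# means signed but not notarized).
is_notarized() {
  printf '%s\n' "$1" | grep -q ': accepted$' &&
  printf '%s\n' "$1" | grep -q '^source=Notarized Developer ID$'
}

# signer_name TEXT -> prints the name between "Developer ID Application: "
# and the "(TEAMID)" suffix; prints nothing if there is no origin line.
signer_name() {
  printf '%s\n' "$1" |
    sed -n 's/^origin=Developer ID Application: \(.*\) ([A-Z0-9]*)$/\1/p'
}

# signer_blocked NAME -> exit 0 if NAME is on the block-list (exact match).
signer_blocked() {
  printf '%s\n' "$BLOCKED_SIGNERS" | grep -qxF -- "$1"
}

# verdict TEXT -> prints one of: BLOCKED_SIGNER, NOTARIZED, NOT_NOTARIZED.
# A notarized bundle from a blocked signer is still reported as blocked,
# which is the point: notarization alone is not a trust decision.
verdict() {
  name=$(signer_name "$1")
  if [ -n "$name" ] && signer_blocked "$name"; then
    echo BLOCKED_SIGNER
  elif is_notarized "$1"; then
    echo NOTARIZED
  else
    echo NOT_NOTARIZED
  fi
}

# assess_path PATH -> runs the real Gatekeeper assessment (macOS only) and
# prints the verdict plus the signer name for the analyst's log.
assess_path() {
  out=$(spctl --assess --type execute -vv "$1" 2>&1)
  printf '%s signer=%s\n' "$(verdict "$out")" "$(signer_name "$out")"
}

# Usage on a Mac: assess_path ~/Downloads/Install.app
```

Because the article notes that revoking one certificate only moved the campaign to a fresh Developer ID within days, the useful long-term signal is the behaviour (a "Flash Player is out of date" page serving an installer) rather than any single signer; the block-list here is a stopgap for the identities already known, and the `NOT_NOTARIZED` path is where an unsigned or revoked installer lands after Apple pulls a ticket.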