Apple has inadvertently given the thumbs up to six new malware variants, according to researchers at Mac security solutions provider Intego.
Notarization is an approval process through which macOS software is scanned before being delivered to users, to identify possible malicious code before it can do any harm. The process was introduced in macOS 10.15 (Catalina) and results in code that lacks this stamp of trust being automatically blocked.
Application developers have the possibility to submit their software to Apple for scanning purposes and have it automatically notarized if deemed malware-free. Users benefit from this added protection on macOS Mojave, macOS Catalina, and the upcoming macOS Big Sur.
In September, security researchers revealed that malware pertaining to the OSX.Shlayer family was able to trick Apple’s security mechanisms into giving it the necessary approval. Some OSX/Bundlore samples also received notarization.
Now, Intego says that Apple also notarized six variants of the OSX/MacOffers (aka MaxOfferDeal) adware. In early October, the identified disk image (.dmg) files and the first-stage Trojan application had no detection in VirusTotal, although a second-stage malicious payload did trigger 4 of the 60 detection engines in the online file analysis platform.
The malware employs steganography to hide payloads within JPEG image files, and Intego believes this might have helped it bypass Apple’s notarization process.
Cracked software appears to have been used for the distribution of this notarized malware.
By including notarized malware into software that was modified to remove restrictions such as registration requirements, cybercriminals ensure that users won’t be alerted when the malicious code reaches their systems. Furthermore, notarized applications can be opened with a simple double-click.
“Therefore, there’s a significantly higher chance that victims will install Trojan horse malware that has sneaked through Apple’s notarization process undetected,” Intego points out.