Just Because macOS Lets You Install an App Doesn’t Mean It’s Not Malware.
As long as macOS lets you install an app, it must be safe, right? That is the promise of Apple’s Gatekeeper and notary service, which Apple began enforcing in macOS Catalina (the stricter notarization requirements took effect in February 2020). In theory, every application you install on your Mac has been “checked by Apple for malicious components.” But you would be wrong to assume that an application Gatekeeper waves through is actually secure.
As a recent post by Patrick Wardle of Objective-See describes, a new Mac attack abuses Apple’s notarization to deliver payloads that Gatekeeper accepts, spreading a particularly widespread and troublesome piece of malware: OSX.Shlayer.
“On Friday, Twitter user Peter Dantini (@PokeCaptain) noticed that homebrew.sh (not to be confused with the legitimate Homebrew website brew.sh) was running an active adware campaign. If a user accidentally visits homebrew.sh, after various redirects they are strongly urged to update “Adobe Flash Player”.
[…] Interestingly, Peter noticed that the adware payloads (from the homebrew.sh campaign) were fully notarized!?”
It is unclear how these programs obtained notarization from Apple, but users unwary enough to run them saw no warning about their content. Notarization is an automated malware scan, not a manual security review, so a notarized app is simply one that Apple’s scanner did not flag at the time, nothing more. Once launched, these installers dropped OSX.Shlayer onto the system, one of the most prevalent malware families on macOS right now.
How the malware works is painfully simple. As this Kaspersky blog post describes:
“It’s worth noting that, from a technical point of view, there is nothing special about Shlayer. Its main executable is a Bash script with just four lines of code. All it does is decrypt and run another file it carries with it, which in turn downloads, decrypts and executes another file that does the same. In the end, this nesting doll of malicious programs installs several adware programs, hides them well and registers them to run at startup.”
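The layout Kaspersky describes, a bundle whose main executable is a shell script rather than a Mach-O binary, and whose only job is to decrypt and run a second file it carries with it, is something you can check for without relying on Gatekeeper’s verdict at all. The script below is an added triage example, not code from the article, from Kaspersky or from Objective-See. It reads an .app bundle’s Info.plist, resolves the main executable, classifies it by its first bytes, and scores a script executable against a handful of dropper indicators. The two bundles it builds (a dropper-style one and a benign one), the indicator names and the 2-indicator threshold are constructed for the demo; the dropper script is a stand-in for the structure described above, not a real sample.

```python
"""Triage an .app bundle for the Shlayer-style dropper layout described above.

Added example: bundle contents, indicator names and threshold are constructed
for the demo and are not taken from any real sample.
"""
import os
import plistlib
import re
import tempfile

# Mach-O and universal-binary magic numbers, both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat / universal
}

# Things a four-line dropper must do: decrypt or decode a blob it carries,
# locate that blob relative to itself, make the result executable and run it.
INDICATORS = {
    "openssl-decrypt": re.compile(rb"\bopenssl\s+enc\b[^\n]*\s-d\b"),
    "base64-decode": re.compile(rb"\bbase64\s+(-D|-d|--decode)\b"),
    "chmod-exec": re.compile(rb"\bchmod\s+(\+x|[0-7]{3,4})\b"),
    "sibling-file": re.compile(rb'\$\(dirname\s+"?\$0"?\)|\$\{0%/\*\}'),
    "run-tmp": re.compile(rb"(^|[\s;&|])/tmp/\S+", re.M),
}


def main_executable(bundle: str) -> str:
    """Resolve Contents/MacOS/<CFBundleExecutable> from the bundle's Info.plist."""
    with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    return os.path.join(bundle, "Contents", "MacOS", info["CFBundleExecutable"])


def executable_kind(data: bytes) -> str:
    """Classify by magic: a real app's main executable is Mach-O, not a script."""
    if data[:4] in MACHO_MAGICS:
        return "mach-o"
    if data.startswith(b"#!"):
        return "script"
    return "other"


def triage(bundle: str) -> dict:
    """Return the executable's kind, matched indicators and a verdict."""
    exe = main_executable(bundle)
    with open(exe, "rb") as f:
        data = f.read()
    kind = executable_kind(data)
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    # A script main executable that decodes and runs something is the pattern
    # described in the text; two independent indicators keep false positives low.
    verdict = "suspicious" if kind == "script" and len(hits) >= 2 else "clean"
    return {"executable": os.path.basename(exe), "kind": kind,
            "indicators": hits, "verdict": verdict}


def make_sample_bundle(root: str, dropper: bool) -> str:
    """Write a constructed .app bundle for the demo (not a real sample)."""
    bundle = os.path.join(root, "Dropper.app" if dropper else "Benign.app")
    macos = os.path.join(bundle, "Contents", "MacOS")
    resources = os.path.join(bundle, "Contents", "Resources")
    os.makedirs(macos)
    os.makedirs(resources)
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": "Installer",
                       "CFBundleIdentifier": "com.example.demo"}, f)
    exe = os.path.join(macos, "Installer")
    if dropper:
        # Constructed stand-in for "decrypt and run another file it carries with it".
        script = (
            b"#!/bin/bash\n"
            b'cd "$(dirname "$0")/../Resources"\n'
            b"openssl enc -aes-256-cbc -d -in ./payload.enc -out /tmp/.stage -pass pass:CONSTRUCTED\n"
            b"chmod +x /tmp/.stage && /tmp/.stage\n"
        )
        with open(exe, "wb") as f:
            f.write(script)
        with open(os.path.join(resources, "payload.enc"), "wb") as f:
            f.write(b"\x00" * 64)  # placeholder blob, never decrypted here
    else:
        with open(exe, "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # 64-bit Mach-O header stub
    return bundle


def demo() -> dict:
    """Build both constructed bundles in a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as root:
        return {
            "dropper": triage(make_sample_bundle(root, dropper=True)),
            "benign": triage(make_sample_bundle(root, dropper=False)),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result['verdict']} ({result['kind']}, {result['indicators']})")
```

On a real Mac, `spctl --assess --verbose=4 --type execute Some.app` and `codesign -dv --verbose=4 Some.app` tell you only what Gatekeeper and the signature say; the check above asks a different question, namely whether the bundle is shaped like the dropper Kaspersky describes, which notarization does not answer.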
If you think you are infected because your Mac is behaving strangely (you get odd pop-ups, search results point to strange sites, or new and unusual applications you never installed and do not want keep appearing), you may well be infected with good old OSX.Shlayer (or who knows what else). Grab something like the free version of Malwarebytes, run it, and clean up your system.
To avoid this kind of nonsense in the future, step up your vigilance when navigating the web. Never download anything with the words “Adobe”, “Flash” and “Player” in it, especially when you are being urged to “update” that application. Likewise, do not install any video player or codec at a website’s request unless you went looking for it yourself. Finding and downloading VLC because you wanted a good player is fine. Mindlessly hitting Accept or Download because a website told you to is not.
Do not install unfamiliar applications. Do not run unfamiliar files. Do not open unfamiliar .DMG files. Do not let unknown programs install themselves as Safari extensions, push you into granting them Accessibility permissions, or do anything else on your Mac that is out of the ordinary. Apple’s Gatekeeper may lag a little behind, but the best gatekeeper for keeping your Mac free of junk is your brain.