Malicious Apps Repeatedly Bypassed Apple App Notarization

Researchers found repeated successful attempts by criminals to bypass Apple’s app notarization – security check for apps outside Mac App Store. At least six malware-containing apps successfully bypassed app notarization in a recent wave.

App Notarization Bypassed

Reportedly, researchers from Intego, a security firm aimed at Apple products, have found at least two waves of malicious apps that bypass Apple’s app notarization process.

Briefly, Apple launched ‘App Notarization’ earlier this year as an additional check for Mac apps outside the Mac App Store. It’s an automated app scan process (not to be confused with App Review) that notarizes safe apps. Such notarized apps then easily pass through the Apple Gatekeeper check before download.

In this way, users can trust the safety of the app given Apple’s notarization.

However, Intego recently found that multiple malicious apps have bypassed app notarization quite easily.

At first, in late August 2020, they disclosed dozens of notarized apps containing malware related to the OSX/Bundlore and OSX/Shlayer families.

Then, recently, they have shared details about another wave of such malicious notarized apps. This time, the Mac apps contained the malware from the OSX/MacOffers (aka MaxOfferDeal) family.

As explained in their post, they found six different apps that initially had a 0% detection rate on VirusTotal. Even later, the apps had a very low detection rate.

These apps employed steganography that potentially helped the apps bypass notarization.

What To Do?

Apple already revoked the Developer ID used for notarizing the malicious apps.

However, researchers fear that bypassing app notarization may continue to be a problem. It’s because the cybercriminals would likely employ different techniques to evade malware detection.

Perhaps, we already witness such bypass attempts in the case of Android as well, where apps easily bypass Play Protect.

Thus, the onus to remain safe eventually falls to the end-users again, especially while downloading apps from third-party sources.

Let us know your thoughts in the comments.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil