The creators of the Shlayer Mac malware managed to get their malicious payloads through Apple's notarization process.
Notarization requires developers to submit the software they build for macOS to Apple's notary service, an automated system that scans the submitted software both for malicious content and for code-signing problems.
Once software passes this automated check, macOS Gatekeeper allows it to run on the system. Gatekeeper is a macOS security feature that checks whether downloaded applications have been screened for known malicious content.
Apple describes the process as follows: "if there is ever a problem with an application, Apple can quickly stop new installations and prevent the application from launching".
Apple's notarization process has failed
Although Apple says its notarization service is designed to give users more confidence that their software is free of malicious content, Peter Dantini found that Apple had been tricked into notarizing Shlayer malware and allowing it to run.
Dantini discovered that Shlayer adware installers were being distributed through a fake, malicious Homebrew website and could run on any Mac running macOS Catalina, since they were not blocked by the notarization check.
This allowed the attackers behind the adware campaign to deliver their payload to systems on which the installers should have been blocked.
Security researcher Patrick Wardle confirmed that these installers were indeed delivering Shlayer adware samples that had passed Apple's notarization, meaning they could also infect users running the latest version of the company's operating system, macOS 11.0 Big Sur.
Because the samples carried Apple's approval, users trusted them without further checks, which let the malware developers spread their payloads to an even larger number of systems and install a more capable adware variant on infected Macs.
Wardle alerted Apple, and the company acted immediately, revoking the notarization tickets (meaning the samples would automatically be blocked by Gatekeeper) on 28 August.
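The Gatekeeper check and the ticket revocation described above can be verified locally on a suspect installer. The script below is an added example, not code from the article or from any of the researchers named; it assumes the macOS `spctl` and `xcrun stapler` tools, while the `gatekeeper_verdict` parser only works on text and can be exercised on any system. The sample output strings in the comments are constructed.

```shell
#!/bin/sh
# Classify Gatekeeper's assessment of a macOS app bundle so a defender can
# tell whether an installer is still notarized after Apple revokes a ticket.

# Reduce `spctl --assess --type execute -vv <app>` output to one verdict token.
# Constructed examples of the shapes spctl -vv prints:
#   /Applications/Foo.app: accepted
#   source=Notarized Developer ID
# or
#   /tmp/Installer.app: rejected
#   source=Unnotarized Developer ID
gatekeeper_verdict() {
  out="$1"
  case "$out" in
    *": accepted"*)
      case "$out" in
        *"source=Notarized"*) echo "accepted-notarized" ;;
        *)                    echo "accepted-not-notarized" ;;
      esac ;;
    *": rejected"*) echo "rejected" ;;
    *)              echo "unknown" ;;
  esac
}

# Run the real assessment for an app bundle path and print path, verdict and
# whether a notarization ticket is stapled to the bundle (tab separated).
assess_app() {
  app="$1"
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl not available (not macOS)" >&2
    return 2
  fi
  out="$(spctl --assess --type execute -vv "$app" 2>&1)"
  verdict="$(gatekeeper_verdict "$out")"
  if xcrun stapler validate "$app" >/dev/null 2>&1; then
    staple="stapled"
  else
    staple="no-staple"   # stapler exited non-zero: no valid ticket attached
  fi
  printf '%s\t%s\t%s\n' "$app" "$verdict" "$staple"
}

# Usage: sh check_gatekeeper.sh /path/to/Suspect.app
if [ "$#" -gt 0 ]; then
  assess_app "$1"
fi
```

A bundle that was "accepted-notarized" before 28 August and reports "rejected" afterwards is one whose ticket Apple has revoked; an "accepted-not-notarized" result on Catalina or later indicates Gatekeeper is being bypassed rather than satisfied.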
However, over the weekend the researcher found that the Shlayer campaign was still active.
"Both the old and the 'new' payload(s) appear to be almost identical and contain OSX.Shlayer combined with Bundlore adware," said Wardle.
"Clearly, in the endless cat-and-mouse game between the attackers and Apple, the attackers are currently winning," he added.
Shlayer macOS malware
According to a Kaspersky report, many Mac users believe that malware only targets Windows, yet Shlayer has attacked over 10% of all Macs.
Last year, Carbon Black's Threat Analysis Unit observed a Shlayer variant that disabled the Gatekeeper protection mechanism in order to execute payloads without going through the notarization check.
Shlayer was first spotted by Intego's research team as part of a malware campaign in February 2018. At that time, the malware posed as an Adobe Flash Player installer.
Newer versions of the malware are still distributed as fake Adobe Flash software update installers, but unlike the originals, which were promoted via torrent sites, Shlayer now spreads through update pop-ups shown to potential victims.
After infecting a Mac, Shlayer installs the mitmdump proxy software and a trusted certificate so that it can inspect and modify HTTPS traffic, which lets it inject ad pages, monitor the victim's browser traffic and introduce malicious scripts into the sites the user visits.
At the moment, Shlayer's developers deliver only adware as a secondary payload, but they could install more dangerous malware samples at any time, such as ransomware or wipers.