Thursday, January 21, 17:09

Hackers trick Apple into approving Shlayer malware apps

The creators of the Mac malware Shlayer managed to get their malicious payloads through Apple's notarization process.


Since February 2020, all Mac software distributed outside the Mac App Store has had to go through Apple's notarization process in order to run on macOS Catalina and later.

Notarization requires developers to submit the macOS software they build to Apple's notary service. The service is an automated system that scans the submitted software for malicious content as well as for code-signing problems.

Applications that pass this automated check are allowed to run by macOS Gatekeeper, the macOS security feature that verifies whether downloaded applications have been checked for known malicious content.

Apple describes the benefit of this process as follows: "if there is ever a problem with an application, Apple can quickly stop new installations and prevent the application from starting".

Apple's notarization process has failed

Although Apple says its notarization service is designed to give users more confidence that software has been checked for malicious content, Peter Dantini found that Apple had been tricked into notarizing Shlayer malware, allowing it to run.

Dantini discovered that Shlayer adware installers were being distributed through a fake, malicious Homebrew website and could run on any Mac running macOS Catalina, because they were not blocked by the notarization check.

This allowed the attackers behind the adware campaign to deliver their payload to systems where the installers should have been blocked.

Security researcher Patrick Wardle confirmed that these installers were delivering Shlayer adware samples that had passed Apple's notarization process, which means they could also infect users running the company's latest version, macOS 11.0 Big Sur.

Since the samples carried Apple's approval, users trusted them without further scrutiny, allowing the malware developers to spread their payloads to an even larger number of systems and install a more capable adware variant on infected Macs.

Wardle alerted Apple, and the company acted immediately, revoking the notarization tickets on 28 August (meaning Gatekeeper will automatically block the payloads).

Shlayer malware

However, over the weekend, the researcher found that the Shlayer campaign was still active.

"Both the old and the "new" payload(s) appear to be almost identical and contain OSX.Shlayer combined with Bundlore adware," said Wardle.

"Clearly, in the endless cat-and-mouse game between the attackers and Apple, the attackers are currently winning," he added.

Shlayer macOS malware

According to a Kaspersky report, many Mac users believe that malware only targets Windows, but Shlayer has attacked over 10% of all Macs.

Last year, Carbon Black's Threat Analysis Unit observed a Shlayer variant that disabled the Gatekeeper protection mechanism in order to execute payloads without going through the notarization process.

Shlayer was first spotted by Intego's research team as part of a malware campaign in February 2018. At that time, the malware posed as an Adobe Flash Player installer.

Newer versions of the malware are also distributed as fake Adobe Flash update installers, but unlike the originals, which were promoted via torrent sites, Shlayer now spreads through fake update pop-ups shown to potential victims.

After infecting a Mac, Shlayer installs the mitmdump proxy software and a trusted certificate so that it can inspect and modify HTTPS traffic, allowing it to inject ad pages, monitor victims' browser traffic and insert malicious scripts into the sites users visit.

This means the malware can inspect and modify all traffic, even encrypted traffic such as online banking transactions and secure e-mail.
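As an added defender-side example (not from the article, Apple or mitmproxy), the script below covers the two mechanisms described here: it classifies Gatekeeper's verdict for an app from the output of `spctl --assess` (the verdict that Apple's revocation of the Shlayer tickets changes), and it scans the System keychain listing from `security find-certificate` for interception-proxy CA labels such as mitmproxy's. The sample outputs embedded in it are constructed, and the `mitmproxy` label is assumed to be the name mitmproxy's default CA is installed under.

```python
import re
import subprocess
import sys

# Constructed sample outputs (not captured from a real machine) so the parsers
# run anywhere; the spctl/security commands themselves exist only on macOS.
SAMPLE_SPCTL_NOTARIZED = """/Applications/Example.app: accepted
source=Notarized Developer ID
"""
SAMPLE_SPCTL_REJECTED = """/Applications/Example.app: rejected
source=Unnotarized Developer ID
"""
SAMPLE_SECURITY = """keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="mitmproxy"
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="Apple Root CA"
"""

def classify_spctl(output: str) -> str:
    """Map `spctl -a -t exec -vv <app>` output to a Gatekeeper verdict. Only
    'accepted' with a 'Notarized' source means Apple vetted the binary; after
    Apple revokes the ticket (as on 28 August) the same app reads 'rejected'."""
    lines = output.strip().splitlines()
    verdict = lines[0] if lines else ""
    src = re.search(r"^source=(.*)$", output, re.M)
    source = src.group(1).strip() if src else ""
    if verdict.endswith(": accepted") and "Notarized" in source:
        return "notarized"
    if verdict.endswith(": accepted"):
        return "accepted-unnotarized"  # e.g. source=Apple System
    return "rejected"

def suspicious_ca_labels(security_output: str, patterns=("mitmproxy",)) -> list:
    """From `security find-certificate -a <keychain>` output, return certificate
    labels that match known interception-proxy CA names (case-insensitive)."""
    labels = re.findall(r'"labl"<blob>="([^"]*)"', security_output)
    return [l for l in labels if any(p in l.lower() for p in patterns)]

if __name__ == "__main__" and sys.platform == "darwin" and len(sys.argv) > 1:
    # spctl writes its report to stderr, so merge both streams first.
    res = subprocess.run(["spctl", "-a", "-t", "exec", "-vv", sys.argv[1]],
                         capture_output=True, text=True)
    print("Gatekeeper verdict:", classify_spctl(res.stdout + res.stderr))
    certs = subprocess.run(["security", "find-certificate", "-a",
                            "/Library/Keychains/System.keychain"],
                           capture_output=True, text=True).stdout
    print("Interception-proxy CA labels:", suspicious_ca_labels(certs))
```

Run it on a Mac as `python3 check.py /Applications/Some.app` to see both verdicts; any unexpected label in the second list is worth investigating, since a trusted proxy CA is what lets Shlayer read HTTPS traffic.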

For now, Shlayer's developers only deliver adware as a secondary payload, but they could install more dangerous malware, such as ransomware or wipers, at any time.

