As long as macOS lets you install an app, it should be safe, right? That’s the point of Apple’s Gatekeeper and notary service, which it began to enforce in macOS Catalina back in February. In theory, it means that any app you install on your Mac should have “been checked by Apple for malicious components.” But you would be wrong in assuming that any app with a Gatekeeper greenlight is actually safe.
As a recent article from Objective-See’s Patrick Wardle describes, there’s a new Mac attack making the rounds that uses Gatekeeper-passing payloads to distribute a particularly popular and problematic piece of malware: OSX.Shlayer.
“On Friday, twitter user Peter Dantini (@PokeCaptain) noticed that the website homebrew.sh (not to be confused with the legitimate Homebrew website brew.sh), was hosting an active adware campaign. If a user inadvertently visited homebrew.sh, after various redirects an update for ‘Adobe Flash Player’ would be aggressively recommended.
[…] Interestingly, Peter noticed the campaign originating from homebrew.sh leveraged adware payloads that were actually fully notarized!”
It’s unclear how these programs were able to receive notarization from Apple, but users foolish enough to attempt to execute them wouldn’t trigger any kind of warning about their contents. And, when run, they would dump OSX.Shlayer onto your system — one of the most popular pieces of malware for macOS right now.
As for how the malware works, it’s painfully simple. As this Kaspersky blog post describes:
“It is worth noting that from the technical point of view, Shlayer is nothing special. Its main executable file is a Bash script that consists of only four lines of code. All that it does is decrypt and run another file that it brings along with it, which in turn downloads, decrypts, and executes another file, which does exactly the same. In the end, this nesting doll of various malware installs several AdWare programs, hides them well and registers them to run at startup.”
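The detail that matters for defenders in that description is structural: the thing in the app bundle's Contents/MacOS directory that macOS launches is a shell script rather than a compiled Mach-O binary, and all it does is decrypt a bundled file and hand control to it. Notarization does not catch that on its own, but a local check can. The script below is an added example written for this post (not code from Lifehacker, Objective-See, Kaspersky, or Apple): it reads an app bundle's Info.plist, finds the main executable, classifies it by its leading bytes, and, if it is a script, flags the behaviours the Kaspersky excerpt mentions (decrypting a bundled file, making it executable, fetching more code, registering a login item). The two sample bundles it builds in a temporary directory are constructed lookalikes, the `PLACEHOLDER` passphrase and `../Resources/blob` path included; the indicator list and the "suspicious/native/review" verdicts are this example's own heuristics, not Apple's.

```python
import os
import plistlib
import re
import tempfile

# Mach-O and fat-binary magic numbers, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # fat / universal
}

# Behaviours worth flagging when an app's main executable is a script. Each is a
# heuristic chosen for this example, not proof of malice on its own.
INDICATORS = {
    "decrypts_bundled_file": re.compile(r"\bopenssl\s+enc\b[^\n]*\s-d\b"),
    "decodes_base64": re.compile(r"\bbase64\b[^\n]*(\s-[dD]\b|--decode)"),
    "makes_file_executable": re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b"),
    "downloads_more_code": re.compile(r"\b(curl|wget)\b"),
    "evals_generated_code": re.compile(r"\beval\b"),
    "persists_at_login": re.compile(r"\blaunchctl\b|LaunchAgents"),
}


def classify_executable(header: bytes) -> str:
    """Classify a file by its leading bytes: native Mach-O, script, or unknown."""
    if header[:4] in MACHO_MAGICS:
        return "mach-o"
    if header.startswith(b"#!"):
        return "script"
    return "unknown"


def script_indicators(text: str) -> list:
    """Return the names of every INDICATORS pattern that matches the script text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def main_executable_path(bundle: str) -> str:
    """Resolve Contents/MacOS/<CFBundleExecutable> from the bundle's Info.plist."""
    with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    return os.path.join(bundle, "Contents", "MacOS", info["CFBundleExecutable"])


def assess_bundle(bundle: str) -> dict:
    """Inspect a .app bundle and report what its main executable actually is.

    'native' only means the launcher is a compiled binary, not that it is safe;
    'review' means a script (or unrecognised file) with no flagged behaviour.
    """
    exe = main_executable_path(bundle)
    with open(exe, "rb") as fh:
        data = fh.read()
    kind = classify_executable(data[:4])
    hits = script_indicators(data.decode("utf-8", "replace")) if kind == "script" else []
    if kind == "script" and hits:
        verdict = "suspicious"
    elif kind == "mach-o":
        verdict = "native"
    else:
        verdict = "review"
    return {"executable": exe, "kind": kind, "indicators": hits, "verdict": verdict}


def write_bundle(root: str, name: str, exe_name: str, exe_bytes: bytes) -> str:
    """Create a minimal .app skeleton on disk (constructed sample, not a real app)."""
    bundle = os.path.join(root, name + ".app")
    macos = os.path.join(bundle, "Contents", "MacOS")
    os.makedirs(macos)
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": exe_name,
                       "CFBundleIdentifier": "example." + name}, fh)
    with open(os.path.join(macos, exe_name), "wb") as fh:
        fh.write(exe_bytes)
    return bundle


def build_sample_bundles() -> tuple:
    """Two constructed samples: a script-launcher lookalike and a native-binary lookalike."""
    root = tempfile.mkdtemp(prefix="bundle_check_")
    # Constructed stand-in for the "decrypt a bundled file and run it" launcher
    # pattern; the path and passphrase are placeholders.
    launcher_script = (
        b"#!/bin/sh\n"
        b"cd \"$(dirname \"$0\")\"\n"
        b"openssl enc -aes-256-cbc -d -in ../Resources/blob -out /tmp/stage2 -pass pass:PLACEHOLDER\n"
        b"chmod +x /tmp/stage2 && /tmp/stage2\n"
    )
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # 64-bit magic plus padding
    return (
        write_bundle(root, "FlashPlayerUpdate", "Installer", launcher_script),
        write_bundle(root, "RealApp", "RealApp", fake_macho),
    )


if __name__ == "__main__":
    for sample in build_sample_bundles():
        print(assess_bundle(sample))
```

Run it on a real bundle with `assess_bundle("/Applications/Something.app")`; on the constructed samples the script-launcher lookalike comes back `suspicious` with `decrypts_bundled_file` and `makes_file_executable` flagged, and the native lookalike comes back `native`. The check is deliberately narrow: a compiled launcher can still be malicious, and a script launcher with no flagged behaviour still deserves a look, which is why those cases get `review` rather than a clean bill of health.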
If you think you’re infected because your Mac is acting strangely — you’re getting weird pop-ups, your search results are pointing to bizarre sites, or you’re being prompted to install a number of new and odd apps that you don’t want — it’s possible that you’re infected with good ol’ OSX.Shlayer (or who knows what else). Grab something like the free version of Malwarebytes, run it, and clean up your system.
And to avoid bullshit like this in the future, reenergize your vigilance for navigating the online world. You should never, ever download anything that has the words “Adobe,” “Flash,” and “Player” in it, especially if you’re being cajoled to “update” said app. You also shouldn’t install any video players or codecs when prompted by a website unless you initiated it. As in, it’s OK to go find and download VLC because you needed a great player and went out to find one. It’s not OK to mindlessly click “accept,” “download,” or anything like that when a website wants you to.
Don’t install apps you don’t recognise. Don’t execute files you don’t recognise. Don’t extract .DMG files you don’t recognise. Don’t let unknown programs install themselves as Safari extensions, sucker you into giving them new “accessibility” permissions, or do anything else on your Mac that doesn’t feel like something you usually do. Apple’s Gatekeeper could use a little tightening, but the best gatekeeper that can keep crap off your Mac is your brain.