Once the darling of the Internet, Adobe (formerly Macromedia) Flash has long since fallen from grace and has even been banned in many corners of the Web for its security vulnerabilities. That, however, hasn’t really stopped some users from trying to install it, for one reason or another, nor has it stopped malware writers from taking advantage of that. Unfortunately for Apple, the latter group was able to pull a fast one, and it unknowingly notarized malware disguised as an Adobe Flash installer not once but twice.
Notarization is Apple’s relatively new system for macOS to ensure that even third-party apps downloaded outside of the Mac App Store are secure and safe to run. It practically requires developers to submit their apps for a less strict security review before the macOS Gatekeeper system can allow them to run. Unfortunately, given the less rigorous security check, it seems that it’s possible to get some malware-laden code approved right from under Apple’s nose.
That was the situation that security researchers Peter Dantini and Patrick Wardle brought to Apple’s and the public’s attention. An Adobe Flash installer carrying the popular Shlayer malware was apparently approved by Apple’s notarization process, potentially infecting unwitting Mac users since 2019. Apple did acknowledge the lapse and revoked the app’s certification but, unfortunately, that was not the end of it.
The authors of this malicious Flash installer were able to return to the App Store, again with a malware payload that was, again, notarized by Apple. The app has once again been removed but, considering how these apps are using popular malware strains, it’s surprising it got past Apple twice.
To its credit, Apple was quick to make fixes, but only after the matter had been brought to its attention. Lapses like these aren’t exactly uncommon, especially if you look at the Google Play Store, but this one does tarnish the reputation of Apple’s new notarization system. Then again, Apple could spin it as proof of why users and developers should only use the Mac App Store anyway.