Last year, Apple required all third-party macOS developers to submit their software for notarization. The process scans an app for malicious components and then adds a flag that, when a user tries to open the app, notes that Apple did not find anything. If your software is not notarized, it will not run on macOS Catalina. Everything sounds good, but then Apple accidentally notarized malware disguised as a Flash update program.
Security researcher Patrick Wardle reports that Apple notarized an app that contains malicious code called Shlayer. Shlayer acts as a Trojan and is spread through fake programs to flood users with adware. In this case, the software looks like a Flash updater but then replaces websites (even from encrypted sources) and ads with its own ads.
According to Wardle, Shlayer is the most common form of malware found on macOS, so it's surprising that Apple's scans did not detect this. But as Wardle notes, Shlayer's developers are pretty good at delivering malware in new ways to circumvent Catalina's security.
Wardle reported his findings to Apple, which in turn revoked the notarization and the developer accounts involved. It did not take long for the Shlayer developers to release another payload that once again managed to get notarized. Wardle has already reported that variant to Apple as well, and it has since been blocked. The cat-and-mouse game is likely to continue for a long time to come.