I foretold that Mac app notarization is security theater

Jeff Johnson (My apps, PayPal.Me, Mastodon)

December 22 2025

This morning 9to5Mac reported, MacSync Stealer variant finds a way to bypass Apple malware protections, based on an investigation by Jamf.

Attackers use a Swift app which has been signed and notarized and does not in itself contain any malware. However, the app then retrieves an encoded script from a remote server, which is then executed to install the malware.

I hate to say I told you so but…who am I kidding, I love to say I told you so. In 2019 I wrote a prescient blog post, The true and false security benefits of Mac app notarization, in which I foretold such an attack, suggesting that notarization is security theater.

Apple's notarization service scans for malware, but malware authors don't need to submit malware to Apple! They can submit a perfectly innocent app for notarization, get the app notarized, and then flip a switch on their own server to download a malware software update when the victim opens the "innocent" notarized app. The downloaded malware update doesn't need to be notarized, because Gatekeeper only evaluates files carrying the com.apple.quarantine extended attribute, and that attribute is written by the downloading application, not by the system on every network write: the app's own updater can simply never set it, or strip it after download, thus bypassing Gatekeeper. Apple cannot detect this at notarization time, because the malware update won't be made available for download until after Apple notarizes the original app.
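The mechanism described above, as an added example (not code from the post or from the MacSync analysis): Gatekeeper keys on the com.apple.quarantine extended attribute, whose value is a semicolon-separated record of flags, a hex Unix timestamp, the agent that wrote it, and an optional event UUID. The script parses that attribute, reads it from a real file on macOS, and audits a constructed set of files for the gap the post describes: the loader app that Safari quarantined gets assessed, the payload the loader fetched itself never does. The file paths, attribute values and the `Innocent.app` name are invented for illustration.

```python
"""Added example: why a self-downloaded payload skips Gatekeeper.

Gatekeeper (and with it the notarization check) runs only on files that carry
the com.apple.quarantine xattr. Quarantine-aware apps such as Safari write it;
a plain URLSession/curl download from an app's own code does not.
"""
from __future__ import annotations

import errno
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"
# errno for "attribute absent" differs: ENOATTR (93) on macOS, ENODATA on Linux.
_ABSENT = {getattr(errno, "ENOATTR", 93), errno.ENODATA, errno.ENOTSUP}


@dataclass(frozen=True)
class QuarantineInfo:
    flags: int                  # first field, a hex bitfield
    downloaded_at: datetime     # second field, hex Unix time
    agent: str                  # third field, name of the app that wrote it
    event_uuid: Optional[str]   # fourth field, key into LaunchServices' event db


def parse_quarantine(raw: bytes | str) -> QuarantineInfo:
    """Parse 'flags;hex-unix-time;agent[;uuid]' into a QuarantineInfo."""
    text = raw.decode("utf-8", "replace") if isinstance(raw, bytes) else raw
    fields = text.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"malformed quarantine attribute: {text!r}")
    flags = int(fields[0], 16)
    stamp = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    uuid = fields[3] if len(fields) > 3 and fields[3] else None
    return QuarantineInfo(flags, stamp, fields[2], uuid)


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Read the real xattr (macOS). None means Gatekeeper will never look."""
    try:
        return parse_quarantine(os.getxattr(path, QUARANTINE_XATTR))
    except OSError as exc:
        if exc.errno in _ABSENT:
            return None
        raise


def gatekeeper_will_assess(info: Optional[QuarantineInfo]) -> bool:
    """Gatekeeper assessment (signature + notarization) is gated on the xattr."""
    return info is not None


def audit(files: dict[str, Optional[str]]) -> dict[str, str]:
    """Map each path to an explanation of whether Gatekeeper checks it.

    `files` maps path -> raw attribute value, or None when the xattr is absent
    (what read_quarantine returns for an app's own download).
    """
    report: dict[str, str] = {}
    for path, raw in files.items():
        info = parse_quarantine(raw) if raw else None
        if gatekeeper_will_assess(info):
            report[path] = (f"assessed: quarantined by {info.agent} at "
                            f"{info.downloaded_at.isoformat()}")
        else:
            report[path] = "unquarantined: Gatekeeper and notarization skipped"
    return report


# Constructed scenario (hypothetical paths and values, not from the report):
# the notarized loader arrived via Safari; its second stage did not.
SAMPLE_FILES: dict[str, Optional[str]] = {
    "/Applications/Innocent.app":
        "0083;69488a00;Safari;0B3A1D3E-7A6E-4F2C-9C1F-000000000001",
    "/Users/victim/Library/Application Support/Innocent/update.sh": None,
}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_FILES).items():
        print(f"{path}\n    {verdict}")
```

On a real Mac, `read_quarantine` on a file the loader wrote returns None, which is the whole bypass: `spctl --assess` would reject an unnotarized payload, but nothing asks it to when the attribute is missing.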

As I argued in a follow-up post, there are no actual security benefits to Mac app notarization. Many of the Mac malware “protections” that Apple has added over the years are merely punishments for Mac users and honest Mac developers, making their computing life more miserable while leaving gaping holes for malware to sneak through. (See my own Apple Security Credits, as a Mac developer, not a professional security researcher, and those are just issues that Apple fixed, not all of the issues I discovered.) Earlier this month 9to5Mac also reported, Apple security bounties slashed as Mac malware grows, a tacit admission by Apple of this hopeless situation.
