Apple’s XProtect is completely failing to detect the latest AdLoad campaign. The claim comes from SentinelLabs, which goes on to say: “Some of these samples have been known to have also been blessed by Apple’s notarization service.” The Apple notary service is supposed to protect Mac users from malicious and harmful apps, but here it is saying some AdLoad samples are safe and trusted. It is a major fail for Apple, which has not responded to emails asking about this issue.
In a blog post, Phil Stokes, Author, SentinelLabs, said: “In late 2019, SentinelLabs described how AdLoad was continuing to adapt and evade detection, and this year we have seen another iteration that continues to impact Mac users who rely solely on Apple’s built-in security control XProtect for malware detection.”
This reliance on just XProtect is common among Mac users. The belief that Macs are not subject to the same virus problems as Windows continues to persist. It means that many are leaving themselves open to attacks rather than adding anti-virus protection to their computers.
What is AdLoad?
Stokes describes AdLoad as: “an aggressive adware infection that installs a Man-in-The-Middle web proxy to redirect user’s web traffic through the attacker’s own preferred servers. The aim is to hijack and redirect user’s web browsers for monetary gain.”
AdLoad uses a variety of names and techniques to avoid detection, although it is not always successful. Stokes says that the versions reported to Apple in 2019 are now detected and blocked by XProtect. XProtect has 11 signatures that detect the previous version of AdLoad.
However, the AdLoad 2021 campaign shows a different approach. The files use the filename extensions .system and .service. Those files are added to the Library LaunchAgents folder, which means they are loaded when the machine boots. To date, Stokes says that SentinelLabs has detected 50 unique items using the .system and .service extensions.
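A defender can turn the indicator above (launch items in a LaunchAgents folder whose name or target executable carries the .system or .service extension) into a simple audit. The script below is an added example written for this article; it is not code from SentinelLabs, Apple or Enterprise Times. It assumes only the standard launchd plist keys (Program, ProgramArguments) and builds a constructed LaunchAgents folder with made-up plist names so it runs on any machine, not just a Mac; the default macOS folders are also scanned if they exist.

```python
"""Audit LaunchAgents folders for launch items matching the AdLoad naming
pattern (.system / .service) described in the SentinelLabs write-up.
Added example, not vendor code. Heuristic only: the extension pairing is the
indicator the article names; the plist keys are standard launchd keys."""
import os
import plistlib
import tempfile

SUSPECT_EXTS = (".system", ".service")

# Default macOS LaunchAgents folders; callers may pass their own list.
DEFAULT_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
]


def program_paths(plist):
    """Return every executable path a launchd plist would run."""
    paths = []
    prog = plist.get("Program")
    if isinstance(prog, str):
        paths.append(prog)
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths


def suspicious_entries(dirs):
    """Return (plist_path, reason) pairs for launch items worth a closer look."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    plist = plistlib.load(fh)
            except Exception as exc:  # a malformed plist is itself notable
                findings.append((path, f"unparseable plist: {exc}"))
                continue
            stem = name[: -len(".plist")]
            if stem.endswith(SUSPECT_EXTS):
                findings.append((path, f"plist name ends in {os.path.splitext(stem)[1]}"))
            for p in program_paths(plist):
                if p.endswith(SUSPECT_EXTS):
                    findings.append((path, f"runs {p}"))
    return findings


def build_sample_dir():
    """Create a temporary LaunchAgents folder with constructed plists.
    The labels and paths are invented for the demo, not real AdLoad samples."""
    d = tempfile.mkdtemp(prefix="launchagents_demo_")
    items = {
        # benign-looking item: normal app updater, should not be flagged
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
            "RunAtLoad": True,
        },
        # constructed: plist name and target both use .service
        "com.constructed.abc.service.plist": {
            "Label": "com.constructed.abc.service",
            "ProgramArguments": ["/Users/Shared/abc/abc.service"],
            "RunAtLoad": True,
        },
        # constructed: ordinary plist name, but the target ends in .system
        "com.constructed.xyz.plist": {
            "Label": "com.constructed.xyz",
            "Program": "/Users/Shared/xyz.system",
            "RunAtLoad": True,
        },
    }
    for name, content in items.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(content, fh)
    return d


if __name__ == "__main__":
    demo = build_sample_dir()
    for path, reason in suspicious_entries([demo] + DEFAULT_DIRS):
        print(f"{path}: {reason}")
```

Any hit is a lead, not a verdict: a legitimate vendor could in principle use such an extension, so the next step is to check the target binary's code signature and origin before removing the launch item.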
When looking at the number of samples of AdLoad reported to VirusTotal, Stokes says 220 samples were reported. However, some of these are duplicates, and SentinelOne has refined it down to 150 unique samples. SentinelLabs also used research documented by analysts at Confiant to confirm that Apple is notarizing samples.
Enterprise Times: What does this mean?
This is a serious embarrassment for Apple and shows just how hard it is for the company to secure macOS. These samples have been in circulation for 10 months now, and during that time, Apple has issued several updates to macOS. For example, since January 2021, there have been nine updates to macOS Big Sur, the latest on Aug 11, 2021. None of those has resolved the issue of XProtect failing to detect AdLoad.
Mac owners will be asking, how long before Apple solves this or buys a company that can? There are plenty of endpoint security vendors out there, although not all run on macOS. Even for those that do, they can be very resource-hungry, which is something that Apple will need to address.
Of more concern is Stokes’ closing statement: “As we indicated at the beginning of this post, this is only one campaign related to AdLoad that we are currently tracking. Further publications related to these campaigns are in progress.”