Notarized Atomic Stealer (AMOS)
After downloading and inspecting the binary, we confirmed that it was indeed both code-signed and notarized — a detail that raised immediate concern given its malicious nature.
[…]
The application itself is named “Gmeet_updater.app,” though there’s little effort to align that branding with the user experience, suggesting a rushed or careless repackaging process.
After confirming that the Developer Team ID was used to distribute malicious payloads, Jamf Threat Labs reported it to Apple. Since then, the associated certificate appears to have been revoked.
[…]
Jamf Threat Labs identified at least three distinct macOS infostealer samples that were successfully signed and notarized using the same Team ID (A2FTSWF4A2) and later distributed in the wild.
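Here is what the check Jamf describes looks like from the command line: pull the Team ID out of `codesign`'s verbose output, compare it against Team IDs already known to have shipped notarized malware, and then ask Gatekeeper whether it still trusts the bundle (which is how you would see the revocation take effect). This is an added example, not Jamf's or Apple's tooling. The only value taken from the write-up is the Team ID; the bundle paths, bundle identifiers, and the sample `codesign` output are constructed to match the format the tool prints and are not from the actual samples.

```shell
#!/bin/sh
# Signing-identity triage for a downloaded .app (added example, not Jamf's code).
# Works from `codesign -dv --verbose=4` output so the parsing can be exercised
# offline; the real tools are only invoked in triage_app on macOS.

# Team IDs to flag. A2FTSWF4A2 is the one the Jamf write-up names; any other
# entries are your own intel (assumption: you maintain this list yourself).
BAD_TEAM_IDS="A2FTSWF4A2"

# Print the TeamIdentifier field from codesign's verbose output, or nothing.
# codesign writes this report to stderr, so callers capture with 2>&1.
team_id_from_codesign() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Exit 0 if the Team ID is on the blocklist, 1 otherwise.
is_bad_team_id() {
    for bad in $BAD_TEAM_IDS; do
        if [ "$1" = "$bad" ]; then
            return 0
        fi
    done
    return 1
}

# Classify a codesign report. Prints one of:
#   unsigned | adhoc | blocklisted:<teamid> | signed:<teamid>
# Note: -d only *displays* the signature; integrity is checked separately
# in triage_app with --verify, so a tampered bundle can still report a Team ID.
classify_signature() {
    out="$1"
    case "$out" in
        *"code object is not signed"*) echo unsigned; return 0 ;;
    esac
    tid=$(team_id_from_codesign "$out")
    # Ad-hoc (no certificate) signatures report "TeamIdentifier=not set".
    if [ -z "$tid" ] || [ "$tid" = "not set" ]; then
        echo adhoc
        return 0
    fi
    if is_bad_team_id "$tid"; then
        echo "blocklisted:$tid"
    else
        echo "signed:$tid"
    fi
}

# macOS only: run the real tools against a bundle path.
triage_app() {
    app="$1"
    sig=$(codesign -dv --verbose=4 "$app" 2>&1)
    echo "$app: $(classify_signature "$sig")"
    # Integrity: fails if any sealed resource or Mach-O was modified after signing.
    codesign --verify --deep --strict "$app" 2>&1 | sed 's/^/  verify: /'
    # Gatekeeper's current opinion. A notarized Developer ID app reports
    # "source=Notarized Developer ID"; once Apple revokes the certificate
    # the same bundle flips to "rejected".
    spctl -a -vv -t exec "$app" 2>&1 | sed 's/^/  spctl: /'
}

# Constructed sample reports in the shape codesign prints. The Team ID in the
# first one is the one from the write-up; everything else is made up.
SAMPLE_SIGNED='Executable=/tmp/Gmeet_updater.app/Contents/MacOS/Gmeet_updater
Identifier=com.example.gmeetupdater
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Developer (A2FTSWF4A2)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=A2FTSWF4A2
Runtime Version=13.0.0'

SAMPLE_UNSIGNED='/tmp/Unsigned.app: code object is not signed at all'

SAMPLE_ADHOC='Executable=/tmp/Adhoc.app/Contents/MacOS/Adhoc
Identifier=com.example.adhoc
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x20002(adhoc,linker-signed) hashes=10+2 location=embedded
Signature=adhoc
TeamIdentifier=not set'
```

Usage on a Mac is `triage_app /path/to/Suspect.app`. The Team ID is only evidence of who paid for the certificate, and a notarization ticket only means Apple's scan did not object at submission time; neither says the binary is benign, which is the whole point of the write-up. Revocation is also not retroactive on disk: a bundle that was launched before the certificate was pulled keeps running until something re-evaluates it.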
Notarization is a sad story. It doesn’t provide great security and is a barrier for many groups of people (young, indie, game developers, developers whose primary platform is not the Mac, etc…) to publish an app on the Mac. If Apple wants more games on the Mac, the first step is to make notarization free. Just make it free.
Or just get rid of it? It’s still a major pain, adding time and friction to each build. The notarization server still goes down at the most inconvenient times. There are some basic package structure and code signing checks that are useful, but these would be better if made available locally as part of Xcode. It’s not clear to me that the malware checks are adding much value over what we already get from code signing and macOS’s built-in malware detection.
I’ve lost this week trying to get my macOS app notarized
Notarization jobs would just stall and get stuck on Xcode for days!
So I wrote an email to Apple Developer Support
And the next thing I know is they TERMINATED my entire Developer Account?!
Previously:
- Locked Out of Apple Developer Accounts
- Sequoia Removes Gatekeeper Contextual Menu Override
- More Notarized Mac Malware
- Notarized Mac Malware
- The True and False Security Benefits of Mac App Notarization