Shlayer Snuck Through Apple's Software Vetting Process
Malware known as Shlayer managed to slip past Apple's software vetting process. Apple established an automated notarization process in February 2020; developers submit software to be notarized. If the software passes the checks, macOS Gatekeeper allows it to run.
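The summary above describes the Gatekeeper side of notarization: a notarized app is allowed to run, anything else is blocked or flagged. On a Mac, that verdict can be read directly with `spctl`, which is the check an administrator would want when deciding whether an app on a machine was actually notarized. The helper below is an added example, not code from the original article or from Apple; it assumes the `spctl --assess` output shape shown in the comments (a `path: accepted|rejected` line followed by a `source=` line), and the sample assessment text in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the article or Apple): classify a Gatekeeper assessment.
# Assumed spctl output format (macOS 10.15+), e.g.
#   /Applications/Foo.app: accepted
#   source=Notarized Developer ID
#   origin=Developer ID Application: Example Corp (ABCDE12345)
#
# classify_assessment takes that text as its single argument and prints one of:
#   notarized             accepted with a notarized Developer ID signature
#   app-store             accepted because it came through the Mac App Store
#   accepted-unnotarized  accepted for some other reason (e.g. a user override
#                         or an older Developer ID app); worth a closer look
#   rejected              Gatekeeper would block it (e.g. "no usable signature"
#                         or "Unnotarized Developer ID")
#   unknown               output did not match the expected shape
classify_assessment() {
    verdict=$(printf '%s\n' "$1" | sed -n '1s/.*: //p')
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p')
    case "$verdict" in
        accepted)
            case "$src" in
                "Notarized Developer ID"*) echo notarized ;;
                "Mac App Store"*)          echo app-store ;;
                *)                         echo accepted-unnotarized ;;
            esac ;;
        rejected) echo rejected ;;
        *)        echo unknown ;;
    esac
}

# assess_app runs the real check; it is only meaningful on macOS, where spctl
# exists. spctl writes its verdict and the source= line to stderr, hence 2>&1;
# a non-zero exit (rejected, or spctl missing) is still classified from the text.
assess_app() {
    out=$(spctl --assess --type execute -vv "$1" 2>&1) || true
    classify_assessment "$out"
}

# Usage: sh assess.sh /Applications/Foo.app
if [ "$#" -gt 0 ]; then
    assess_app "$1"
fi
```

Note that "notarized" only means the bundle carried a valid Developer ID signature and Apple's automated scan found nothing it recognised at submission time, which is exactly the limit the editors' notes below describe; it is a provenance check, not a clean bill of health.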
Apple has been clear from the start that notarization does not equal application testing. Pretty much like in the real world, where notaries public don't actually quiz you to make sure you really are you; they just check a few documents and notarize that the documents you showed them match the identity you are claiming. Apps do get tested for inclusion in the App Store - you can limit Macs to only allowing apps to be downloaded from the App Store. That app testing has been pretty good but not perfect either. The macOS layers of protection do lower the malware risk significantly, but Macs used for business purposes should also have malware protection installed.
Shawn Geddis, Security and Certifications Engineer at Apple, briefed me on application notarization last year. He explained that notarized applications are checked for malicious components and that the developer ID is confirmed; what is provided back to the developer is the notarization for that app. Notarization is not App Review, nor is source code shared with Apple. The application is then distributed by the developer through whatever means necessary to all of its users. Notarized applications are verified and allowed to run on macOS because it can be attested that they do not contain identifiable malicious components. This is an extension of what has been taking place with Gatekeeper data within macOS for some time. Even so, as John states, it is still a good idea to have additional anti-malware protections for defense in depth.
Notarization speaks to attribution, not quality, not motive or intent.
William Hugh Murray
Read more in Bleeping Computer: Malware authors trick Apple into trusting malicious Shlayer apps