Macs Fail to Stop Even Basic Adware (Report)

Updated 5:30 p.m. Eastern Thursday with comment from Malwarebytes.

If you've been using a Mac for the past couple of years, you've probably noticed a sharp uptick in the number of potentially unwanted programs (PUPs) trying to tell you that your machine is infected, show you ads or hijack your browser's home page and search engine.

It may be because Apple's own defenses aren't working. It's too easy to "sign" dodgy software with a valid Apple developer certificate, which costs $99, and thus evade Apple's Gatekeeper security program. It's also too easy to create "new" adware or malware that slips pasts Apple's XProtect antivirus software.

A newly-found strain of macOS adware illustrates how weak Apple's own system protections are, and shows how easy it would be for truly malicious software to completely take over a Mac — even with third-party antivirus software installed.

MORE: Best Mac Antivirus Programs

The adware, called Mugthesec by Patrick Wardle, the Synack researcher who analyzed it in a blog posting Tuesday (Aug. 8), poses as an Adobe Flash Player installer in order to get the end user to authorize its installation. It may be an updated version of older Mac adware called OperatorMac.

Mugthesec bypasses Gatekeeper, which is meant to screen out this sort of thing, by using an Apple developer certificate. It then pulls down more unwanted programs, including a fake system optimizer, a search-engine hijacker and a travel-booking app, some of which install themselves as "launch agents" to run upon system startup.

Mugthesec also searches for the presence of certain brands of antivirus software — an evasion feature usually found only in true malware — but that may not be necessary quite yet.

"It's rather unsophisticated macOS malware, but ... at the time of this analysis, no anti-virus engines were detect[ing] it," Wardle wrote on his blog Tuesday.

Two days after Wardle wrote his post, we looked up the malware "hashes" on VirusTotal and found that only a few antivirus engines (ESET and Ikarus among them) were detecting either the Mugthesec installer or the software itself. More than 50 other engines just let it slide by. (Heuristic detectors on many products might catch it nevertheless by analyzing behavior and code, but some AV products choose to ignore stuff that isn't quite malware.)

But Gatekeeper and the antivirus products aren't completely to blame. Also at fault are Mac users, who seem to be more easily fooled by dodgy-looking apps than their Windows-using counterparts. Almost all Mac adware, no matter how skeevy, needs the end user to authorize its installation — and yet countless users give these products the green light.

If you think you're infected with Mugthesec, or its auxiliary programs Advanced Mac Cleaner, Safe Finder and Booking.com, Wardle offers some manual cleaning instructions:

  • Using the Terminal command-line interface, delete the Mugthesec launch agent by typing: "launchctl unload ~/Library/LaunchAgents/com.Mughthesec.plist"
  • In the Finder, locate and delete "~/Library/Application Support/com.Mughthesec/Mughthesec"
  • In the Finder, locate and delete "~/Library/LaunchAgents/com.Mughthesec.plist"
  • In Safari, and possibly in other browsers, delete the "Any Search" extension

To prevent infection by this sort of adware, and possibly much worse, don't blindly trust Gatekeeper that something you've downloaded from the internet is safe. If you do download a free program, check the fine print in the user agreement very carefully and look for checked boxes that permit installation of other software.

Don't accept the installation of anything you haven't asked for, including a system cleaner, a search-engine optimizer or a shopping assistant. And please do run Mac antivirus software — like Gatekeeper, it isn't perfect, but it's better than nothing.

Wardle himself offers nearly a dozen free Mac security tools on his website, including a malware scanner and an anti-ransomware tool.

"Existing [Mac] security/mitigation strategies are rather failing miserably," Wardle told ThreatPost. "Now most Mac adware/malware is just signed with [certificates]. So Gatekeeper is basically a moot point. Normal everyday users are still going to go around infecting themselves ... Gatekeeper/AV, etc., really don't offer any help."

An email seeking comment from Apple was not immediately returned.

Update: Thomas Reed, a Mac security researcher with Malwarebytes, informed us via Twitter that Malwarebytes software will detect Mugthesec.

Image credit: Songpholt/Shutterstock