Macs Fail to Stop Even Basic Adware (Report)


Updated 5:30 p.m. Eastern Thursday with comment from Malwarebytes.

If you've been using a Mac for the past couple of years, you've probably noticed a sharp uptick in the number of potentially unwanted programs (PUPs) trying to tell you that your machine is infected, show you ads or hijack your browser's home page and search engine.

It may be because Apple's own defenses aren't working. It's too easy to "sign" dodgy software with a valid Apple developer certificate, which costs $99, and thus evade Apple's Gatekeeper security program. It's also too easy to create "new" adware or malware that slips past Apple's XProtect antivirus software.

A newly-found strain of macOS adware illustrates how weak Apple's own system protections are, and shows how easy it would be for truly malicious software to completely take over a Mac — even with third-party antivirus software installed.


The adware, called Mugthesec by Patrick Wardle, the Synack researcher who analyzed it in a blog posting Tuesday (Aug. 8), poses as an Adobe Flash Player installer in order to get the end user to authorize its installation. It may be an updated version of older Mac adware called OperatorMac.

Mugthesec bypasses Gatekeeper, which is meant to screen out this sort of thing, by using an Apple developer certificate. It then pulls down more unwanted programs, including a fake system optimizer, a search-engine hijacker and a travel-booking app, some of which install themselves as "launch agents" to run upon system startup.

Mugthesec also searches for the presence of certain brands of antivirus software — an evasion feature usually found only in true malware — but that may not be necessary quite yet.

"It's rather unsophisticated macOS malware, but ... at the time of this analysis, no anti-virus engines were detect[ing] it," Wardle wrote on his blog Tuesday.

Two days after Wardle wrote his post, we looked up the malware "hashes" on VirusTotal and found that only a few antivirus engines (ESET and Ikarus among them) were detecting either the Mugthesec installer or the software itself. More than 50 other engines just let it slide by. (Heuristic detectors on many products might catch it nevertheless by analyzing behavior and code, but some AV products choose to ignore stuff that isn't quite malware.)

But Gatekeeper and the antivirus products aren't completely to blame. Also at fault are Mac users, who seem to be more easily fooled by dodgy-looking apps than their Windows-using counterparts. Almost all Mac adware, no matter how skeevy, needs the end user to authorize its installation — and yet countless users give these products the green light.

If you think you're infected with Mugthesec, or its auxiliary programs Advanced Mac Cleaner, Safe Finder and Booking.com, Wardle offers some manual cleaning instructions:

  • Using the Terminal command-line interface, delete the Mugthesec launch agent by typing: "launchctl unload ~/Library/LaunchAgents/com.Mughthesec.plist"
  • In the Finder, locate and delete "~/Library/Application Support/com.Mughthesec/Mughthesec"
  • In the Finder, locate and delete "~/Library/LaunchAgents/com.Mughthesec.plist"
  • In Safari, and possibly in other browsers, delete the "Any Search" extension
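As an added example (not part of this article or of Wardle's post), here is a small POSIX shell script that checks a home directory for the two file-system artifacts named in the steps above and, on request, removes them the same way: unload the launch agent, then delete the plist and the payload directory. The HOME_DIR argument, the function names and the throwaway fake home directory used to exercise it are my own assumptions; the paths are the ones listed above.

```shell
#!/bin/sh
# Added example: scan for and clean up the Mugthesec persistence artifacts
# listed in the article. Paths are relative to the user's home directory.
MUGTHESEC_PLIST="Library/LaunchAgents/com.Mughthesec.plist"
MUGTHESEC_PAYLOAD_DIR="Library/Application Support/com.Mughthesec"
MUGTHESEC_BINARY="$MUGTHESEC_PAYLOAD_DIR/Mughthesec"

# list_mugthesec_artifacts HOME_DIR
# Prints every artifact that exists under HOME_DIR, one per line.
# Returns 0 if at least one was found, 1 if the home directory looks clean.
list_mugthesec_artifacts() {
    home_dir="$1"
    hits=0
    for rel in "$MUGTHESEC_PLIST" "$MUGTHESEC_BINARY"; do
        if [ -e "$home_dir/$rel" ]; then
            printf '%s\n' "$home_dir/$rel"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# remove_mugthesec_artifacts HOME_DIR
# Mirrors the manual steps: unload the launch agent (launchctl exists only on
# macOS, so this is skipped elsewhere), then delete the plist and the payload
# directory. Returns 0 when no artifact remains afterwards.
remove_mugthesec_artifacts() {
    home_dir="$1"
    plist="$home_dir/$MUGTHESEC_PLIST"
    if [ -e "$plist" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist" 2>/dev/null || true
    fi
    rm -f "$plist"
    rm -rf "$home_dir/$MUGTHESEC_PAYLOAD_DIR"
    ! list_mugthesec_artifacts "$home_dir" >/dev/null
}

# make_fake_infected_home
# Constructed demo only: builds a throwaway directory with empty stand-ins for
# both artifacts so the scan and cleanup can be tried on any POSIX system
# without a real infection. Prints the directory path.
make_fake_infected_home() {
    fake="$(mktemp -d)"
    mkdir -p "$fake/Library/LaunchAgents" "$fake/$MUGTHESEC_PAYLOAD_DIR"
    : > "$fake/$MUGTHESEC_PLIST"
    : > "$fake/$MUGTHESEC_BINARY"
    printf '%s\n' "$fake"
}

# Usage: sh mugthesec_check.sh --scan [HOME_DIR]
#        sh mugthesec_check.sh --remove [HOME_DIR]
# With no arguments the script only defines the functions above.
case "${1:-}" in
    --scan)   list_mugthesec_artifacts "${2:-$HOME}" ;;
    --remove) remove_mugthesec_artifacts "${2:-$HOME}" ;;
esac
```

Run `--scan` first and review what it prints before running `--remove`; the script only touches the two paths above, so the "Any Search" browser extension from the last step still has to be removed by hand in each browser.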

To prevent infection by this sort of adware, and possibly much worse, don't blindly trust Gatekeeper that something you've downloaded from the internet is safe. If you do download a free program, check the fine print in the user agreement very carefully and look for checked boxes that permit installation of other software.

Don't accept the installation of anything you haven't asked for, including a system cleaner, a search-engine optimizer or a shopping assistant. And please do run Mac antivirus software — like Gatekeeper, it isn't perfect, but it's better than nothing.

Wardle himself offers nearly a dozen free Mac security tools on his website, including a malware scanner and an anti-ransomware tool.

"Existing [Mac] security/mitigation strategies are rather failing miserably," Wardle told ThreatPost. "Now most Mac adware/malware is just signed with [certificates]. So Gatekeeper is basically a moot point. Normal everyday users are still going to go around infecting themselves ... Gatekeeper/AV, etc., really don't offer any help."

An email seeking comment from Apple was not immediately returned.

Update: Thomas Reed, a Mac security researcher with Malwarebytes, informed us via Twitter that Malwarebytes software will detect Mugthesec.

Image credit: Songpholt/Shutterstock

5 comments
  • Matthew Says:

    What is your evidence for "Mac users, who seem to be more easily fooled by dodgy-looking apps than their Windows-using counterparts."? I support many home users, and in my experience, gullibility and poor security practices have nothing to do with a chosen computer platform. So again, what evidence do you base that claim on, or is it the author's personal bias?

  • SteveS Says:

    This is a very misleading article. For starters, existing anti-malware does detect this adware. Further, this is a Trojan which depends on the end user to provide authentication before installing. Yes, some people will be tricked by this, but social engineering is not a system security weakness.

  • Ed Hubble Says:

    You should probably correct this statement:

    "The adware, called Mugthesec by Patrick Wardle, the Synack researcher who analyzed it"

    The name isn't his, right?! It's the actual name of the malware. That's clear because it can be searched for using that name.

    As you wrote it, though, it makes it sound as if he were involved in either creating or naming the malware itself!

  • eropT Says:

    Even basic education will not help people who fall prey to this scareware, which pops up when one visits sites for movies.

  • Harvey Lubin Says:

    "poses as an Adobe Flash Player installer in order to get the end user to authorize its installation"

    Nothing new here. Intelligent people have known for a long time not to install Adobe Flash at all, or if you are going to install it make sure that it is directly from Adobe, and not from another unknown source.

    In fact, don't install any software from any source other than the developers' sites or from Apple's App Store.

    Adware on macOS doesn't install itself. It must be installed by an "admin" user, and requires their password to install it.

    The weak link here is the user. Unfortunately, users who let themselves get tricked into installing Trojans only have themselves to blame.
