A variant of the Crossrider adware has been spotted in the wild. It is Mac malware posing as Flash, and it differs from the original breed in that it installs configuration profiles to stay persistent (via Malwarebytes).
Mac Flash Malware
This strain of Crossrider comes in the form of a fake Adobe Flash Player installer. Pretty typical for macOS and nothing we haven’t seen before. But this one is a bit different. As you install it, it automatically installs Advanced Mac Cleaner, which uses Siri’s voice to tell you it found a problem.
But behind the scenes, it locks Safari’s homepage to a Crossrider domain, and the setting can’t easily be changed. This is due to a configuration profile, a mechanism that IT admins use to control the behavior of Macs in bulk, such as in a company.
This configuration profile forces Safari and Chrome (if you have it installed) to always open a page at chumsearch.com. You can’t change it via Safari preferences, but you can find the profile by going to System Preferences > Profiles.
How to Remove It
Luckily, removing it is fairly straightforward and involves a couple of Terminal commands. If you’re on macOS 10.12 or earlier, use the command:
sudo profiles -L
Although this works on macOS 10.13, another command may be better:
sudo profiles list
Then, look for an unfamiliar profile. In this case, the identifier is com.myshopcoupon.www. On macOS 10.12 or earlier, type:
sudo profiles -R -p com.myshopcoupon.www
On macOS 10.13:
sudo profiles remove -identifier com.myshopcoupon.www
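The "look for an unfamiliar profile" step can be scripted. The following is an added example, not part of the original article or the Malwarebytes write-up. It assumes each profile appears in the listing on a line containing "profileIdentifier: <identifier>", and the allowlist, sample listing and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag configuration profiles whose identifier is not on an allowlist.
# Assumption: the listing shows each profile on a line containing
# "profileIdentifier: <identifier>".

# Constructed allowlist; replace with the identifiers you expect on this Mac.
KNOWN_PROFILES="com.example.corp.wifi com.example.corp.mdm"

# Constructed sample listing, used when the script is run without --scan.
SAMPLE_LISTING='_computerlevel[1] attribute: profileIdentifier: com.myshopcoupon.www
_computerlevel[2] attribute: profileIdentifier: com.example.corp.wifi
There are 2 configuration profiles installed'

# Read a listing on stdin and print every identifier that is not allowlisted.
unfamiliar_profiles() {
    sed -n 's/.*profileIdentifier:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
    sort -u |
    while read -r id; do
        case " $KNOWN_PROFILES " in
            *" $id "*) ;;                      # expected profile, skip
            *) printf '%s\n' "$id" ;;          # unfamiliar, report
        esac
    done
}

# Print (never run) the removal command for identifier $1 on macOS version $2.
removal_command() {
    major=$(printf '%s' "$2" | cut -d. -f1)
    minor=$(printf '%s' "$2" | cut -d. -f2)
    if [ "$major" -eq 10 ] && [ "$minor" -le 12 ]; then
        printf 'sudo profiles -R -p %s\n' "$1"
    else
        # 10.13 form from the article; assumed to apply to later releases too.
        printf 'sudo profiles remove -identifier %s\n' "$1"
    fi
}

if [ "${1:-}" = "--scan" ]; then
    version=$(sw_vers -productVersion)
    listing=$(sudo profiles -L)   # per the article, also works on 10.13
else
    version="10.13.4"             # constructed version for the sample run
    listing=$SAMPLE_LISTING
fi
printf '%s\n' "$listing" | unfamiliar_profiles | while read -r id; do
    printf 'Unfamiliar profile: %s\n  review, then: %s\n' "$id" "$(removal_command "$id" "$version")"
done
```

Run it with --scan on the Mac itself. The script only prints the removal command, so a profile that is legitimately managed by your employer is never removed automatically.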
Other than that, the malware doesn’t seem to do much damage to your system. Additionally, fake Adobe Flash Player installers are easy for most users to avoid. Flash really isn’t needed anymore, but if you do need it, make sure to only download it from Adobe’s official website.