Fake Antivirus App Targets Mac Users for Extortion

A new Mac malware program has been released that uses a combination of techniques in an attempt to trick Mac users into installing the software. Once installed, the app masquerades as a “well designed Mac application,” according to antivirus company Intego, and simulates virus symptoms in order to convince the target to pay for the “full” version of the software to fight the otherwise non-existent viruses.

The malware is named MAC Defender or MACDefender (Intego has named it “OSX/MacDefender.A”), a name intended to be confused with the legitimate Mac security company MacDefender. According to Intego, the makers of this app have used search engine optimization (SEO) techniques to boost malware websites to the top of Google and other search engine results for some searches.

If a Mac user then opens one of those malware sites in a browser, a fake Windows screen opens that shows a fake scan of your computer being conducted, along with a fake results window that tells you your Mac is infected. The malware site then uses JavaScript to force a download of the actual malware app installer as a Zip file.

This is where a user’s vigilance and security practices become part of the equation. If you have checked the “Open ‘safe’ files after downloading” option in your Safari preferences, the Zip file will open and the installer will run, inviting the user to install the bogus “MACDefender Setup” app. If the user then gives the installer permission to do its job by entering their system administrator password, the malware is installed.

The same thing would happen if the user double clicked or otherwise opened the Zip file.
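The Safari setting described above is the one practical control a user has over this step, so here is an added audit script (constructed for this article, not code from Intego or from the malware). It assumes macOS’s `defaults` tool and the Safari preference key `AutoOpenSafeDownloads`, which backs the “Open ‘safe’ files after downloading” checkbox:

```shell
#!/bin/sh
# Audit (and optionally disable) Safari's "Open 'safe' files after downloading"
# option, the setting that let the MACDefender installer launch straight out of
# a forced Zip download. Constructed example; assumes the macOS `defaults` tool
# and the preference key com.apple.Safari AutoOpenSafeDownloads.

# Classify the raw value printed by `defaults read`. Safari ships with this
# option switched ON, so a missing key is treated as enabled, not as safe.
classify_auto_open() {
    case "$1" in
        0|false|NO)   echo "disabled" ;;
        1|true|YES)   echo "enabled" ;;
        "")           echo "enabled-by-default" ;;
        *)            echo "unknown" ;;
    esac
}

# Read the live setting; prints nothing if the key (or `defaults`) is absent.
read_auto_open() {
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true
}

# Turn the option off so downloaded archives are no longer opened automatically.
harden_auto_open() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Report the current state and exit non-zero when auto-open is still active,
# which lets the script double as a fleet compliance check.
audit() {
    state=$(classify_auto_open "$(read_auto_open)")
    echo "Safari AutoOpenSafeDownloads: $state"
    case "$state" in
        disabled) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: sh safari_autoopen.sh audit   |   sh safari_autoopen.sh harden
if [ "${1:-}" = "audit" ]; then audit; fi
if [ "${1:-}" = "harden" ]; then harden_auto_open && audit; fi
```

Disabling the option only stops the automatic launch; a user who opens the Zip by hand and then types an administrator password still installs the malware.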

This is where being a “well designed Mac application” comes into play, because this malware runs in the background, doesn’t have a Dock icon, and installs an official-looking orange shield in your menu bar, as you can see in the image below posted by Intego. The software has a solid Mac look and feel, and the orange shield will glow red when it “detects” a virus, which it does as a matter of course, because it’s not actually checking for anything.

MACDefender Malware screenshot — note the orange shield in the menu bar.
Image courtesy of Intego.

The malware will also open up porn sites in your browser every few minutes to make you think that you’ve been infected with a virus. If you click the “Register” button in the malware, you will be allowed to pay for the “full” version which “removes” the virus by simply ceasing to simulate the virus symptoms.

Intego noted that these sorts of extortionist apps are common in the Windows world, but that this is the first one to target Mac users with a legitimate Mac look and feel.

“In the past,” the company wrote, “these types of sites—very common vectors of Windows malware—only delivered Windows .exe applications. The fact that such a site is providing a Mac rogue antivirus is new, and extremely rare. While the site itself still shows a fake Windows screen, the rogue antivirus itself is a well-designed Mac application.”

We should also note that this isn’t a virus; it’s malware that requires user permission to install itself and can only be propagated onto Macs with that permission. Simply having the file downloaded onto your Mac won’t harm it unless the user then installs the malware with their system admin password.

As part of its security warning, Intego said that its own antivirus software, VirusBarrier, will detect the malware on malicious sites and warn users not to install the malware if they begin the process of doing so.