Fake Antivirus App Targets Mac Users for Extortion


A new Mac malware program has been released that uses a combination of techniques in an attempt to trick Mac users into installing the software. Once installed, the app masquerades as a “well designed Mac application,” according to antivirus company Intego, and simulates virus symptoms in order to convince the target to pay for the “full” version of the software to fight the otherwise non-existent viruses.

The malware is named MAC Defender or MACDefender (Intego has named it “OSX/MacDefender.A”), a name intended to be confused with the legitimate Mac security company MacDefender. According to Intego, the makers of this app have used search engine optimization (SEO) techniques to boost malware websites to the top of Google and other search engine results for some searches.

If a Mac user then opens one of those malware sites in a browser, a fake Windows screen opens that shows a fake scan of your computer being conducted, along with a fake results window that tells you your Mac is infected. The malware site then uses JavaScript to force a download of the actual malware app installer as a Zip file.

This is where a user’s vigilance and security practices become part of the equation. If you have checked the “Open ‘safe’ files after downloading” option in your Safari preferences, the Zip file will open and the installer will run, inviting the user to install the bogus “MACDefender Setup” app. If the user then gives the installer permission to do its job by entering their system administrator password, the malware is installed.

The same thing would happen if the user double clicked or otherwise opened the Zip file.
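The Safari option described above is an ordinary preference, so a defender can audit it. The following is an added example, not code from the article or from Intego; it assumes the preference is stored under the well-known key `AutoOpenSafeDownloads` in `com.apple.Safari.plist` (the Safari preference file of that era lived at `~/Library/Preferences/`), and it treats a missing key as the shipped default, which is on.

```python
import plistlib
import sys
from pathlib import Path

# Well-known Safari preference key behind the "Open 'safe' files after
# downloading" checkbox. The key name is an assumption; the article only
# names the checkbox.
AUTO_OPEN_KEY = "AutoOpenSafeDownloads"


def safari_auto_open_enabled(plist_bytes: bytes) -> bool:
    """Return True when Safari will unpack downloaded archives automatically.

    Safari ships with the option turned on, and an absent key means "use the
    default", so a missing key is reported as enabled, not as safe. plistlib
    accepts both XML and binary plist encodings.
    """
    prefs = plistlib.loads(plist_bytes)
    return bool(prefs.get(AUTO_OPEN_KEY, True))


def audit_safari_prefs(plist_bytes: bytes) -> dict:
    """Summarise the single finding this article is about."""
    enabled = safari_auto_open_enabled(plist_bytes)
    finding = (
        "downloaded Zip archives are unpacked and their installers launched "
        "without a click; turn the option off (the installer still needs an "
        "admin password, and a user can still open the Zip by hand)"
        if enabled
        else "auto-open is off; a downloaded archive stays closed"
    )
    return {"auto_open_safe_downloads": enabled, "finding": finding}


# Constructed sample preference files, not data from any real Mac.
PREFS_DEFAULT = plistlib.dumps({"HomePage": "https://www.apple.com/"})
PREFS_EXPLICIT_ON = plistlib.dumps({AUTO_OPEN_KEY: True})
PREFS_HARDENED = plistlib.dumps({AUTO_OPEN_KEY: False}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    # Assumed location of the Safari preference file on a 2011-era Mac; a
    # path on the command line overrides it. Falls back to the sample data
    # so the script also runs on a non-Mac host.
    default_path = Path.home() / "Library/Preferences/com.apple.Safari.plist"
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else default_path
    data = path.read_bytes() if path.exists() else PREFS_DEFAULT
    print(audit_safari_prefs(data))
```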

This is where being a “well designed Mac application” comes into play: this malware runs in the background, doesn’t have a Dock icon, and installs an official-looking orange shield in your menu bar, as you can see in the image below posted by Intego. The software has a solid Mac look and feel, and the orange shield glows red when it “detects” a virus, which it does as a matter of course, because it isn’t actually checking for anything.

[Image: MACDefender malware screenshot]

MACDefender Malware screenshot — note the orange shield in the menu bar.
Image courtesy of Intego.

The malware will also open up porn sites in your browser every few minutes to make you think that you’ve been infected with a virus. If you click the “Register” button in the malware, you will be allowed to pay for the “full” version which “removes” the virus by simply ceasing to simulate the virus symptoms.

Intego noted that these sorts of extortionist apps are common in the Windows world, but that this is the first one to target Mac users with a legitimate Mac look and feel.

“In the past,” the company wrote, “these types of sites—very common vectors of Windows malware—only delivered Windows .exe applications. The fact that such a site is providing a Mac rogue antivirus is new, and extremely rare. While the site itself still shows a fake Windows screen, the rogue antivirus itself is a well-designed Mac application.”

We should also note that this isn’t a virus; it’s malware that requires user permission to install itself and can only be propagated onto Macs with that permission. Simply having the file downloaded onto your Mac won’t harm it unless the user then installs the malware with their system admin password.

As part of its security warning, Intego said that its own antivirus software, VirusBarrier, will detect the malware on malicious sites and warn users not to install the malware if they begin the process of doing so.


Uuhhh… just another piece of malware aimed at windoze users then, ‘cos no right thinking mac user is gonna buy anti-virus software. Funny how many anti-virus ads pepper the screen around this post!


Just a matter of time.

Apparently, there is a fully functional kit that allows you to build your own malware expressly for the Mac OS.

We may be seeing more in future.


The majority of Mac users I’ve met are clueless about these sorts of things. All they know is “Macs don’t get Viruses” and go about their merry way, never mind that Macs do get Trojans, Worms, and Rootkits.

It’s sad when the Teenie Bopper gets her first Rootkit and can’t figure out why her CD-ROM drive isn’t working any more.


It’s sad when the Teenie Bopper gets her first Rootkit and can’t figure out why her CD-ROM drive isn’t working any more

True, however some schools are doing a fair job of educating kids about internet best practices, including the differences between trojans, worms and rootkits - and precautions to avoid them. I’ve been impressed with what my own kids have been taught in school.

That doesn’t obviate one’s role as a parent, however, to instruct (and monitor) one’s kids on internet and computer use, as with anything else that comes with risks and benefits.

Your point is well taken, however; complacency is never a safe haven.


I did a search on the Apple Support discussion website and it looks like MAC Defender has been downloaded by a lot of people.

So, MAC Defender seems to be the first widespread malware on OSX.

However, I do think Apple could slow down the malware method used by MAC Defender by changing a default on Safari through an update.

- Right now if a browser used by a Mac user is Safari the default setting is to ‘open safe files after downloading’.

- This Safari default setting will unzip archives; and will open the installer.app, which will offer the user the option to install it. Some people who have installed MAC Defender have been fooled by the standard install screen telling them to install the program.

* Imo Apple should do an update to Safari asap to turn off ‘open safe files after downloading’ as the default.


bb-15 said on May 4th, 2011 at 3:20 AM (Edited: 05/04/2011 3:24 AM):

I did a search on the Apple Support discussion website and it looks like MAC Defender has been downloaded by a lot of people.

Perhaps the most obvious lesson to learn from this is how keen the less knowledgeable are to believe that they need anti-virus software. Perhaps the media could advertise this as a valuable lesson to those who blindly follow instructions rather than pursuing their own learning plan.

I’d imagine that the majority of the afflicted aren’t even aware of the difference between a trojan and a virus - perhaps they aren’t even aware of the Greek myth about the Trojan horse!
