No 9to5Mac reader is going to be at risk from malware that directs users to a scam website and asks them to download software, but Malwarebytes has discovered a previously unknown piece of Mac malware that could easily fool less technical users.
Thomas Reed, lead researcher at Malwarebytes, told us that he found the malware on a scam page hosted on the official Advanced Mac Cleaner website …
It does rely on a naive user approving a request to install Advanced Mac Cleaner on their machine, but doing so also installs a second app known as Mac File Opener. Reed said that it wasn’t initially obvious how the app could force users to launch it.
Even more intriguing, this app didn’t have any apparent mechanism for being launched. It hadn’t been added to my login items. There wasn’t a new launch agent or daemon designed to load it. It simply seemed to be sitting there, doing nothing.
But some digging found that the Info.plist file within the app defined a list of 232 different file types that it claimed to be able to open. If a user tries to open a file for which they don’t have a corresponding app, it will be opened by Mac File Opener which then presents a reasonably convincing fake version of the normal OS X dialog box advising that no suitable app is installed.
The fake dialog box links to the macfileopener[dot]com website, which downloads other junk PCVARK apps, such as Mac Adware Remover or Mac Space Reviver. All the apps have a valid, Apple-provided developer certificate, so OS X will happily install them without any warning.
It may be worth reminding your less-technical friends to stick to the official Mac App Store, and to ensure that they check for the above fake dialog trying to direct them to the web. Although there is very little Mac malware in the wild, examples do exist, along with a fair sprinkling of scamware.