Mac Adware Trojan Can Install Anything on OS X

A new installer of potentially unwanted programs for Apple's Mac OS X crosses the line into full-blown malware, installing any number of dubious applications and deliberately evading antivirus software, Russian antivirus firm Dr. Web reports.

Most potentially unwanted programs, otherwise known as PUPS, adware or "crapware," are annoying but legal. They include dubious "system optimizers" and security software, plus browser extensions that reset home pages or hijack search results. PUPs come discreetly bundled with desired pieces of software found online, and install themselves by "borrowing" the permissions granted by users to that software.

MORE: Best Identity-Theft Protection Services

PUPs usually aim to put ads on computer screens or to sell people unnecessary software. Adware.Mac.InstallCore.1, as described in a Dr. Web blog posting this week, is different. It's true malware, a Trojan horse that masquerades as something else – in this case, either Adobe Flash Player or the shareware OS X media player MPlayerX. (Some online reports say MPlayerX is itself adware, but it's been vetted by Apple and is in the Mac App Store.)

As of now, the pieces of software that Adware.Mac.InstallCore.1 installs are relatively benign. But with the flick of a switch, it could infect Macs with truly malicious software, such as keyloggers, banking Trojans, encrypting ransomware or disk wipers (one of which destroyed thousands of PCs at Sony Pictures Entertainment last fall). Regular PUPs rarely do this because their makers and distributors can usually be found, fined, prosecuted or sued.

Once the user lets Adware.Mac.InstallCore.1 install, the first thing it does is check for the presence of Mac antivirus programs made by AVG, Avast, Bitdefender, Comodo, ESET, F-Secure, Intego, Kaspersky Lab, Sophos or Symantec, as well as for the open-source antivirus program ClamXav. It also checks for signs that the machine might be used by security researchers, such as whether OS X is running in a virtual machine or with developer tools.

If it finds any of these, Adware.Mac.InstallCore.1 stops installing. If not, then it reaches out to the Internet and installs up to 10 different unwanted programs, including system optimizers, security software, media players and browser hijackers. Most of the programs are legal, but you probably won't want them on your system.

These installers get past OS X's Gatekeeper software by presenting bogus or stolen digital certificates of authentication. One belongs to the Chinese creator of the real MPlayerX software; two others use the names of American men identified in news reports as suspects in murder cases. (One had his sentence overturned and was released from prison.)

To block Adware.Mac.InstallCore.1 and other unwanted programs, install an antivirus program on your Mac, and keep it updated. Some of the best Mac AV software is free, so there's no excuse to not use it. Many dangerous pieces of OS X malware have appeared in the past few years, and more can be expected as Apple's OS X user base continues to grow.

If you've already been infected by adware or other PUPs, try installing and running CCleaner for Mac. You can also try resetting your browser; here are instructions for Mozilla Firefox and Google Chrome. Apple used to allow an easy reset of Safari, but took it away with OS X 10.10 Yosemite; as a replacement, it offers a rather complicated set of procedures on the Apple support website.

Finally, be very careful about what you download and install from the Internet. This nasty Trojan takes advantage of weaknesses in Mac users' alertness, not the OS X software itself.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.