Apple Finally Admits MacDefender Malware Threat

After days of silence, Apple has posted instructions on how to remove the MacDefender fake antivirus scareware

Apple has finally broken its silence on the MacDefender scareware and other fake AV variants that have been making the rounds recently. The company promised a Mac OS X update to remove the malware.

Apple will deliver a Mac OS X software update “in the coming days” that will automatically find and remove MacDefender malware and its known variants, Apple said in a support document dated 24 May. The update will also provide an explicit warning if the user downloads the malware in the future.

In the document titled, “How to avoid or remove Mac Defender malware,” Apple acknowledged the scam’s existence and outlined steps on avoiding installing the software, deleting it before it is installed and uninstalling if it’s already on the machine.

“This ‘anti-virus’ [MacDefender] software is malware (i.e. malicious software).  Its ultimate goal is to get the user’s credit card information, which may be used for fraudulent purposes,” Apple wrote.

First public admission

This is the company’s first public admission that malware exists for the Mac OS X platform. Apple created a “false sense of security” through its marketing and advertisements, suggesting Apple users are immune to security threats, Chester Wisniewski, senior security adviser at Sophos, told eWEEK.

“Now that some of their flock are affected, it would be good of them to at least point people in the right direction,” Wisniewski said.

There are several variants of the fake AV for Mac OS X currently in circulation, with names such as MacDefender, MacProtector, MacSecurity and Apple Security Center, according to Dan Clark, vice president of marketing at ESET. Most users are scammed when they are redirected from legitimate websites to fake sites that warn them the computer is “infected” with a virus and are told to enter a credit card number to purchase an antivirus solution. MacDefender also opens up pop-ups with adult content ads every few minutes to strengthen the impression that the users need MacDefender.

Apple warned users against providing credit card information or entering their administrator password when prompted by the software installer.

Avoiding the issue

Apple had remained silent over the past few days after ZDNet’s Ed Bott published a transcript of a conversation with an AppleCare representative and a copy of an internal memo where Apple instructed its support employees not to acknowledge the existence of MacDefender or to offer any assistance in removing the malware.

Users can avoid getting scammed midattack if they force quit their browsers as soon as they see the phony notifications. Because the malware attaches itself to the launch menu and has no dock icon, it is difficult to quit in the normal way, according to Mac security firm Intego.

Apple originally instructed its employees to not teach users how to force quit if they realise that the user was calling about MacDefender. In the latest support document, Apple instructed users how to force quit, delete the downloaded malware and uninstall the software.

A new MacDefender variant has emerged that is more dangerous than the other versions because it does not need a password to be installed, Intego warned on 25 May. Like most Mac OS X applications, MacDefender and others require users to enter the administrator password to authorise the software installer.

MacGuard executes if the user has the “Open ‘safe’ files after downloading” option checked in Safari and does not require any administrator password to install in the Applications folder, Intego said. If the user sees something that looks like a Finder window claiming to be scanning the Mac, “know that this is bogus,” Intego said.

Up to a quarter of a million affected

The scam is pretty widespread, with links on Google image searches and other legitimate pages, although it appears that Google has been able to track down and remove a number of malicious links. Bott estimated that the total number of customers affected could be between 60,000 and 125,000, “and growing.”

The malware’s name and user interface are going to change continuously, so Mac users should be on the lookout for the type of behaviour where an application is going to ask for the credit card number, ESET’s Clark said. “There is no legitimate antivirus or security software that alerts you through a browser that malware of any type has been detected then tries to install itself,” Clark said.

Rogue AV has long been a problem for Windows users. Regardless of the platform, all users now need to be security-conscious, according to Wisniewski. “When enough people let their guard down, they are easy targets and criminals will take advantage of the lowest hanging fruit,” said Wisniewski.