Apple Mac Adware OSX.Pirrit Returns With Vengeance

OSX.Pirrit adware exploits AppleScript to spy on Apple Mac users, yet adtech creators deny it is malware

Users of Apple Macs are being warned about the return of a “very nasty piece of adware” that targets the Mac OS operating system.

The warning comes from Cybereason, which found that the adware has been adapted and has returned for the third time since it was first spotted back in April 2016.

The adware, dubbed OSX.Pirrit, has some truly nasty elements, in that it doesn’t just flood infected Apple Mac computers with adverts, but it contains “characteristics usually seen in malware”. It also has the ability to obtain root access on the infected machine.

iMac Pro display


Mac Adware

Cybereason said that it had first analysed OSX.Pirrit back in April 2016, and several months after that discovered new variants were in the wild.

“While OSX.Pirrit’s main goal was to display ads, the way it did this contains many practices borrowed from traditional malware,” blogged Amit Serper, principal security researcher at Cybereason. “Ultimately, OSX.Pirrit’s code had the potential to carry out much more malicious activities.”

Over a year later Serper decided to recheck on the status of OSX.Pirrit, and was alarmed at the results.

“Curious to see if OSX.Pirrit was still alive and spreading, I recently started to research it again,” he blogged. “And, to my surprise, it’s very active. Not only is it still infecting people’s Macs, OSX.Pirrit’s authors learned from one of their mistakes.”

He warned that the adware’s authors (an adtech company called TargetingEdge) had reprogrammed the adware.

The old version of OSX.Pirrit used rogue browser plug-ins or installed a proxy server on the victim’s machine in order to hijack the browser. But the new version of OSX.Pirrit “uses (or shall I say abuses) AppleScript, Apple’s scripting/automation language,” he wrote.

“And, like its predecessors, this variant is nasty, “he warned. “In addition to bombarding people with ads, it spys on them and runs under root privileges.”

Not Malware?

TargetingEdge has apparently for the past couple of weeks tried to prevent Cybereason’s Serper from publishing his research.

“Cybereason has received a few cease and desist letters from a firm claiming to be TargetingEdge’s legal counsel,” wrote Serper. “The letters demand that we stop referring to TargetingEdge’s software as malware and refrain from publishing this report.”

TargetingEdge for its part insists it develops and operates a ‘legitimate and legal installer product for MAC users,” and is not malware and doesn’t include any features of malware.

But Serper points out that Cybereason isn’t the only firm to identify OSX.Pirrit as a threat, and said that “twenty-eight other antivirus engines on Virus Total also classify it as such.”

He warned that OSX.Pirrit exploits AppleScript and injects JavaScript code directly into the browser.

Serper said that OSX.Pirrit “is a great example of how an adtech company is borrowing nefarious tactics found in malware to make it hard for antivirus software and other security products to detect them.”

“There is no difference between traditional malware that steals data from its victims and adware that spies on people’s Web browsing and target them with ads, especially when those ads are for either fake antivirus programs or Apple support scams.

“As for OSX.Pirrit malware, it runs under root privileges, creates autoruns and generates random names for itself on each install. Plus, there are no removal instructions and some of its components mask themselves to appear like they’re legitimate and from Apple.”

Apple Security

Apple’s security credentials have been taking a large hit as more and more malware and vulnerabilities are discovered.

In August for example Malwarebytes warned Apple Mac users that the days of their devices being relatively safe from malware were long over. It found that more Mac malware had been detected in Q2 2017 than in all of 2016.

Last month Apple itself patched a serious root bug that could have allowed anyone to access a Mac system, but it turns out the problem could return when the official Apple fix was applied.

And in October a flaw was discovered that could have allowed anyone to gain access to encrypted hard disk volumes. That issue meant that when a user requested a password hint for certain encrypted volumes the operating system instead displayed the entire password.

Silicon UK approached Apple for comment on the latest OSX.Pirrit malware, but received no reply.

Do you know all about security in 2017? Try our quiz!