Adware has long been a serious annoyance for computer users who frequently surf the internet. The chances of coming across some form of adware or advertisement pop-ups when surfing the internet are high enough that it is nearly inevitable; it is going to happen whether you like it or not. In the latest development in the evolution of adware, cybercrooks are distributing Trojans through adware threats on Mac computers.
A relatively new malware threat called Adware.Mac.WeDownload.1 was first noticed on the WeDownload.com site, packed with a modified version of Adobe Flash Player. The software in the adware package was signed with "Developer ID Application: Simon Max (GW6F4C87KX)" and was actively distributed as part of a shady affiliate program that rewards developers based on their download numbers.
Once distributed and launched, the adware has been known to ask for administrator privileges on the infected system. With this permission, the adware attempts to load a Flash Player package; a bogus Flash Player install or update is a commonly used method for unscrupulously installing malware onto a computer.
Once access is granted through the adware's prompt to install Flash Player, communication with a command and control server is initiated, and the user may later be prompted to install all sorts of other applications. The majority of the apps have been found to be some type of Trojan mimicking the name of well-known Mac security products, such as MacKeeper, Genieo, Crossrider, and OpinionSpy. Some of the other apps may be harmless, but their intention is questionable at best, as some will ask to be paid for before they complete a certain function on the infected computer.
The prompt to install many of the previously mentioned Trojans is a clever trick that may fool computer users into thinking that they are permitting a well-known security program, such as MacKeeper, to install. In many instances where the adware authorizes installation of its associated Trojan horse threats, it loads a pop-up window with the bogus claim of installing a trusted application, as demonstrated in Figure 1 below, which supposedly installs the MacKeeper program.
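The signing identity quoted above can be used as a triage check on installed applications. The following is an added example, not code from the original article or from Dr. Web: it parses the text that `codesign -dvv` prints and flags bundles signed under that Team ID. The sample output, the bundle path and the bundle identifier are constructed for illustration, and the function names are hypothetical.

```python
import re
import subprocess

# Team ID taken from the signing identity quoted in the article.
BLOCKED_TEAM_IDS = {"GW6F4C87KX"}
AUTHORITY_RE = re.compile(r"^Authority=(?P<name>.+?)(?: \((?P<team>[A-Z0-9]{10})\))?$")

# Constructed sample of `codesign -dvv` output (path and identifier are made up).
SAMPLE = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.installer
Authority=Developer ID Application: Simon Max (GW6F4C87KX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GW6F4C87KX
"""

def parse_codesign(text):
    """Extract the authority chain and team IDs from `codesign -dvv` output."""
    info = {"signed": True, "authorities": [], "team_ids": set()}
    for line in text.splitlines():
        line = line.strip()
        if "code object is not signed at all" in line:
            info["signed"] = False
        elif line.startswith("TeamIdentifier="):
            value = line.split("=", 1)[1]
            if value != "not set":  # ad-hoc signatures carry no team ID
                info["team_ids"].add(value)
        else:
            m = AUTHORITY_RE.match(line)
            if m:
                info["authorities"].append(m.group("name"))
                if m.group("team"):
                    info["team_ids"].add(m.group("team"))
    return info

def verdict(text):
    """Return 'unsigned', 'blocked' (listed team ID) or 'ok'."""
    info = parse_codesign(text)
    if not info["signed"]:
        return "unsigned"
    return "blocked" if info["team_ids"] & BLOCKED_TEAM_IDS else "ok"

def check_app(path):
    """Run codesign on a bundle (macOS only); it writes details to stderr."""
    proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return verdict(proc.stderr + proc.stdout)

if __name__ == "__main__":
    print(verdict(SAMPLE))
```

A signing identity is only one indicator: a distributor can re-sign under a different Developer ID, so an "ok" result does not clear a bundle.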
Figure 1. Example of Mac Adware threat 'Adware.Mac.WeDownload.1' displaying deceptive MacKeeper install pop-up message. - Image source: Dr. Web
Diving deeper into the ploy of Mac adware installing Trojan threats, it was revealed that instances of the threat are customized according to the location of the infected computer. This peculiar strategy paves the way for the Trojan horse threats to eventually carry out malicious actions. Some of those actions include allowing remote attackers to gain access to the infected Mac computer, or downloading instructions from the C&C server to conduct illegal activities on the internet without giving any indication to the computer user.
Macs running OS X have a history of being more secure against malware infections than systems running Windows. However, in the grand scheme of new, aggressive malware threats, there are many instances where Mac users will need to protect their systems in some fashion. Case in point: this latest Adware.Mac.WeDownload.1 adware threat is causing a serious ruckus on Mac computers around the world.