OSX.SearchAwesome


Short bio

OSX.SearchAwesome is Malwarebytes’ detection name for adware that targets macOS systems.

Symptoms

Users of affected systems may see these warnings during install:

[Images: osx.searchawesome install]

Type and source of infection

OSX.SearchAwesome is installed as a second-stage infection, downloaded by another malicious installer, typically a supposed cracked app from a torrent. OSX.SearchAwesome installs a certificate to be used for a man-in-the-middle (MitM) attack, in which malware inserts itself somewhere into a chain of custody, typically that of network packets. In this case, the malware uses the certificate as the first step in gaining access to HTTPS traffic, which is normally encrypted between the browser and the website and can’t be viewed by other software. To establish this, it uses mitmproxy, a legitimate open-source tool.

Aftermath

After removal, mitmproxy will be left behind because it is a legitimate tool. However, the presence of the tool and its certificate opens the affected system up to future infections, as the user may be unaware of its presence.

Remediation

Malwarebytes for Mac will detect and remove the components of this malware, which is detected as OSX.SearchAwesome. However, it will not remove the components of mitmproxy, since that is a legitimate open-source tool. If you are infected, you should remove the mitmproxy certificate from the keychain (using Keychain Utility).
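
To locate the leftover certificate before removing it, the following added example (not part of the original page or of Malwarebytes' tooling) parses the output of the macOS `security find-certificate -a -Z` command and lists certificates whose label contains "mitmproxy". It assumes the certificate keeps mitmproxy's default name; the function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: find certificates labelled "mitmproxy" in macOS keychains.

# Prints "SHA-1<TAB>keychain<TAB>label" for each certificate in
# `security find-certificate -a -Z` output (stdin) whose label mentions
# mitmproxy. Assumption: the certificate keeps mitmproxy's default name.
parse_mitm_certs() {
    awk '
        /^SHA-1 hash:/ { sha = $3; kc = ""; next }        # new record
        /^keychain:/   { kc = $0; sub(/^keychain: "/, "", kc); sub(/"[ \t]*$/, "", kc); next }
        /"labl"<blob>=/ {
            label = $0
            sub(/^.*"labl"<blob>="/, "", label); sub(/"[ \t]*$/, "", label)
            if (tolower(label) ~ /mitmproxy/) printf "%s\t%s\t%s\n", sha, kc, label
        }'
}

# Runs the parser over the login and System keychains (macOS only).
scan_keychains() {
    command -v security >/dev/null 2>&1 || { echo "security not found (macOS only)" >&2; return 2; }
    for kc in "$HOME/Library/Keychains/login.keychain-db" /Library/Keychains/System.keychain; do
        if [ -e "$kc" ]; then security find-certificate -a -Z "$kc" 2>/dev/null; fi
    done | parse_mitm_certs
}

# Constructed sample of the tool's output (trimmed), for offline testing.
sample_dump() {
    cat <<'EOF'
SHA-1 hash: 0000000000000000000000000000000000000001
keychain: "/Library/Keychains/System.keychain"
attributes:
    "alis"<blob>="Example Root CA"
    "labl"<blob>="Example Root CA"
SHA-1 hash: 0000000000000000000000000000000000000002
keychain: "/Users/test/Library/Keychains/login.keychain-db"
attributes:
    "alis"<blob>="mitmproxy"
    "labl"<blob>="mitmproxy"
EOF
}

# Usage: sh find_mitm_cert.sh --scan   (or --sample to run on the sample)
case "${1:-}" in
    --scan)   scan_keychains ;;
    --sample) sample_dump | parse_mitm_certs ;;
esac
```

Each reported line gives the SHA-1 hash, keychain path and label, which together identify the entry to remove from the keychain.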