Earlier this month, an adware installer was found to be taking advantage of the DYLD_PRINT_TO_FILE vulnerability in OS X.
Now Malwarebytes researcher Adam Thomas, who discovered that issue, has found a newer variant of this installer that's pulling some new tricks.
The latest installer is essentially the same as the last one, updated so that it will no longer be blocked by the OS X anti-malware protections. It has the same icon, installs the same things (Genieo, VSearch, MacKeeper), and directs the user to the App Store version of Download Shuttle.
When running the installer, it will ask for an admin password, then proceed to show license agreements for DealTop, OptimumSearch and MacKeeper. If the user agrees to all, the installer will seem to end at a prompt to open the App Store to download the Download Shuttle app.
However, in the background, an observant user will notice a new disk image, called "Installer," being mounted. Shortly after, something unusual happens, as seen in this brief video:
Did you blink? If so, you may have missed seeing OS X ask if it's okay to allow something called Installer to access the keychain:
Displayed by a fake Download Shuttle installer
What's so interesting about this, you may ask? Quite simply, the fact that the Allow button in the alert is automatically clicked as soon as it appears!
It turns out that the fake Download Shuttle installer downloads another disk image file (named gn.dmg) in the background, opens it and runs an app named Installer that is in the disk image. When that Installer app finishes its tasks, the disk image is unmounted (eg, "ejected") and the gn.dmg file is deleted.
This Installer app contains the code that Adam identified, to locate the Allow button from this keychain alert on the screen, and to simulate a click on that button.
It looks like this Installer app is using this hack to gain access to the Safari Extensions List in the keychain, for the purpose of installing a Genieo Safari extension (named Leperdvil, in this case).
This seems like an unnecessary hack, considering that Genieo installers have been installing Safari extensions for years. Perhaps it's an attempt to get around changes to handling of Safari extensions in the upcoming El Capitan (OS X 10.11).
More concerning, though, is the question of what's to stop this adware from accessing other confidential keychain information... like, say, passwords?
With a few minor changes, the adware could get access to other things from the keychain, like the user's iCloud password. The user may be made suspicious by the window flashing up then disappearing, but may not know what the full implications of that are or what to do about it.
When considering the potential nefarious uses for this code, it's worth noting that the Leperdvil app that gets installed in the Applications folder also contains this same code, as does the Uninstall Leperdvil app installed elsewhere in the user's home folder. What those apps do with that code is unclear.
Worse, it turns out this code can be found in the apps installed as part of nearly every variant of Genieo going back to at least early June, if not longer.
Also interesting is the fact that Webroot researchers have discovered a similar installer that exhibited different behavior: modifying the exclusions list in AdBlock Plus to ensure that ads being pushed by the adware are not blocked. The samples found by Adam Thomas, however, do not appear to include this behavior.
As adware for the Mac becomes increasingly prevalent and sneaky, it's important for users to understand how to protect themselves. Because the one thing all the recent adware installers have in common: they rely on being able to trick the user into running the installer.