This Week's Sponsor:

Incogni

Put an End to Spam, Scams, and Robocalls on Your iPhone

New “MacDefender” Malware Targets Mac Users

According to several discussion threads posted on Apple Support Communities, a new malware called MacDefender.app is quickly spreading among Mac users using the Safari browser to visit certain websites, especially Google Images. The application, disguised as a virus scanning tool and completely unrelated with the official MacDefender software, gets installed automatically without a user’s consent upon opening a webpage, although it’s not clear what kind of websites allow this kind of installation, and whether MacDefender “phones home” once running on a Mac to download additional pieces of code (like most malwares on Windows do). Some users are reporting they found the app installed on their Macs after visiting webpages linked on Google Images, some say it’s only happening with the Safari desktop browser, others claim the app can’t be removed with a simple drag & drop to the system’s Trash as, once installed, the process will beging running automatically on OS X. Again, it’s not clear what kind of malware MacDefender.app is and the proportion of this “spreading” across Mac OS X machines, but the number of threads on Apple Support Communities seems to suggest at least hundreds of people have experienced the issue in these past few days.

A few reports from ASC:

Mac Defender has appeared in my iMac (OS X 10.6.7). I tried to remove it by dragging the program to the trash from the applications folder, but I cant because the program is open. The program is pretending to be an antivirus program send $$, obviously a scam. I re-started but I cat stop it from loading.

There is very little info on this program out there (MacDefender.app). Any ideas?

Same thing happened to my wife’s Macbook this morning. Definitely a scam; website to ‘register’ the software purports to be ‘secure’ but url is simple ip address without https. A scam to steal credit card info. Will follow directions to clean up as posted here.

Hi. I’m a brand new Mac user and got caught with this today when I tried to download a pdf file from google images. Since I’m so new to Mac I barely understand how to do anything. I’ve tried to follow all the treads but they are pretty complicated for a novice. I went into “Finder” and tried to trash the application, but can’t because it’s running.

Security company Intego reports the malware installation happens through SEO poisoning:

Intego has discovered a rogue anti-malware program called MACDefender, which attacks Macs via SEO poisoning attacks. When a user clicks on a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file. In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open “safe” files after downloading in Safari, for example), will open.

The Next Web offers some good tips to remove the fake MacDefender application from a Mac: fire up Activity Monitor and force quite the process, then delete the app from your /Applications folder. You’d also want to clean up your login items in the System Preferences > Account tab, and take a look inside /Library/StartupItems to remove related LaunchAgents and LaunchDaemons that might trigger MacDefender on login. Of course, applications like AppZapper and Hazel might be a good idea to find and delete all associated files when manually moving MacDefender to the trash. To prevent Safari from automatically opening “safe files” from the download queue in the future, make sure to uncheck the option in the browser’s settings.

Did you accidentally install MacDefender.app on your system or found it already installed? Let us know in the comments, or drop a line in one of Apple Support Communities’ threads.

Join

Access Extra Content and Perks

Founded in 2015, Club MacStories has delivered exclusive content every week for nearly a decade.

What started with weekly and monthly email newsletters has blossomed into a family of memberships designed every MacStories fan.

Learn more here and from our Club FAQs.

Club MacStories: Weekly and monthly newsletters via email and the web that are brimming with apps, tips, automation workflows, longform writing, early access to the MacStories Unwind podcast, periodic giveaways, and more;

Club MacStories+: Everything that Club MacStories offers, plus an active Discord community, advanced search and custom RSS features for exploring the Club’s entire back catalog, bonus columns, and dozens of app discounts;

Club Premier: All of the above and AppStories+, an extended version of our flagship podcast that’s delivered early, ad-free, and in high-bitrate audio.

Federico is the founder and Editor-in-Chief of MacStories, where he writes about Apple with a focus on apps, developers, iPad, and iOS productivity. He founded MacStories in April 2009 and has been writing about Apple since. Federico is also the co-host of AppStories, a weekly podcast exploring the world of apps, Unwind, a fun exploration of media and more, and NPC: Next Portable Console, a show about portable gaming and the handheld revolution.

@viticci
@viticci
@[email protected]
@viticci.macstories.net
[email protected]