Customize Your Input Devices

New “MacDefender” Malware Targets Mac Users

According to several discussion threads posted on Apple Support Communities, a new malware called is quickly spreading among Mac users using the Safari browser to visit certain websites, especially Google Images. The application, disguised as a virus scanning tool and completely unrelated with the official MacDefender software, gets installed automatically without a user’s consent upon opening a webpage, although it’s not clear what kind of websites allow this kind of installation, and whether MacDefender “phones home” once running on a Mac to download additional pieces of code (like most malwares on Windows do). Some users are reporting they found the app installed on their Macs after visiting webpages linked on Google Images, some say it’s only happening with the Safari desktop browser, others claim the app can’t be removed with a simple drag & drop to the system’s Trash as, once installed, the process will beging running automatically on OS X. Again, it’s not clear what kind of malware is and the proportion of this “spreading” across Mac OS X machines, but the number of threads on Apple Support Communities seems to suggest at least hundreds of people have experienced the issue in these past few days.

A few reports from ASC:

Mac Defender has appeared in my iMac (OS X 10.6.7). I tried to remove it by dragging the program to the trash from the applications folder, but I cant because the program is open. The program is pretending to be an antivirus program send $$, obviously a scam. I re-started but I cat stop it from loading.

There is very little info on this program out there ( Any ideas?

Same thing happened to my wife’s Macbook this morning. Definitely a scam; website to ‘register’ the software purports to be ‘secure’ but url is simple ip address without https. A scam to steal credit card info. Will follow directions to clean up as posted here.

Hi. I’m a brand new Mac user and got caught with this today when I tried to download a pdf file from google images. Since I’m so new to Mac I barely understand how to do anything. I’ve tried to follow all the treads but they are pretty complicated for a novice. I went into “Finder” and tried to trash the application, but can’t because it’s running.

Security company Intego reports the malware installation happens through SEO poisoning:

Intego has discovered a rogue anti-malware program called MACDefender, which attacks Macs via SEO poisoning attacks. When a user clicks on a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file. In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open “safe” files after downloading in Safari, for example), will open.

The Next Web offers some good tips to remove the fake MacDefender application from a Mac: fire up Activity Monitor and force quite the process, then delete the app from your /Applications folder. You’d also want to clean up your login items in the System Preferences > Account tab, and take a look inside /Library/StartupItems to remove related LaunchAgents and LaunchDaemons that might trigger MacDefender on login. Of course, applications like AppZapper and Hazel might be a good idea to find and delete all associated files when manually moving MacDefender to the trash. To prevent Safari from automatically opening “safe files” from the download queue in the future, make sure to uncheck the option in the browser’s settings.

Did you accidentally install on your system or found it already installed? Let us know in the comments, or drop a line in one of Apple Support Communities’ threads.

Unlock MacStories Extras

Club MacStories offers exclusive access to extra MacStories content, delivered every week; it’s also a way to support us directly.

Club MacStories will help you discover the best apps for your devices and get the most out of your iPhone, iPad, and Mac. It’ll also give you access to advanced iOS shortcuts, tips and tricks, and lots more.

Starting at $5/month, with an annual option available.

Join the Club.

A Club MacStories membership includes:

  • MacStories Weekly newsletter, delivered every week on Friday with app collections, tips, iOS workflows, and more;
  • MacStories Unplugged podcast, published monthly with discussions on what we’re working on and more;
  • Monthly Log newsletter, delivered once every month with behind-the-scenes stories, app notes, personal journals, and more;
  • Access to occasional giveaways, discounts, and free downloads.