THIS WEEK'S SPONSOR:

Kolide

The fleet visibility solution for Mac, Windows, and Linux that can help you securely scale your business


New “MacDefender” Malware Targets Mac Users

According to several discussion threads posted on Apple Support Communities, a new malware called MacDefender.app is quickly spreading among Mac users using the Safari browser to visit certain websites, especially Google Images. The application, disguised as a virus scanning tool and completely unrelated with the official MacDefender software, gets installed automatically without a user’s consent upon opening a webpage, although it’s not clear what kind of websites allow this kind of installation, and whether MacDefender “phones home” once running on a Mac to download additional pieces of code (like most malwares on Windows do). Some users are reporting they found the app installed on their Macs after visiting webpages linked on Google Images, some say it’s only happening with the Safari desktop browser, others claim the app can’t be removed with a simple drag & drop to the system’s Trash as, once installed, the process will beging running automatically on OS X. Again, it’s not clear what kind of malware MacDefender.app is and the proportion of this “spreading” across Mac OS X machines, but the number of threads on Apple Support Communities seems to suggest at least hundreds of people have experienced the issue in these past few days.

A few reports from ASC:

Mac Defender has appeared in my iMac (OS X 10.6.7). I tried to remove it by dragging the program to the trash from the applications folder, but I cant because the program is open. The program is pretending to be an antivirus program send $$, obviously a scam. I re-started but I cat stop it from loading.

There is very little info on this program out there (MacDefender.app). Any ideas?

Same thing happened to my wife’s Macbook this morning. Definitely a scam; website to ‘register’ the software purports to be ‘secure’ but url is simple ip address without https. A scam to steal credit card info. Will follow directions to clean up as posted here.

Hi. I’m a brand new Mac user and got caught with this today when I tried to download a pdf file from google images. Since I’m so new to Mac I barely understand how to do anything. I’ve tried to follow all the treads but they are pretty complicated for a novice. I went into “Finder” and tried to trash the application, but can’t because it’s running.

Security company Intego reports the malware installation happens through SEO poisoning:

Intego has discovered a rogue anti-malware program called MACDefender, which attacks Macs via SEO poisoning attacks. When a user clicks on a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file. In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open “safe” files after downloading in Safari, for example), will open.

The Next Web offers some good tips to remove the fake MacDefender application from a Mac: fire up Activity Monitor and force quite the process, then delete the app from your /Applications folder. You’d also want to clean up your login items in the System Preferences > Account tab, and take a look inside /Library/StartupItems to remove related LaunchAgents and LaunchDaemons that might trigger MacDefender on login. Of course, applications like AppZapper and Hazel might be a good idea to find and delete all associated files when manually moving MacDefender to the trash. To prevent Safari from automatically opening “safe files” from the download queue in the future, make sure to uncheck the option in the browser’s settings.

Did you accidentally install MacDefender.app on your system or found it already installed? Let us know in the comments, or drop a line in one of Apple Support Communities’ threads.

Unlock More with Club MacStories

Founded in 2015, Club MacStories has delivered exclusive content every week for over six years.

In that time, members have enjoyed nearly 400 weekly and monthly newsletters packed with more of your favorite MacStories writing as well as Club-only podcasts, eBooks, discounts on apps, icons, and services. Join today, and you’ll get everything new that we publish every week, plus access to our entire archive of back issues and downloadable perks.

The Club expanded in 2021 with Club MacStories+ and Club Premier. Club MacStories+ members enjoy even more exclusive stories, a vibrant Discord community, a rotating roster of app discounts, and more. And, with Club Premier, you get everything we offer at every Club level plus an extended, ad-free version of our podcast AppStories that is delivered early each week in high-bitrate audio.

Choose the Club plan that’s right for you:

  • Club MacStories: Weekly and monthly newsletters via email and the web that are brimming with app collections, tips, automation workflows, longform writing, a Club-only podcast, periodic giveaways, and more;
  • Club MacStories+: Everything that Club MacStories offers, plus exclusive content like Federico’s Automation Academy and John’s Macintosh Desktop Experience, a powerful web app for searching and exploring over 6 years of content and creating custom RSS feeds of Club content, an active Discord community, and a rotating collection of discounts, and more;
  • Club Premier: Everything in from our other plans and AppStories+, an extended version of our flagship podcast that’s delivered early, ad-free, and in high-bitrate audio.