Mac fake anti-virus attack adopts new disguise

Filed Under: Apple, Malware

New versions of the latest malware to hit Mac OS X users have come to light, following the discovery earlier this week of fake anti-virus attacks being spread by SEO poisoning.

Fake anti-virus (also known as scareware or rogueware) is commonly seen on Windows computers, of course, but until now has been rarely encountered on the Apple Mac platform.

The new variants, seen by SophosLabs, are calling themselves "Mac Security" rather than their previous disguise of pretending to be "MacDefender" (which, incidentally, is the name of a genuine security product for the Mac - adding to the confusion).

Mac Security fake anti-virus

When I ran the fake anti-virus on a test machine, it claimed that a number of innocent files, including Mozilla Firefox, were infected by viruses and told me I would have to register the program in order to clean up the "infections".

The fake anti-virus tells you that you need to pay money to get a version which cleans up malware.

It's precisely these kinds of scare tactics which are regularly used by Windows-based fake anti-virus attacks to hoodwink innocent users into handing over their credit card details. Clearly whoever is responsible for this latest spate of attacks believes that there are rich pickings to be made from Mac users too.

Sophos detects the latest variants as OSX/FakeAV-DOE, and as we continue to encounter more waves of this attack we will enhance our detection to protect Mac users.

If you're not a Sophos customer, but have a Mac at home, you can protect your Mac right now if you download our free anti-virus. It's automatically updated to protect against the latest threats.

Download Sophos Anti-Virus for Mac Home Edition

Oh, and did I mention that our free Mac anti-virus product recently won a rather prestigious award? ;-)

11 Responses to Mac fake anti-virus attack adopts new disguise

  1. I have Kaspersky AV running on my Mac. I think the myth is that because we're Mac users we don't take internet "security seriously". My guess is a pop up like the one described would most likely be ignored by most Mac users simply because of their knowledge of the unlikely chance their computer would actually be infected.

  2. I still think it's a bit wrong not to be offering a similar anti-virus package for Linux and Windows. For home users only of course, especially as Sophos' main market appears to be corporate usage anyway. It seems very one-sided to be willing to help protect one type of user and not another.
    Sophos should at least be charging Apple for having such an anti-virus freely available to their customers.

    I know a lot of the response is going to be that there are fewer vulnerabilities on Mac and fewer infections, but that is also true of Linux. Although Windows is more prone to viruses, surely the world will never be safe unless everyone is protected.

    With Apple's growing popularity it's only a matter of time before someone finds a way to cause some real damage or a major vulnerability.

    One thing I do think is probably a potential concern for the future is that most Windows users have an AV, and a lot of Linux users have one just to be extra safe. Then you seem to have the Apple fanbois who seem to think they are above it all and don't install anything. So the question is, when someone finally finds a way to quietly infect Macs with a zombie, trojan or some other non-intrusive package, will anyone notice? It could spread through the Mac community undetected; there could one day be tons of infected Macs with the users unaware. This also then begs the question of how accurate virus reporting data is: if most Macs don't have AV then you don't know the extent of an infection. Protected machines are easy to report on, unprotected ones are able to hide.

    I predict something like Conficker for Mac.

    It's not mentioned in the article how this infection is contracted. Does it prompt for installation or is it capable of drive-by infection?

    • See as linked at the top of the article.

      The "infection" method is almost laughable -- it would cause a guffaw from most long-time Mac users.

      What happens is you click on an SEO poisoned link in Google, and it pops up an extra window that looks like a Windows AV scan window, which proceeds to "detect" a bunch of exes on your c:\ drive. Then it tells you your computer is infected and you should download their scanner and install it to repair the problems.

      I'm sure it's only a matter of time though before they update their landing page with Mac-oriented JavaScript for MacOS web browsers.

      • This is only just the start.
        Post-XP SP2 Windows security is pretty much on par with Apple; the difference is that malware and scareware are financially driven and Microsoft (until recently) has had a significant lead. As more and more people adopt Linux and Apple, the more attacks we will start to see in the wild. These people have invested time, money and training in the tools and vulnerabilities for Windows.

        I have had several calls over the last few weeks with both infected Windows and Apple computers (this actually includes an iPad as well) and the users are always falling for the social engineering, or furthermore, don't even read the "Do you want to install?" and just click OK until it goes away. You cannot claim an OS is safe based on advanced users not getting infected. Personally I can't remember the last time I got an infection (by accident anyway).

        The same problems apply across the entire web: most users will click infected social network links because they were sent from a friend's account and then will just automatically accept any popups or messages.

  3. John B. · 1578 days ago

    This type of post is also a route to the spread of these threats. Everyone should have virus protection, and downloading something from the internet because it claims to be protection is not wise in any case.

  4. Joe · 1578 days ago

    Looks like it prompts for installation, seeing as how he had to execute the program manually to get it on the screen.

    - "When I ran the fake anti-virus on a test machine"

  5. PC users are susceptible to the same manual install interaction that Mac users face; at least if they are running Windows Vista or 7, you still need to give it elevated permissions to install a virus. But just like UAC for Windows, the Mac install feature is not 100% foolproof, and with most Mac users oblivious to threats, they may not think twice about letting this "fake AV" install.

  6. Ryan · 1577 days ago

    I just had this happen; "Mac protection" claimed that it detected viruses, so I got worried and checked it out. It kept scanning and claiming more and more viruses, and when looking at the actual program it seemed legit. I became suspicious because every minute or so it told me I needed to pay them to register. I got curious, looked it up, and stumbled upon this site. Other security blogs/sites are correct in saying that the program will spontaneously redirect to pornography sites to make it seem like a virus is present. The program looks exactly the same as Mr. Cluley's screenshots, just a different name.

  7. Cam · 1574 days ago

    I had this happen on my wife's computer. I backed everything up via Time Machine. Now, how do I get this thing off my computer?

  8. ashton · 1571 days ago

    what do I do if this has happened to my Macbook?

  9. JimmyO · 1566 days ago

    I may have been fooled, but it sure felt like an attack today. It kept wanting to open, which would I guess phish for my credit card. Virus Barrier wouldn't let me open it. Thanks, Virus Barrier! Virus Barrier did object to several trojans that hit all at once, but it seems to have cleaned them up. When I came to my senses I turned Airport off and am now running a scan.

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley