Sophos Labs has discovered a new software installer for macOS that installs multiple unwanted applications or “bundleware” on users’ systems under the guide of installing one legitimate application.
The installer, which is primarily targeting macOS Catalina users, includes a total of seven “potentially unwanted applications” (PUAs) including three that target Apple’s Safari web browser to inject ads, hijack download links and redirect search queries with the aim of stealing users’ clicks to generate income. In at least one case, the injected content was used for malvertising by showing a malicious ad that prompted users to download a fake Adobe Flash update.
Sophos has identified the installer as belonging to the Bundlore family. Bundlore is a common macOS bundleware installer family that accounts for nearly seven percent of all attacks detected by the security company targeting Apple’s operating system.
Bundlore is also used to target Windows users through extensions for Google Chrome and some of the code used to target Chrome is shared with the versions of the adware that target macOS.
The recent macOS samples discovered by Sophos stand out from previous versions of Bundlore due to the fact that they have been updated to keep up with recent changes in macOS and Safari, particularly Apple’s changes to the format for Safari browser extensions.
The Bundlore sample analyzed contained multiple Safari extension payloads including two in the new App Extension format. However, these extensions were adware that contained code which injected new advertisements and download links and even redirected search queries from certain search engines. Based on code taken from a remote server that supports two extensions, Sophos discovered dozens of search affiliate names related to the ad injector and search modification payload as well as affiliate codes used to profit from visits to other sites.
PUAs are among the most common security threats to macOS because they can steal personal data and act as a pathway for both malvertising and other malware. Thankfully though, endpoint protection software is able to block PUAs and Apple’s XProtect feature in macOS can block known Bundlore payloads.
Sophos’ Sean Gallagher and Xinran Wu provided further insight on the security company’s findings in a blog post, saying:
“Based on these and other samples we’ve observed, it’s clear that adware developers are clearly embracing the transition to Safari App Extension format and are updating their payload scripts. Browser extensions are increasingly popular as applications move to the cloud, and web browsers become the most heavily-used component of operating systems. So they will correspondingly continue to be a target for scams such as adware.”