This week Mac owners got a taste of what it is like to own a Windows notebook thanks to the drive-by attack of a fake MacDefender app, a Mac OS X antivirus tool that attempts to automatically install itself when users visit an infected webpage. The fake antivirus program appears to be after your money, not your data, but it still represents a security risk that hasn’t been too prevalent on MacBooks and other Mac computers.
Keep in mind that there is a legit application called MacDefender, but it won’t try to install itself on your computer in this manner.
What is MacDefender?
The MacDefender app attempts to install when a user visits a compromised webpage through a search result. The installation is aided by a Safari setting which can automatically open trusted software. The malware meets this criterion by arriving in a .zip file.
Users will still be prompted for their Mac OS X password before installing MacDefender, but just as many Windows users will click OK to proceed after an elevated UAC popup, Mac users can be tricked into entering their password.
MacDefender is one of the first pieces of malware seen by Mac A/V firm Intego that specifically targets Mac users. This is a common practice employed by Windows malware creators, and once it is installed, the experience is almost the same.
If the application is installed, MacDefender will launch at startup and continue to pester users and inform them that their Mac has a virus. As Intego notes, the MacDefender application looks “very well designed, and looks professional,” as you can see in the screenshot below.
MacDefender will continue to tell users that their Mac is infected until the user gives in and purchases protection in the form of a $60, $70 or $80 subscription to the fake antivirus. After paying, the alerts will stop, but the problem remains that a payment has been made to an unknown malicious party over an unsecured webpage.
How to Prevent MacDefender from Infecting your Mac
The best protection is to turn off the Safari option to automatically open safe files (Safari -> Preferences).
Next is to never install an application when you aren’t expecting to install one. This is the same trick played on Windows users time and time again. MacDefender is also preying on the idea that Macs are safe from viruses and malware. If I have learned one thing from fixing computers over the years, it’s that users can be tricked into clicking yes or providing their password pretty easily.
How to Remove MacDefender from Your Mac
The Next Web has detailed how to remove the fake MacDefender app, which appears to be much easier than removing the Windows variants, which can typically have five steps just in the “how to get ready to fix your computer” instructions.
- To ensure you do not automatically download the app, uncheck the following: Safari > Preferences > General > uncheck “Open ‘safe’ files after downloading.”
- Searching for the application and deleting it directly may fail, saying the app is in use. To stop it running, check Activity Monitor (in Applications > Utilities) and disable anything that relates to MacDefender.
- Look in /Library/StartupItems and, in the same place, LaunchAgents and LaunchDaemons for references to the malware app.
- Once quit, head to the Applications folder and drag the MacDefender app to the trash, then delete trash.
- To ensure all references to the app are cleared, run a search using Spotlight and delete all MacDefender references you find.
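The checks in the steps above can be run as a read-only sweep from Terminal. This is an added example, not code from The Next Web or Intego; the function name `scan_refs` and its optional root argument (used to point the scan at a test tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only sweep of the locations named in the removal steps.
# It reports matches and deletes nothing.
#
# scan_refs NAME [ROOT]
#   NAME  text to look for, e.g. MacDefender (case-insensitive)
#   ROOT  optional prefix for the scanned paths (hypothetical parameter,
#         useful for scanning a mounted backup or a test tree)
# Prints one matching path per line. Returns 0 if anything was found,
# 1 if the scanned locations are clean.
scan_refs() {
    name=$1
    root=${2:-}
    out=$(
        {
            # The app bundle itself, by name, in the Applications folder.
            find "$root/Applications" -maxdepth 1 -iname "*$name*" 2>/dev/null
            for sub in StartupItems LaunchAgents LaunchDaemons; do
                dir="$root/Library/$sub"
                [ -d "$dir" ] || continue
                # Startup entries named after the app.
                find "$dir" -iname "*$name*" 2>/dev/null
                # Startup entries with an unrelated file name whose contents
                # still point at the app. -a makes grep read binary plists
                # as text, -l prints only the file name.
                grep -rail -- "$name" "$dir" 2>/dev/null
            done
        } | sort -u
    )
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Typical use on the machine being cleaned:
#   scan_refs MacDefender && echo "references remain"
```

Anything it lists is a candidate for the manual removal steps; an empty result with exit status 1 means those four locations hold no reference to the name.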