A little over two weeks have passed since the appearance of MAC Defender, the fake AV solution targeting Mac users. And seeing that the approach had considerable success, it can hardly come as a surprise that attackers chose to replicate it.
This time, the name of the rogue AV is Mac Protector, and according to McAfee, the downloaded Trojan contains two additional packages:
- macprotector.pkg (the application),
- macProtectorInstallerProgramPostflight.pkg (bash script that launches Mac Protector once it’s installed).
As with MAC Defender, the application requires root privileges to get installed, so the user is asked to enter the password.
“Mac Protector is very sophisticated and uses a lot of resources to appear as a real anti-virus app to the user. There are a lot of images and sounds in the package that simulate system scanning, show the alerts, etc,” says McAfee. “Mac Protector will perform a fake scan on the system, and will show rootkits and spyware detections for real and current processes.”
Copying MAC Defender again, Mac Protector tries to convince the user that their computer is infected by opening browser windows to sites with adult content. Once the fake scan is finished, the rogue AV says the user must register the app in order for it to be able to clean the system. To do that, the user is asked to fork over their credit card data.
Fortunately for those who fell for the trick, the removal of the offending app is quite simple: delete MacProtector.App from the Applications folder. If the app doesn’t allow you to do that, use the Activity Monitor to kill the MacProtector process and then try to delete it again.