fake_Safari_update

Fake Safari update installs MacKeeper, ZipCloud

Last week, we discovered a new version of the InstallCore installer that displays an unpleasant new trick: it pretends to be a Safari update!

This new installer was obtained while visiting one of the “First Row Sports” scam sports streaming sites.

When I attempted to view one of the supposed streams, it redirected me to a page that claimed that Safari was outdated. (I was using OS X 10.9.5, so this actually was true.)

fake_Safari_update

Clicking the Update Now button downloaded a disk image file named “Apple Safari Setup.dmg”.

The installer on that disk image did not look like an Apple installer at all, but nonetheless, I opened it anyway. I was greeted with the familiar InstallCore installer interface, except that the first page of the installer read “Welcome to Safari.”

fake_Safari_update2

Continuing with the installation resulted in being asked to accept the “Search-Assist” extension for Safari, with a big Yahoo! logo at the top of the window.

Next was acceptance of the installation of MacKeeper, though the text was relatively small and uniform, and the familiar MacKeeper logo was nowhere to be seen.

Finally, I had to accept the installation of ZipCloud.

I chose to accept all of these, of course.

As a result, both MacKeeper and ZipCloud were installed and opened automatically.

Interestingly, the typical InstallCore Safari extension was for some reason not installed. The usual Set Search Settings extension for Firefox, which I have observed multiple times with InstallCore, was also incorrectly installed, as always.

Although no browser extensions were successfully installed, both Chrome and Firefox had their preferences modified. Both browsers had their home pages and search engines set to a Yahoo “Search BOSS” page, which is how Yahoo is tricked into paying the scammers for promoting it.

Most interestingly, however was the fact that this app also installed a newer version of Safari and a number of Safari’s support files!

This, of course, had the effect of completely breaking Safari on my 10.9.5 system, as the newer version (8.0.6) cannot run on that version of OS X.

I was immediately suspicious that malicious changes might have been made to this copy of Safari, but I have not found any evidence of that. Nonetheless, even if I were able to run this copy of Safari, I would not choose to do so.

Victims of this malicious installer should immediately remove both MacKeeper and ZipCloud, of course, but should also reinstall OS X. This will overwrite Safari and its support files with fresh copies.

It should not be necessary to erase your hard drive, simply reinstall on top of your existing system. Although this should not affect your data, it would nonetheless be wise to back up your computer before starting this process, just in case something goes wrong.

ABOUT THE AUTHOR

Thomas Reed

Director of Mac & Mobile

Had a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.