New security threats: MacKeeper exploit and more to come?

There are two fresh reports of OS X malware which you should be aware of.


The immediate concern is that there is a report of a phishing attack launched against MacKeeper, here.

If you have MacKeeper installed (which I would advise you not to, in any case), then it is vulnerable to being hijacked. The code which it uses to handle URLs has a known vulnerability, and this exploits that. What happens is that the user receives a phishing email containing a link. If you click on that link, and MacKeeper is running, then you will see an alert offering to remove alleged malware. If you agree to this, then you will be prompted to enter your password into a standard authentication dialog. It will then download the Trojan, which downloads additional software to turn your Mac into a ‘bot’ within its botnet – your Mac is then ‘owned’.

The simple prevention message is:

  • Don’t use MacKeeper; if you have installed it, remove it completely and as quickly as possible.
  • Don’t open such suspicious messages.
  • Don’t click on such suspicious links in such messages.
  • Don’t agree to such invitations to remove malware.
  • Never enter your password unless you are absolutely certain that this is correct, safe, and secure.

Patrick Wardle of Objective-See points out that BlockBlock does stop this attack; however there is no need for anyone to come remotely close to being at risk from it.

Unauthorised Cross-App Resource Access (XARA)

A few sites have been carrying a recent story of a vulnerability in the sandboxing of apps in OS X, which claims that it is possible for one app to access information such as keychain passwords of another. This is summarised here.

At present, this is a vulnerability, and it is not being exploited. Exploitation would require the malware app to be accepted for distribution by the App Store, for you to install that app, and a fairly specific sequence of events to happen from there.

Whilst it is always possible for a malicious app to sneak its way through the App Store approval process, Apple is taking very great care to prevent that from happening. If it were to happen, then Apple and a huge number of users would have a very big problem.

So for the moment this appears to be a vulnerability which Apple needs to address – and may well do so in OS X 10.11 El Capitan if not before – but there is nothing that you can do to protect yourself, nor could you do so unless you were to stop installing all updates or new apps.

I hope that puts your mind at rest.