Thomas Reed, of Malwarebytes Labs, has recently announced detection of new malware which runs on OS X, including El Capitan with Gatekeeper turned on. Although currently its behaviour doesn’t appear particularly malicious, at the very least it is unwanted software, and has the potential to do nastier things.
Mac File Opener, or OSX.FakeFileOpener as Reed has named it, behaves in an unusual way which could easily trap those who are normally cautious. It is normally downloaded as an Installer package (.pkg), and does not manifest itself as a regular app. Instead, it tucks itself away, but claims to OS X that it can open more than 200 different file types – a powerful document handler.
When you next double-click or otherwise try to open a file type for which you do not have a default app defined, it takes advantage of the standard mechanism in OS X to offer to search the web for a suitable app. That search is then hijacked to take you to a Mac File Opener page which offers a free download, or may even claim that your Mac is infected and offer download of ‘free scan’ apps, which turn out to be junkware such as Mac Adware Remover or Mac Space Reviver.
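The behaviour just described rests on an ordinary macOS mechanism: an app bundle declares the document types it can open in the `CFBundleDocumentTypes` array of its `Info.plist`, and Launch Services registers those claims when the bundle is installed. A bundle that claims hundreds of extensions therefore leaves a visible footprint. The following script is an added triage example, not code from the article, from Malwarebytes or from Objective-See; the threshold of 50 types, the bundle identifiers and the two sample plists are constructed for illustration.

```python
"""Triage helper: flag app bundles whose Info.plist claims to open an
unusually large number of document types. Added example; the threshold,
bundle ids and sample plists below are assumptions, not data from the article."""
import os
import plistlib
from typing import Any, Dict, Iterator, List

# Heuristic cut-off: an assumption for this example, not a figure from the article.
SUSPICIOUS_TYPE_COUNT = 50


def summarise_document_types(info_plist: bytes) -> Dict[str, Any]:
    """Parse Info.plist bytes and summarise the CFBundleDocumentTypes claims."""
    plist = plistlib.loads(info_plist)
    extensions, utis, roles = set(), set(), set()
    for doc_type in plist.get("CFBundleDocumentTypes", []):
        extensions.update(e.lower() for e in doc_type.get("CFBundleTypeExtensions", []))
        utis.update(doc_type.get("LSItemContentTypes", []))
        roles.add(doc_type.get("CFBundleTypeRole", "Unknown"))
    claimed = len(extensions | utis)
    # Two ways to grab everything: hundreds of explicit types, or the legacy
    # "*" wildcard extension, which claims every file at once.
    suspicious = claimed >= SUSPICIOUS_TYPE_COUNT or "*" in extensions
    return {
        "bundle_id": plist.get("CFBundleIdentifier", "<missing CFBundleIdentifier>"),
        "extensions": sorted(extensions),
        "utis": sorted(utis),
        "roles": sorted(roles),
        "claimed_types": claimed,
        "suspicious": suspicious,
    }


def scan_applications(root: str = "/Applications") -> Iterator[Dict[str, Any]]:
    """Yield a summary for every .app bundle directly under root (macOS only;
    yields nothing on systems where root does not exist)."""
    if not os.path.isdir(root):
        return
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name, "Contents", "Info.plist")
        if not (name.endswith(".app") and os.path.isfile(path)):
            continue
        with open(path, "rb") as fh:
            try:
                yield summarise_document_types(fh.read())
            except plistlib.InvalidFileException:
                continue  # unreadable plist: skip rather than abort the scan


# ---- constructed sample data (not taken from the real sample) ----
def _doc_type(name: str, exts: List[str], utis: List[str], role: str = "Viewer") -> Dict[str, Any]:
    return {"CFBundleTypeName": name, "CFBundleTypeRole": role,
            "CFBundleTypeExtensions": exts, "LSItemContentTypes": utis}


# An ordinary editor: a handful of types it genuinely handles.
BENIGN_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.notes",  # hypothetical bundle id
    "CFBundleDocumentTypes": [
        _doc_type("Plain text", ["txt", "text"], ["public.plain-text"], role="Editor"),
        _doc_type("Rich text", ["rtf"], ["public.rtf"], role="Editor"),
    ],
})

# A grabber-style bundle: one entry per extension, a couple of hundred of them.
GRABBER_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.fileopener",  # hypothetical bundle id
    "CFBundleDocumentTypes": [
        _doc_type(f"Type {i}", [f"ext{i:03d}"], []) for i in range(220)
    ],
})

if __name__ == "__main__":
    for sample in (BENIGN_INFO_PLIST, GRABBER_INFO_PLIST):
        s = summarise_document_types(sample)
        print(f"{s['bundle_id']}: {s['claimed_types']} types, suspicious={s['suspicious']}")
    for s in scan_applications():
        if s["suspicious"]:
            print(f"REVIEW {s['bundle_id']}: {s['claimed_types']} types, roles {s['roles']}")
```

Treat the output as a review list rather than a verdict: archivers, media players and previewers legitimately claim many types, so the bundle identifier, code signature and install path of anything flagged still need a human look. The script only reads bundles under `/Applications`; a bundle registered from elsewhere (a user's home folder, a hidden Library path) shows up in the output of `lsregister -dump` (the Launch Services support tool in `LaunchServices.framework`), which is the place to look when an app has, as the article puts it, tucked itself away.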
Further details are in Reed’s original article.
This malware has already been analysed by Patrick Wardle of Objective-See, who reports that – at least prior to the latest Gatekeeper data update of today – this malware is correctly signed and will not be flagged by his utilities WhatsYourSign or KnockKnock. His analysis is in this excellent article, which explains how FakeFileOpener gets under several different types of protection.
For the moment, a high index of suspicion would be wise, whilst protection against this is improved. In the meantime, the latest version of Malwarebytes Anti-Malware for Mac should detect this malware.