Apple’s macOS generally has a strong defence against malware, even if it is not totally invincible. The operating system doesn’t allow unrecognized apps to be installed unless the user permits it. Even after installation, each app runs in its own sandbox, which limits its access to other parts of the drive. These limitations have meant that most macOS malware is adware, which doesn’t damage the system but annoys the hell out of the user.
But now there is a new piece of malware posing as a Flash Player installer, found by Malwarebytes, which tricks an unsuspecting user into installing it. This new variant can also protect itself from software that removes malware automatically, such as Malwarebytes. The most annoying part of being affected by this Crossrider adware is that it changes the homepage in both Safari and Chrome to a Crossrider-related domain, and the setting cannot be changed back.
Here’s what Malwarebytes has to say about the malware in its blog:
After removing Advanced Mac Cleaner, and removing all the various components of Crossrider that have been littered around the system, there’s still a problem. Safari’s homepage setting is still locked to a Crossrider-related domain, and cannot be changed.
It turns out that this is caused by a configuration profile installed on the system by the adware. Configuration profiles provide a means for IT admins in businesses to control the behavior of their Macs. These profiles can configure a Mac to do many different things, some of which are not otherwise possible.
In the case of this Crossrider variant, the configuration profile that is installed forces both Safari and Chrome to always open to a page on chumsearch[dot]com. This also prevents the user from changing that behavior in the browser’s settings.
Once affected, a user who wants to remove it may find it tricky to locate in Profiles.
This profile installs with an identifier of com.myshopcoupon.www, which is not visible in System Preferences. However, the profile can definitely be identified by scrolling through the details and looking for references to chumsearch[dot]com.
Once the user has located the profile in Profiles, they can remove it by selecting it and clicking the ‘-’ button.
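As an added example (not code from the article or from Malwarebytes), here is a small Python audit that reads a .mobileconfig profile and flags the com.myshopcoupon.www identifier and any forced Safari or Chrome start page pointing at chumsearch.com. The MCX-style payload layout and the preference key names used here are assumptions, and the sample profile is constructed for the demonstration.

```python
import plistlib
from urllib.parse import urlparse

# Identifier and domain taken from the Malwarebytes write-up quoted above.
KNOWN_BAD_IDENTIFIERS = {"com.myshopcoupon.www"}
KNOWN_BAD_DOMAINS = {"chumsearch.com"}
# Keys that pin a browser start page (assumed MCX "Forced" payload layout).
HOMEPAGE_KEYS = {
    "com.apple.Safari": {"HomePage"},
    "com.google.Chrome": {"HomepageLocation", "RestoreOnStartupURLs"},
}

def forced_homepages(profile):
    """Yield (bundle_id, key, url) for every forced start-page setting."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        for bundle_id, prefs in payload.get("PayloadContent", {}).items():
            for entry in prefs.get("Forced", []):
                for key, value in entry.get("mcx_preference_settings", {}).items():
                    if key in HOMEPAGE_KEYS.get(bundle_id, set()):
                        for url in (value if isinstance(value, list) else [value]):
                            yield bundle_id, key, url

def audit_profile(profile_bytes):
    """Return findings for one .mobileconfig (bytes); an empty list means clean."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    ident = profile.get("PayloadIdentifier", "")
    if ident in KNOWN_BAD_IDENTIFIERS:
        findings.append(f"known adware identifier: {ident}")
    for bundle_id, key, url in forced_homepages(profile):
        host = (urlparse(url).hostname or "").lower()
        tag = "KNOWN BAD" if host in KNOWN_BAD_DOMAINS else "review"
        findings.append(f"{tag}: {bundle_id} forces {key} = {url}")
    return findings

# Constructed sample profile mimicking the behaviour described in the article.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadIdentifier": "com.myshopcoupon.www",
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadContent": {
            "com.apple.Safari": {"Forced": [{"mcx_preference_settings": {"HomePage": "http://chumsearch.com/"}}]},
            "com.google.Chrome": {"Forced": [{"mcx_preference_settings": {"HomepageLocation": "http://chumsearch.com/"}}]},
        },
    }],
})
# Constructed clean profile with no managed preferences at all.
CLEAN_PROFILE = plistlib.dumps({"PayloadIdentifier": "com.example.clean", "PayloadContent": []})
```

Point `audit_profile` at profiles exported from a suspect Mac to get a per-profile list of findings; any "KNOWN BAD" line matches the indicators from the write-up.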
Flash has had issues with its infrequent updates and a long history of malware problems. For these reasons, many believe it is finally time for it to go.