Macs are not immune to malware, but they are pretty well-protected. By default, macOS won’t allow unrecognized apps to be installed, and it needs the user to agree to override this. Even when they are installed, sandboxing limits the damage that can be done, which is why most Mac malware is actually adware – annoying but not damaging.
A common way for attackers to get malware onto a Mac is to disguise it as something else, to trick technically naive users into installing it. Fake installers for Adobe Flash Player are particularly favored, and Malwarebytes has found a variant that’s nastier than usual …
Usually, software like Malwarebytes can search for and remove malware automatically. But a new version of Crossrider adware has a new trick to protect itself from removal, as the company’s blog explains.
The malware changes the homepage in both Safari and Chrome, and doesn’t allow you to change it back again.
After removing Advanced Mac Cleaner, and removing all the various components of Crossrider that have been littered around the system, there’s still a problem. Safari’s homepage setting is still locked to a Crossrider-related domain, and cannot be changed.
It turns out that this is caused by a configuration profile installed on the system by the adware. Configuration profiles provide a means for IT admins in businesses to control the behavior of their Macs. These profiles can configure a Mac to do many different things, some of which are not otherwise possible.
In the case of this Crossrider variant, the configuration profile that is installed forces both Safari and Chrome to always open to a page on chumsearch[dot]com. This also prevents the user from changing that behavior in the browser’s settings.
Even tracking it down in Profiles is tricky.
This profile installs with an identifier of com.myshopcoupon.www, which is not visible in System Preferences. However, the profile can definitely be identified by scrolling through the details and looking for references to chumsearch[dot]com.
Once you’ve found it, you can then delete it by clicking on the profile (in this case showing up as AdminPrefs) and then clicking the minus button below to remove it. Once this is done, you’ll be able to restart and change your homepage.
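The hunt described above can be scripted rather than done by scrolling through profile details. The following is an added example, not code from the article or from Malwarebytes. It assumes the standard layout of a Custom Settings payload in a .mobileconfig file (a payload of type com.apple.ManagedClient.preferences whose Forced entries carry mcx_preference_settings), which is the mechanism a profile uses to pin Safari’s HomePage and Chrome’s HomepageLocation so the browser greys the setting out. The sample profile is constructed: it reuses the com.myshopcoupon.www identifier the article reports, and the URL in it is a placeholder rather than the real domain.

```python
import plistlib
import sys

# Forced preference keys that pin a browser's home page. When a profile sets
# these through the managed-preferences payload, the browser's own settings
# UI can no longer change them, which matches the locked homepage above.
HOMEPAGE_KEYS = {
    "com.apple.Safari": {"HomePage"},
    "com.google.Chrome": {"HomepageLocation", "HomepageIsNewTabPage"},
}


def find_homepage_enforcement(profile_bytes):
    """Parse a .mobileconfig (XML or binary plist) and return one
    (payload_identifier, preference_domain, key, value) tuple for every
    forced browser-homepage setting it contains."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        # Only the managed-preferences payload type can force app settings.
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        identifier = payload.get("PayloadIdentifier", "<no identifier>")
        for domain, settings in payload.get("PayloadContent", {}).items():
            watched = HOMEPAGE_KEYS.get(domain)
            if not watched:
                continue
            # "Forced" settings cannot be overridden by the user; "Set-Once"
            # entries are ignored here because the user can change them back.
            for entry in settings.get("Forced", []):
                for key, value in entry.get("mcx_preference_settings", {}).items():
                    if key in watched:
                        findings.append((identifier, domain, key, value))
    return findings


def hijack_identifiers(profile_bytes):
    """Payload identifiers that lock a homepage: the values to look for in
    the Profiles pane (or to hand to the profiles tool for removal)."""
    return sorted({f[0] for f in find_homepage_enforcement(profile_bytes)})


# Constructed sample profile. The identifier is the one the article reports;
# the URL is a placeholder, not the real domain.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.myshopcoupon.www",
    "PayloadDisplayName": "AdminPrefs",
    "PayloadVersion": 1,
    "PayloadContent": [
        {
            "PayloadType": "com.apple.ManagedClient.preferences",
            "PayloadIdentifier": "com.myshopcoupon.www",
            "PayloadVersion": 1,
            "PayloadContent": {
                "com.apple.Safari": {
                    "Forced": [{"mcx_preference_settings": {
                        "HomePage": "http://search-hijack.invalid/"}}],
                },
                "com.google.Chrome": {
                    "Forced": [{"mcx_preference_settings": {
                        "HomepageLocation": "http://search-hijack.invalid/",
                        "HomepageIsNewTabPage": False}}],
                },
                # Unrelated forced setting: must not be reported.
                "com.apple.dock": {
                    "Forced": [{"mcx_preference_settings": {"autohide": True}}],
                },
            },
        },
        # A benign, non-preferences payload: skipped entirely.
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadIdentifier": "com.example.wifi",
         "PayloadVersion": 1, "SSID_STR": "Office"},
    ],
})


if __name__ == "__main__":
    # Usage: python3 find_homepage_profile.py [path/to/profile.mobileconfig]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for identifier, domain, key, value in find_homepage_enforcement(data):
        print(f"{identifier}: {domain} forces {key} = {value!r}")
```

Point the script at a .mobileconfig file recovered from disk; the identifier it reports is the one to select in System Preferences > Profiles, as the article describes, or to pass to the `profiles` command-line tool for removal (its syntax changed in macOS 10.13, so check `man profiles` on the machine in question). Because the sample deliberately includes an unrelated forced Dock setting and a Wi-Fi payload, the output shows that only homepage-locking keys are flagged.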
Some would argue that the real Flash Player is itself bordering on malware, given the frequency of security issues found in Flash. Safari even disables it by default. Very few websites these days require the platform, and I argued last year that it is time for Flash to die.
Check out the blog for more details.