Virgo adware is discovered that gives permission to Keychain instantaneously to Mac users unrecognizable

Mac OS password management system "Keychain"Has a function to display the pop-up window to confirm the user whether to grant permission to access the Keychain list before installing the software. However, malware was found to exploit this popup without permission without permission and at a speed of explosion that the user can not recognize.

Genieo installer tricks keychain | Malwarebytes Unpacked
https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/

There is an infamous extension "Genieo" to change Safari's start page without notice to Mac users, change the default search engine, display targeted advertisements, and send form information to the outside. In many cases, this malware Genieo is quietly put in a software installation package, and users often install Genieo unintentionally when installing another software.

The fact that Genieo has evolved and acquired the function of giving the user permission to Keychain without permission by the security countermeasure companyMalwarebytesIt is reported by. According to Malwarebytes, the new Genieo prompts for permission to access the keychain when installing the software, and clicks "Allow" at a speed that can not be seen, and what happened to the user I will give Keychain's permission before I know.

actuallyDownload ShuttleYou can check how Genieo got in the software installer package gets the access permission to Keychain with the explosion speed in the following 3-second movie.

DownloadShuttle installer - YouTube


While installing Download Shuttle ......


Prompt to confirm whether permission to access Keychain suddenly pop up is given.


Simultaneously with popup display, mouse cursor moves to "Allow" and clicks.


Before I knew what happened, I got permission to access Keychain.


By analyzing Malwarebytes, it is confirmed that this installer contains code for clicking on the permission button without permission.


According to Malwarebytes, Genieo, which has already succeeded in installing extensions to users' Safari for many years without any permission, the function of acquiring the access permission of Keychain discovered this time is a seemingly unnecessary hacking function It seems like it is. However, the next OS "OS X 10.11 El CapitanIn anticipation that Safari's extension handling will be changed, Malwarebytes thinks it is a version upgrade to avoid that change.

In addition, Malwarebytes says that it would be possible to steal information such as iCloud's password from the keychain by just modifying the function of acquiring Genieo's Keychain permission just a little.