Reports are circulating that a fake installer for Mac OS has surfaced, proving that Mac OS is still fair game when it comes to web threats.
Our friends from Dr. Web have uncovered a fake installer for Mac OS X. Detected as OSX_ARCHSMS.A, this threat may be encountered by users downloading from websites peddling supposedly legitimate software. Once installed, it shows an image that looks like an installation wizard window.
The curious aspect of this threat is that OSX_ARCHSMS.A asks users for their cellphone number and for the verification code to be sent via SMS. When done, users are prompted to agree with the terms and conditions of the program, which include being charged regularly via their mobile phone account. Needless to say, no program is installed and users end up being charged for a fake (and non-existent) program.
If this ruse, in particular the charging of a user’s mobile account, looks familiar, you may have read about malicious Android apps known as premium service abusers. Usually disguised as legitimate apps, they are known to register users to premium services and to send SMS messages and make calls without users' consent or knowledge, thereby incurring unnecessary charges for users. Some notable cases of premium service abusers include malicious versions of Bad Piggies and Adobe Flash Player for Android.
But this fake installer is a first on two different fronts: the first premium service abuser affecting Mac users and the first premium service abuse done under the guise of a fake installer. This is an interesting mix of techniques, which only proves that cybercriminals can be a crafty lot – especially if they want money from users.
This fake installer is certainly not the first threat to hound Mac OS. Early this year, Flashback made headlines, not only because it targeted the platform, but because of its scope and impact on users. We also previously found other noteworthy threats that Mac users should be aware of.
To stay protected, users must refrain from downloading files and programs from unverified sources and websites. Mac or no Mac, users must be cautious with their activities online. Users may think that they are saving money by downloading these “free” or discounted installers online – but they end up paying more.
With additional analysis from Threat Response Engineer Mark Manahan.
Update as of December 17, 2:10 PM PST
Windows-based systems are also infected by this threat, which Trend Micro detects as TROJ_ARCHSMS.VK. Similar to OSX_ARCHSMS.A, it also shows a window instructing users to send an SMS to a premium-rate number to install the supposed VK Player. As such, users are charged via their mobile phone accounts.