Safari Malware – A Closer Look at Malicious Software that Preys on Apple’s Mac OS-X and iOS

Finjan Team | Blog, Cybersecurity


Apple’s Mac OS-X and iOS operating systems have traditionally been highly resistant to malware, leaving bad actors to concentrate their efforts on infecting individual components of a desktop, such as the Safari web browser.

For years, the prevailing wisdom has been that Apple hardware or software simply can’t be infected by viruses or other malicious software – a view that the company hasn’t done too much to dispel. But malware can and does infiltrate Apple-based systems.

Some years ago, for example, the Flashback malware exploited a security flaw in Java implementations on OS-X. And the KitM.A backdoor application on OS X enabled attackers to take screenshots of users’ desktops.

But – as in Windows, Android, and other operating environments – software that’s universally used and internet-connected presents hackers and malware developers with the easiest opportunity to prey on the Apple ecosystem. And the flagship web browser Safari is one of their principal targets.

Custom-tailored Safari Malware

As we’ve already observed, Mac OS-X and iOS are robust operating systems, with security and safety mechanisms built in. For example, users of OS-X don’t have root privileges over their machines and have to enter a password in order to reconfigure the system. Only files that are digitally signed by Apple may be installed – and there’s a “Gatekeeper” sub-system to ensure that this condition is enforced.

Perpetrators wishing to attack an Apple-based system are therefore likely to have better luck targeting the third-party software applications that run on it. And there’s evidence that this need not be a difficult task. According to Bogdan Botezatu, Senior E-Threat Analyst for Bitdefender, “Mac OS X software has more high-risk vulnerabilities than all versions of Windows put together.”

Malware has been and is being custom-made to target specific applications – and the Safari web browser is one of them. These include unique payloads such as the fake FBI locker hoax that was discovered in 2013. As with other variations on this theme, a message displayed in your browser window claims that your browser has been locked for alleged illicit activity, with a specified fine/ransom demanded to unlock it. On Apple systems, this malware package would zero in solely on Safari, while the same malicious software on a Windows system could affect the entire computer.

Safari Malware – Malicious Browser Extensions

Operating under the guise of additional tools meant to enhance your online experience, malicious browser extensions are another vector that’s used for attacks on Safari. In order to provide this functionality, these apps require access to the browser core, and to external websites that provide them with information and resources.

These small programs are often installed by choice, based on recommendations or searches for specific features that aren’t provided by the core browser engine. But they can also find their way onto the Safari ecosystem without the user’s knowledge, through insertion by malicious advertising (“malvertising”) panels, or from visits to malicious websites.

Safari Malware – Software Wrapping Infections

Adware – malicious software that bombards a system with annoying or even crippling volumes of advertising – is a major ingredient in a class of cross-browser infections that can affect not only Safari, but other installations such as Chrome or Firefox. The medium for transmission is often a software wrapping technique, which bundles the malware payload with an otherwise legitimate download or installation package. This frequently occurs with freeware, but can equally take place with setup programs for proprietary software.

Examples include the RocketTab adware bundled with BrowserSafeguard, and the popup virus.

Safari Toolbar and Related Infections

Browser toolbars are another attack vector to which Safari has become vulnerable. These applications typically offer enhanced search engines, real-time updates (for weather, news, etc.), and other features. They also have a tendency to redirect web traffic to their own Command and Control servers, alter default browser settings, and perform other unwanted activities in the background.

As with the cross-browser infections, toolbars are often slipped onto an unwary user’s system via the installation process for another piece of software. The toolbar installation may be referenced in the End User License Agreement (EULA) or Terms and Conditions of the setup program (which no-one bothers reading, anyway), and/or signposted by a pre-checked check box during the install.

Safari Malware – Is There a Reluctance to Admit the Truth?

It’s felt in some quarters that Apple’s reputation for security has bred a sense of complacency, on the part of the company and its user base. Symptomatic of this is a slow response to vulnerabilities that actually come to light. For example, the Rootpipe exploit was discovered in October 2014, but a first fix wasn’t issued until April 2015 – and the patch only applied to versions of OS-X from Yosemite and above.

Worse, there’s been a characteristic reluctance on Apple’s part to admit to the possibility that malware vulnerabilities on their platforms even exist. Software has typically been marketed as virus-free, and the option for users to run antivirus software for additional protection barely gets a mention. As a result, most Apple users aren’t using third-party security software.

Avoiding the Traps

Rogue apps and desktop applications are unlikely to gain access to your system if you don’t give them an avenue to enter it. Whenever possible, only download or install software from the App Store or from reputable vendors. And it’s a good idea to actually read the accompanying license and conditions documents, to check for any references to bundled software or toolbars.

With extensions and add-on tools providing a channel for much of the malware that can affect the Safari browser, knowing which tools are actually running is half the battle. The Preferences menu of Safari will give access to the Extensions tab, where any installed extensions will be listed. It’s a good idea to check this periodically, to make sure that what’s actually there is what you opted to install. Safari’s General tab will also provide information on whether your home page has been altered.

Be on guard against phishing and social engineering tactics, which remain a popular technique for malware distributors to grab your attention, then make you careless. Also look out for pop-up windows and advertising. Any or all of these could be doorways for malware to get through to your browser.

For users of Safari and other browsers, installing an anti-malware program from a reputable manufacturer – and keeping it up to date, properly configured, and running real-time protection – is always advisable.

Taking Steps to Remedy the Situation

If the worst happens and malware infects your Safari installation, there are a number of things you can do.

Some malware strains will attempt to keep your browser perpetually running – often in the background – so that they can work their magic. There’s a Force Quit option on Apple systems that will enable you to specify Safari, and terminate it.

The Activity Monitor (which can be called up from Launchpad) provides a real-time overview of what’s running on your system, with options to terminate (Force Quit) any processes that look suspicious.

The Extensions tab in Safari Preferences will allow you to disable any installed browser extensions. You can do this systematically, to identify any rogue element that’s causing problems, or perform a blanket disable for safety. There’s also a Disable Extensions option in Safari’s Develop menu.

If all else fails, you may need to Reset Safari – in which case, any personalized data or settings that you’ve been using will be wiped out.

Visit some sites and do some test browsing, to make sure that things are back to normal.

Finally, using that third-party security software that you should have installed, perform a thorough scan of your Safari browser and system, to check for any remaining traces of malware.
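The two checks recommended above (confirming that the listed extensions are the ones you chose to install, and that your home page hasn't been altered) and the extension-disabling step of the clean-up can be scripted rather than done by hand in the Preferences window. The following is an added example, not code from the original post or from Finjan; it uses Python's standard plistlib to read Safari's property-list files. The plist layout it parses (an "Installed Extensions" array of dictionaries carrying "Archive File Name" and "Enabled" keys, and a "HomePage" string in the browser preferences) is an assumption modelled on the pre-Safari 13 Extensions.plist format, and the extension names, home page URLs and approved list are all constructed sample data; check the layout against the files on your own machine before pointing it at them.

```python
"""Audit a Safari extension list and home page setting, and disable extensions.

ASSUMPTION: the plist layout used here ("Installed Extensions" array of dicts
with "Archive File Name" and "Enabled" keys, plus a "HomePage" string in the
browser preferences) is a reconstruction of the legacy Extensions.plist format.
Every sample value below is constructed for illustration only.
"""
import plistlib

# Constructed stand-in for ~/Library/Safari/Extensions/Extensions.plist (assumed layout).
SAMPLE_EXTENSIONS_PLIST = plistlib.dumps({
    "Installed Extensions": [
        {"Archive File Name": "PasswordManager.safariextz", "Enabled": True},
        {"Archive File Name": "SearchHelper-1.safariextz", "Enabled": True},  # never chosen by the user
        {"Archive File Name": "AdBlocker.safariextz", "Enabled": False},
    ],
    "Version": 1,
})

# Constructed stand-in for the browser preferences plist (only the key we inspect).
SAMPLE_PREFS_PLIST = plistlib.dumps({"HomePage": "http://search-helper.example/start"})

# What the user remembers installing and configuring (constructed).
APPROVED_EXTENSIONS = {"PasswordManager.safariextz", "AdBlocker.safariextz"}
EXPECTED_HOMEPAGE = "https://www.example.com/"


def list_extensions(plist_bytes):
    """Return [(archive_name, enabled), ...] from an Extensions.plist blob."""
    data = plistlib.loads(plist_bytes)
    return [(ext.get("Archive File Name", "?"), bool(ext.get("Enabled", False)))
            for ext in data.get("Installed Extensions", [])]


def unexpected_extensions(plist_bytes, approved):
    """Installed extensions that are not on the user's approved list: the
    periodic 'is what's there what I opted to install?' check."""
    return sorted(name for name, _ in list_extensions(plist_bytes) if name not in approved)


def homepage_changed(prefs_bytes, expected):
    """True if the HomePage preference no longer matches what the user set."""
    return plistlib.loads(prefs_bytes).get("HomePage") != expected


def disable_extensions(plist_bytes, names):
    """Return a new plist blob with the Enabled flag cleared for the named
    extensions (names=None clears every one, i.e. a blanket disable).
    The original blob is left untouched so the caller can keep a backup."""
    data = plistlib.loads(plist_bytes)
    for ext in data.get("Installed Extensions", []):
        if names is None or ext.get("Archive File Name") in names:
            ext["Enabled"] = False
    return plistlib.dumps(data)


def audit(ext_bytes, prefs_bytes, approved, expected_homepage):
    """Summarise findings as a dict; the caller decides what to do about them."""
    return {
        "unexpected": unexpected_extensions(ext_bytes, approved),
        "homepage_changed": homepage_changed(prefs_bytes, expected_homepage),
        "homepage": plistlib.loads(prefs_bytes).get("HomePage"),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXTENSIONS_PLIST, SAMPLE_PREFS_PLIST,
                   APPROVED_EXTENSIONS, EXPECTED_HOMEPAGE)
    for name in report["unexpected"]:
        print(f"[!] extension not on your approved list: {name}")
    if report["homepage_changed"]:
        print(f"[!] home page has been altered to {report['homepage']}")
    cleaned = disable_extensions(SAMPLE_EXTENSIONS_PLIST, set(report["unexpected"]))
    print("after disabling unexpected extensions:", list_extensions(cleaned))
```

To use it on a real profile, read the two plist files into bytes in place of the constructed samples and write the output of disable_extensions back only after quitting Safari (the browser rewrites its preference files on exit) and keeping a copy of the original; the functions deliberately return new bytes rather than editing files so that the audit step is read-only.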
