Adware installer gives itself permission to access Mac users’ keychain
“Malwarebytes researcher Adam Thomas has made an interesting discovery: an adware installer created by Genieo, a well-known distributor of unwanted software, is taking advantage of an OS X feature to access information stored in the “Safari Extension List” in the users’ keychain.
The problem is the installer doesn’t allow the user to make the choice of whether they will allow it to access to the keychain. Instead, it “hijacks” the users’ mouse cursor and clicks on the “Allow” button – and it does it so quickly (in mere seconds) that the users might not even notice it.
The installer does this so it could install a Safari extension named Leperdvil, which is used to distribute additional potentially unwanted software and change certain Safari settings.
“This seems like an unnecessary hack, considering that Genieo installers have been installing Safari extensions for years. Perhaps its an attempt to get around changes to handling of Safari extensions in the upcoming El Capitan (OS X 10.11),” Malwarebytes’ Thomas Reed posits.
“More concerning, though, is the question of whats to stop this adware from accessing other confidential keychain information like, say, passwords? With a few minor changes, the adware could get access to other things from the keychain, like the user’s iCloud password.”
And what stops malware peddlers from using this same approach? “I’m surprised nobody thought of that before,” Reed commented for Ars Technica.
The vulnerability – or rather, the feature – has likely been introduced by Apple in order to help visually or physically impaired users use the computer. But with this approach having been made public, it’s more than likely that Apple will have to come up with a solution to the problem.
This particular installer has been spotted over a month ago exploiting a privilege escalation bug (DYLD_PRINT_TO_FILE vulnerability) that allows it to gain root access machines running OS X 10.10, and has since been squashed by the company.
UPDATE: The feature / vulnerability misused by the installer was initially discovered by Antoine Vincent Jebara and Raja Rahbani, the CTO and lead engineer (respectively) of identity management company MyKi.
Apple has been notified of it, but they have yet to release a patch.”