My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Adware for OS X distributes Trojans

June 22, 2015

Lately, reports about distribution of new malicious and potentially dangerous programs for OS X have been emerging with great frequency. Doctor Web security researches have registered a growing number of various adware and installers for Apple computers, which is related, to a large extent, to appearance of new affiliate programs aimed at OS X users. It is one of such programs that has been used by cybercriminals to spread Trojans of the Trojan.Crossrider family.

An installer of unwanted applications that has been added to Dr.Web virus database as Adware.Mac.MacInst.1 is created using resources of an affiliate program called “”. Websites of numerous “partners” taking part in this program are usually packed with different advertising modules, and visiting such webpages leads to multiple tabs being open in the browser window. The installer itself is disguised as a “useful” application or an MP3 file. In some cases, the installer is downloaded automatically while the user is redirected to a specific webpage.

The image of Adware.Mac.MacInst.1 has a rather remarkable structure; that is, it contains two hidden folders that cannot be viewed on the computer running with standard operating system settings if the user decides to browse the contents of the DMG file using Finder.

The directory with the application contains a binary file that launches the installer and another folder with the logo of the application and the encrypted configuration file. Once the installer is run, it demonstrates a dialogue window with the information on the file the user wanted to download.


After the “Next” button is clicked, the malware displays a partnership agreement informing the user that in addition to the file itself some other components will be installed.


If the user clicks the hardly visible “Decline” link at the bottom of the window, only the initially chosen file will be downloaded. However, if the “Next” button is clicked, together with the file, the program detected by Dr.Web as Trojan.Vindinstaller.3 will be downloaded and run.

This application, in turn, installs malicious plugins for Safari, Firefox, and Chrome. These extensions are detected as Trojans belonging to the Trojan.Crossrider family. Adware.Mac.MacInst.1 copies all downloaded components into the “~/Library/Application Support/osxDownloader” folder.




Signatures of these malicious programs have been added to Dr.Web virus databases for OS X. Therefore, they pose no threat to our users.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments