Adware Installer Uses Old Trick to Access OS X Keychain

The developers of an adware installer are leveraging an old trick to access the Keychain on OS X devices, researchers have warned.

One month ago, researchers at Malwarebytes reported spotting a new installer that had leveraged a then zero-day local privilege escalation vulnerability in OS X to install Genieo and VSearch adware on computers without users having to enter the system password. The attackers also installed MacKeeper and directed victims to the Apple App Store page of a file downloader named Download Shuttle.

The vulnerability exploited to install the adware was patched by Apple on August 13 with the release of OS X Yosemite 10.10.5.

In a new blog post published this week, Malwarebytes reported seeing a new version of the previously analyzed installer. The new installer asks users to enter their admin password, after which it installs Genieo, VSearch and MacKeeper and redirects users to Download Shuttle.

While this might seem to be the end of it, the installer uses a clever trick to access the Safari Extensions List in the Keychain. It does this by locating the “Allow” button on a Keychain alert and simulating a click on it. The Keychain alert is visible for less than a second before the Allow button is automatically clicked, so victims are unlikely to become suspicious.

The Mac OS X Keychain is a password management system that is used to store passwords and other sensitive information.

In this case, the goal is to give the installer access to the Safari Extensions List in the keychain in order to install a Genieo Safari extension called “Leperdvil.” However, experts warn that the adware could be adapted to access users’ iCloud passwords and other data from the keychain.

Genieo installers have been capable of installing shady Safari extensions for years, but Malwarebytes researchers believe this latest trick might be an attempt to bypass the new Safari extension handling mechanisms in the upcoming 10.11 El Capitan version of OS X.

Malwarebytes says it has spotted the malicious code in almost every app installed by the Genieo installer at least since early June.

A similar piece of adware was spotted by researchers at Webroot. Experts identified code designed to add an exception to the settings of ad blocker applications such as AdBlock Plus in order to ensure that the attackers’ ads would not get blocked.

CSO reported that this Keychain attack method was also disclosed by researchers at Beirut-based identity management company MyKi. The experts developed a proof-of-concept (PoC) exploit that can steal passwords from the Keychain and send them to the attacker via SMS. They reported their findings to Apple, but have not received any response.

However, it’s worth noting that this is not exactly a new attack method and it doesn’t involve an actual vulnerability. The technique, which has been known for several years, can only be leveraged by an application that obtains root privileges (either via a vulnerability, or by tricking the user into entering the system password).

A security expert using the online moniker “noar” pointed out on Twitter that the technique was used back in 2011 by DevilRobber, a piece of OS X malware designed for Bitcoin mining and data theft.

Once a piece of malware gains root access to a system, it’s not difficult for it to read Keychain passwords. In 2012, Finnish software developer Juuso Salonen released a PoC tool, named “keychaindump,” capable of reading the plaintext Keychain passwords of logged-in users. The keychaindump tool still works today, noar noted.

“There is a design compromise in Apple’s keychain implementation that sacrifices some security for a lot of usability,” Salonen wrote in a blog post when he released his tool. “As a result, the root user is able to read all keychain secrets of logged-in users, unless they take extra steps to protect themselves. I’m sure Apple is perfectly aware of the security implications, and made the bargain intentionally.”

Apple had not responded to SecurityWeek’s request for comment by the time of publication.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.