Adware Installer Uses Old Trick to Access OS X Keychain

The developers of an adware installer are leveraging an old trick to access the Keychain on OS X devices, researchers have warned.

One month ago, researchers at Malwarebytes reported spotting a new installer that had leveraged a then zero-day local privilege escalation vulnerability in OS X to install Genieo and VSearch adware on computers without users having to enter the system password. The attackers also installed MacKeeper and directed victims to the Apple App Store page of a file downloader named Download Shuttle.

The vulnerability exploited to install the adware was patched by Apple on August 13 with the release of OS X Yosemite 10.10.5.

In a new blog post published this week, Malwarebytes reported seeing a new version of the previously analyzed installer. The new installer asks users to enter their admin password, after which it installs Genieo, VSearch and MacKeeper and redirects users to Download Shuttle.

While this might seem to be the end of it, the installer uses a clever trick to access the Safari Extensions List in the Keychain. It does this by locating the “Allow” button on a Keychain access alert and simulating a click on it. The Keychain alert is visible for less than a second before the Allow button is automatically clicked, so victims are unlikely to become suspicious.

The Mac OS X Keychain is a password management system that is used to store passwords and other sensitive information.

In this case, the goal is to give the installer access to the Safari Extensions List in the keychain in order to install a Genieo Safari extension called “Leperdvil.” However, experts warn that the adware could be adapted to access users’ iCloud passwords and other data from the keychain.

Genieo installers have been capable of installing shady Safari extensions for years, but Malwarebytes researchers believe this latest trick might be an attempt to bypass the new Safari extension handling mechanisms in the upcoming 10.11 El Capitan version of OS X.

Malwarebytes says it has spotted the malicious code in almost every app installed by the Genieo installer at least since early June.

A similar piece of adware was spotted by researchers at Webroot. Experts identified code designed to add an exception to the settings of ad blocker applications such as AdBlock Plus in order to ensure that the attackers’ ads would not get blocked.

CSO reported that this Keychain attack method was also disclosed by researchers at Beirut-based identity management company MyKi. The experts developed a proof-of-concept (PoC) exploit that can steal passwords from the Keychain and send them to the attacker via SMS. They reported their findings to Apple, but they have not received any response.

However, it’s worth noting that this is not exactly a new attack method, and it doesn’t involve an actual vulnerability. The technique, which has been known for several years, can only be leveraged by an application that has already obtained root privileges (either via a vulnerability, or by tricking the user into entering the system password).

A security expert using the online moniker “noar” pointed out on Twitter that the technique was used back in 2011 by DevilRobber, a piece of OS X malware designed for Bitcoin mining and data theft.

Once a piece of malware gains root access to a system, it’s not difficult for it to read Keychain passwords. In 2012, Finnish software developer Juuso Salonen released a PoC tool, named “keychaindump,” capable of reading the plaintext Keychain passwords of logged-in users. The keychaindump tool still works today, noar noted.

“There is a design compromise in Apple’s keychain implementation that sacrifices some security for a lot of usability,” Salonen wrote in a blog post when he released his tool. “As a result, the root user is able to read all keychain secrets of logged-in users, unless they take extra steps to protect themselves. I’m sure Apple is perfectly aware of the security implications, and made the bargain intentionally.”

Apple had not responded to SecurityWeek’s request for comment by the time of publication.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.