Security Experts:

Connect with us

Hi, what are you looking for?



Mac Malware Injects Ads Into Encrypted Traffic

A newly discovered piece of malware targeting macOS devices is capable of injecting ads into encrypted web traffic, Malwarebytes security researchers warn.

A newly discovered piece of malware targeting macOS devices is capable of injecting ads into encrypted web traffic, Malwarebytes security researchers warn.

Detected as OSX.SearchAwesome, the malware is delivered through a malicious installer that arrives as a cracked app downloaded via a torrent file. The threat’s installer is a disk image file that lacks the usual decorations used to make it look legitimate.

When launched, the image file installs the components invisibly and then requests the user to authorize changes to Certificate Trust Settings and to allow a component called spi to modify the network configuration.

Similar to other adware programs out there, the spinstall app installs an application and launch agents, one of which is designed to execute the spi application. However, it doesn’t keep the app running constantly, meaning that the user can force it to quit, although the app opens again on the next login.

Another agent is designed to monitor for removal, and also to remove the other component of the malware if that happens.

SearchAwesome also installs the open-source program mitmproxy, which was designed to intercept, inspect, modify, and replay web traffic. It abuses the application to target both unencrypted and encrypted traffic in a man-in-the-middle (MitM) attack.

Armed with the ability to modify Certificate Trust Settings and using the mitmproxy certificate that is now trusted by the system, the malware gains access to HTTPS traffic, which is normally encrypted between the browser and the website, thus protected from prying eyes.

The threat injects JavaScript into every web page the victim visits. The script is loaded from a malicious website.

If is deleted, the uninstall agent runs a script to disable a proxy the adware set up initially, fetches information from the program’s preferences and sends it to a web server, and removes the preferences and the launch agents.

The script also causes an authentication request to appear four times, Malwarebytes reveals. Furthermore, the uninstaller leaves behind the mitmproxy software, and the certificate the app uses to access encrypted web traffic.

The adware seems innocuous at the moment, as it only injects a script to display ads but, given that the script is actually being loaded from an external server, the content could change at any time and phishing pages or malware could be served instead.

“The injected script could be used to do anything, from mining cryptocurrency to capturing browsing data to keylogging and more. Worse, the malware itself could invisibly capture data through the MitM attack, without relying on JavaScript or modifying the web page content,” Malwarebytes points out.

Even if the malware uninstalls itself, the potential for damage is not over, given that it leaves behind the tools it uses to execute the MitM attack. This means that another piece of malware could leverage the tools for their own nefarious purposes.

Related: Trend Micro Admits That Its Mac Apps Collect User Data

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.