'Apple Security Center' malware targeting OS X users

A new Trojan horse that uses the name "Apple Security Center" is trying to get Mac users to install malware on their systems.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

If you ever see a message or window in Safari or your e-mail client about your system's security being compromised, ignore it! Malware developers and scammers are increasingly focusing on OS X and working to trick Mac users with highly developed Trojan horse attempts, using both software and ominous-looking messages generated in Web browsers and e-mail clients. Recently some rather sophisticated Trojan horse scam software called MacDefender was discovered for OS X, and a similar attempt has surfaced with a Web-based malware-detection facade that tries to get you to download and install malware on your system.

'Apple Security Center' malware running
The 'Apple Security Center' malware appears to be a legitimate scanner, but runs in a Web browser. njmeny / Apple Support Communities

In a growing thread on the Apple Support Communities forum, commenters are describing the new attack attempt, in which an individual or small group (judging by IP addresses) is releasing Mac-focused malware to OS X users via e-mail and Web links. The malware is made available for download through a Web page that is entitled "Apple security center" and appears to be running a virus scan on the system. It will start listing files that are not on your system as the fake scan completes itself, and will display some statistics about the number of threats found.

This may be a concern to people, but rest assured these are just scams to try to coerce you into installing malware and are nothing new. If you ever see a malware scanner suddenly pop up on your screen, here are some things to consider before giving it any credibility:

  1. Did you install it?
    While there are a number of security-based components to OS X, so far Apple has not developed and installed a full malware scanner with a user interface. The only option Apple provides is a feature called XProtect, which is a rudimentary malware scanner that will issue a warning when you try to open a file it suspects.

    Apple's XProtect warning window
    Apple's XProtect only shows this window and offers options to Open, Cancel, or Eject/Trash the file. Ryan Naraine / ZDNet

    Therefore, if you have not installed a full malware scanner there is no reason for one to run on your system. And if you have installed one, such as VirusBarrier X6, Norton, Kaspersky, or Sophos, you should recognize it as the package you have installed.

    Know what software you have installed on your system, and always download it from a reputable location only (such as the Mac App Store, a company Web page, or CNET's download.com).

  2. Is it a Web page?
    If a scanner suddenly appears in the foreground and starts showing activity, look in the top left of your screen next to the Apple menu to see what program is running in the foreground. If Safari, Mail, or another Web browser or e-mail client is running, try quitting it. If the scanner disappears after you do this then you'll know it was a scam.

    Both Safari and Mail will render Web content, and given the advancements in JavaScript and other Web-based scripting languages, a Web page can be made to look very much like a local application. However, keep in mind that anything running in your Web browser or e-mail client will have exceptionally limited access to your system. Therefore it will not be able to scan your system for files or malware, and it will shut down when the parent browser or e-mail client is quit.

  3. Do the "infected" files exist?
    These malware programs and sites tend to provide you with a list of "infected" files on your system. You can use Spotlight to perform a search for these files by name and see if they actually exist on your system, and whether attributes like file size match what the scanner is reporting (they likely will not).

  4. Is it ultimately asking you for something?
    If a legitimate malware scanner locates malware on your system, it will remove or quarantine it, and will not request you to download an update or pay for an upgrade to manage the located threats. Even if a scanner appears legitimate, if you find you have to provide something to the scanner in order for it to complete its job (even an admin password) then it should not be trusted.
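The check in step 3 can also be scripted from Terminal. The following is an added example, not part of the original article: it looks up each reported file name through Spotlight's `mdfind` command-line tool and compares sizes. The file names and sizes in `REPORTED` are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. REPORTED is constructed sample data ("name|size in bytes");
# replace it with the names and sizes the pop-up "scan" displayed.
REPORTED='example-threat-one.dll|48231
example-threat-two.exe|10240'

# locate_by_name NAME [ROOT]: print paths of files named exactly NAME.
# With ROOT, search that directory with find; otherwise ask Spotlight
# (mdfind) when present, else search $HOME with find.
locate_by_name() {
    l_name=$1; l_root=${2:-}
    if [ -z "$l_root" ] && command -v mdfind >/dev/null 2>&1; then
        # mdfind -name matches substrings, so keep exact file names only.
        mdfind -name "$l_name" | while IFS= read -r l_path; do
            if [ -f "$l_path" ] && [ "${l_path##*/}" = "$l_name" ]; then
                printf '%s\n' "$l_path"
            fi
        done
    else
        find "${l_root:-$HOME}" -type f -name "$l_name" 2>/dev/null
    fi
}

# verdict NAME SIZE [ROOT]: echo absent, size-mismatch or match.
verdict() {
    v_name=$1; v_want=$2; v_root=${3:-}
    v_result=absent
    while IFS= read -r v_path; do
        [ -n "$v_path" ] || continue
        v_result=size-mismatch
        v_have=$(wc -c < "$v_path" | tr -d ' ')
        if [ "$v_have" = "$v_want" ]; then v_result=match; break; fi
    done <<EOF
$(locate_by_name "$v_name" "$v_root")
EOF
    echo "$v_result"
}

# report_all [ROOT]: print one line per reported file.
report_all() {
    printf '%s\n' "$REPORTED" | while IFS='|' read -r r_name r_size; do
        printf '%-28s %s\n' "$r_name" "$(verdict "$r_name" "$r_size" "${1:-}")"
    done
}

report_all "$@"
```

A result of `absent` or `size-mismatch` for the listed files means the "scan" did not read your disk.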

Overall, OS X is known to be virus-free and worm-free, but that does not mean it is malware-free. To date, all malware for OS X has been of the type that's installed by tricking the user. There are numerous types of malware, with the most common ones being Trojan horses, which, like any false advertisements on the Web and in e-mail, have been a plague for Internet users for years.
