Sophos uncovered Bundlore adware targeting macOS users with updated safari extensions. Under the guise of one legitimate application, many unsecure and unwanted apps were found as adware.
Bundlore is one of the most common “bundleware” installers for the macOS platform, accounting for 7% of total attacks received. This makes Bundlore #2 among the “badware” threats affecting macOS. Unsurprisingly, it’s also prevalent in Windows with Google Chrome extensions instead.
Sophos has recently analyzed an unscrupulous software installer which installs one legitimate application and drops multiple unwanted applications along. Sophos identified it to be part the Bundlore family, a common macOS bundleware installer family. This particular Bundlore has been found carrying a total of seven “potentially unwanted applications” (PUAs), three of which are damaging as Safari extensions. Two of the three were in the new App Extension format.
As extensions, it can process and modify the content of web pages viewed in Safari. However, these were adware. They contained code which were to inject ads, hijack download links, and redirect search queries of users to steal clicks for income. It even goes as far to maladvertising seen in a malicious ad that prompting a fake Adobe Flash update download. Some of the code even revealed how adware tools such as these make their developers money.
PUAs are one of the most common privacy and security threats to macOS. Sophos, as a leading cybersecurity firm, block PUAs as a nobrainer like other endpoint protection products. For macOS users to defend against these, Apple’s XProtect feature in macOS blocks known Bundlore payloads. Apple also revokes the developer signatures associated with them as well, blocking them from further execution on current macOS versions.
Learn more about the new Bundlore adware on the SophosLabs Uncut article.