PUP Friday: Nikoff Security

My attention was drawn a few weeks ago to a group of six apps in the Mac App Store, all made by someone named Nicholas Ebner. Part of what drew my attention was the name of one of the apps: Adware WebMedic Pro, suspiciously similar to the name of my old AdwareMedic app. This would not be the first time someone has tried using that name on a junk app, so I was immediately suspicious.

I downloaded the app and ran it through its paces, and my suspicions were quickly confirmed. The first thing I did was run its malware scan against 83 different adware and malware files, all installed in the appropriate locations within the user folder (which is the only place this app can scan).

The app came up with a number of detections… but when I reviewed them, it turned out that they were all components of the flashmall app installed into the user Applications folder. Odd components, too, in some cases… it detected things like the logo file inside the app as malicious. (It is not.)

Everything else was missed. Interestingly, though, a check afterwards showed that only 53 of the threat files remained. Where had the others, which had not been detected, gone? Some investigation showed that the app had simply deleted the LaunchAgents folder and Firefox’s searchplugins folder wholesale, regardless of what was inside them.

Its “web protection” feature simply does things like wiping browser settings and caches, and removing all browser extensions, regardless of whether they are legitimate.
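The test described above relies on an inventory taken before and after the scan: a scanner that truly detected the samples removes those files and nothing else, whereas one that just deletes whole folders also destroys benign files sitting next to them. The harness below, which is an added example and not code from the original post or from any of the apps discussed, automates that comparison. It seeds a throwaway sandbox folder with constructed marker files (not real malware) in the same kinds of locations the page mentions, places a benign canary file beside each threat, snapshots the tree, runs a stand-in "scanner" that mimics the wholesale folder deletion observed, and then classifies what happened. The layout, file names and the simulated scanner are all assumptions for illustration.

```python
"""Scanner-efficacy harness: seed a sandbox with marked threat files and benign
canaries, snapshot, run the scanner under test, snapshot again, and classify
the result as true detection, missed threat, collateral damage or a wiped folder.
Added example; paths and contents are constructed and not real malware."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed layout mirroring the kinds of locations named on the page.
# True = marker standing in for a threat, False = benign canary beside it.
LAYOUT = {
    "Library/LaunchAgents/com.example.adware.plist": True,
    "Library/LaunchAgents/com.example.backup.plist": False,
    "Library/Application Support/Firefox/Profiles/abc.default/searchplugins/hijacker.xml": True,
    "Library/Application Support/Firefox/Profiles/abc.default/searchplugins/mycompany.xml": False,
    "Applications/flashmall.app/Contents/MacOS/flashmall": True,
    "Library/kernel_service": True,  # assumed name, after the KeRanger file mentioned later
}


def snapshot(root: Path) -> dict:
    """Map every file under root (relative path -> sha256) so we can tell
    exactly which files the scanner removed or altered."""
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = str(path.relative_to(root))
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def classify(before: dict, after: dict, threats: set) -> dict:
    """Split the before/after difference into the outcomes that matter:
    threats removed, threats left in place, canaries destroyed (collateral),
    and folders where every file, canaries included, disappeared (wiped)."""
    removed = {p for p in before if p not in after}
    changed = {p for p in before if p in after and before[p] != after[p]}
    canaries = set(before) - threats
    wiped_dirs = set()
    for parent in {str(Path(p).parent) for p in before}:
        members = {p for p in before if str(Path(p).parent) == parent}
        # A folder counts as wiped only if a benign canary went with it;
        # deleting an entire malicious bundle is legitimate cleanup.
        if members <= removed and members & canaries:
            wiped_dirs.add(parent)
    return {
        "threats_removed": sorted(threats & removed),
        "threats_missed": sorted(threats - removed),
        "collateral": sorted(canaries & (removed | changed)),
        "wiped_dirs": sorted(wiped_dirs),
    }


def build_sandbox(root: Path) -> set:
    """Create the constructed marker files and return the set of threat paths."""
    threats = set()
    for rel, is_threat in LAYOUT.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"constructed marker: {rel}\n")
        if is_threat:
            threats.add(rel)
    return threats


def simulate_wholesale_cleanup(root: Path) -> None:
    """Stand-in for a scanner that 'cleans' by deleting whole folders, the
    behaviour observed in the post. Deliberately naive; not any app's code."""
    shutil.rmtree(root / "Library/LaunchAgents")
    for sp in root.glob("Library/Application Support/Firefox/Profiles/*/searchplugins"):
        shutil.rmtree(sp)
    shutil.rmtree(root / "Applications/flashmall.app")


def run_demo() -> dict:
    """Build the sandbox, run the simulated scanner over it and classify."""
    root = Path(tempfile.mkdtemp(prefix="scanner-test-"))
    try:
        threats = build_sandbox(root)
        before = snapshot(root)
        simulate_wholesale_cleanup(root)  # replace with the real scanner run
        after = snapshot(root)
        return classify(before, after, threats)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a real product, replace the simulated cleanup with a pause while you run the scanner over the sandbox folder; a non-empty `collateral` or `wiped_dirs` list is the signature of the blanket deletion described above, and `threats_missed` lists what the scanner never recognised at all.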

[Image: nikoff-webmedic]

It’s also worth noting that the app will pester you to either rate the app or go to the company’s website… with no option to do anything else.

[Image: nikoff-webmedic2]

Click “Yes” and you’ll be taken to the App Store. Click “No” and you’ll be taken to the Nikoff Security website and prompted to contact them. There is no other way to close that window, or even quit the app, without clicking one of those buttons.

A couple of the other apps made by this company – Adware Scanner & Remover and Adware Browser Cleaner Pro – appear to simply duplicate subsets of the functionality of Adware WebMedic Pro. Adware Scanner & Remover performs the same “malware scan” function, while Adware Browser Cleaner Pro does the “web protection” part.

Another pair of apps popped up a week or so later: AntiKeylogger Doctor and AntiRansomware Doctor, each one $4.99 at the time of this writing. Some quick testing showed that they are junk as well.

AntiRansomware Doctor was trivial to test, since there has only been one ransomware app (KeRanger) for the Mac to date. I copied a KeRanger-infected copy of Transmission onto the desktop, and also installed the malicious kernel_service file that KeRanger copies into the user’s Library folder. AntiRansomware Doctor did not detect any part of it.

[Image: nikoff-antiransomware]

Similarly, I installed several different common Mac keyloggers and then ran AntiKeylogger Doctor, and it also reported that the system was clean, failing to detect any of the installed components.

The sixth and final app is called Antivirus Spartan Pro, and it is promoted by each of the other five apps, all of which feature a very prominent ad for this app at the bottom of their main windows. So, what does that app look like?

Antivirus Spartan Pro was originally a paid app, but has recently been made free, “for limited time only” according to its App Store page. (Which made it cheaper to analyze it!)

Antivirus Spartan Pro’s functionality encompasses all the functionality of the other apps – which is to say little to none. However, since it specifically markets itself as an anti-virus app, I threw one additional test at it. I installed all the major Mac malware from this year: KeRanger, Eleanor, Keydnap, AdwindRAT, and Mokes. All of these install files in the user folder, so all should be detectable even to an App Store app. Antivirus Spartan Pro detected none of them, telling me that the system was clean.

Once it was established that these apps were all junk, I got interested in tracking down the creator. According to the App Store, the developer is someone named “Nicholas Ebner.” The apps themselves direct the user to a Nikoff Security website, which is based in Romania. Unfortunately, the site’s ownership is hidden behind a privacy service, so that is all that could be learned from it.

There was one tantalizing – but completely unsubstantiated – hint that suggested that “Nicholas Ebner” may be a pseudonym. On two separate websites, Antivirus Spartan Pro was listed as being developed by a Nicolae Popescu:

[Image: nikoff-popescu]

Interestingly, there is a Nicolae Popescu, from Romania, who is wanted by the FBI for fraudulent online auctions. It is possible that Popescu has moved on to creating scam apps, and has failed to entirely cover up his involvement with these apps. And then again, this could very easily be a different Nicolae Popescu, or even an error made by one of these two sites and picked up by the other. We can’t know for sure, because that’s where the trail ran cold.

In any event, these apps are all PUPs, and will be detected by Malwarebytes Anti-Malware for Mac as PUP.NikoffSecurity.

ABOUT THE AUTHOR

Thomas Reed

Director of Mac & Mobile

Had a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.