Security researcher discovers popular Mac applications riddled with malware
Security researcher Alex Kleber has disclosed that seven different Apple developer accounts have abused the Apple Mac Store to distribute malware-infested applications.
The developer accounts, the applications associated with them, and each application's US App Store chart ranking are listed below.
- PDF Reader for Adobe PDF Files — Sunnet Technology Inc — Top #1 US Chart Education
- Word Writer Pro — Netozo Limited — Top #52 US Chart Business
- Screen Recorder — Safeharbor Technology L Ltd — Top #12 US Chart Education
- Webcam Expert — Wildfire Technology Inc — Top #68 US Chart Photo & Video
- Streaming Browser Video Player — Boulevard Technology Ltd — Top #8 US Chart Entertainment
- PDF Editor for Adobe Files — Polarnet Limited — Top #11 US Chart Business
- PDF Reader — Xu Lu — Top #25 US Chart Productivity
Kleber said the same Chinese developer created most of the applications published under these accounts.
The developer changed the applications’ code remotely once the Apple review team approved it.
Kleber explained this technique lets the developer change an application’s user interface after it passes the Apple team’s review.
The researcher analysed the “PDF Reader for Adobe PDF Files” application and found it would launch and only let users do one thing — update the application.
This would initiate the user interface change by activating the malicious code embedded in the application.
Kleber said there is no option to cancel or exit the update window.
“The user will not be able to quit the application without clicking that button — the only way to quit the application is by terminating the process using Activity Monitor.”
He said the applications would require users to pay for a subscription plan to use them.
According to Kleber, bad actors would spam copycat applications from different developer accounts to gain as much market share as possible.
He also noticed a pattern indicating that these applications use fake 5-star reviews to dupe consumers.
“The pattern resides in the review text like the strange repeated use of all-caps APP, repeated use of ‘we’ and ‘us’ as if the reviewer is representing an organisation.”
“Most of the 5-star reviews in the US App Store appear to be non-native English,” Kleber said.
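The review-text pattern Kleber describes (all-caps "APP" plus repeated "we"/"us" in 5-star reviews) lends itself to a simple scoring heuristic. The following is an added example, not code from the article or from the researcher; the review texts are constructed here for illustration, and the thresholds (`caps_app_min`, `we_us_min`) are assumptions a defender would tune against real review exports.

```python
import re

# Constructed sample reviews as (text, star rating); not real App Store data.
SAMPLE_REVIEWS = [
    ("Great APP! We use this APP every day and us team love it. APP is perfect.", 5),
    ("Solid PDF reader. Annotations work well, export to Word is a bit slow.", 4),
    ("This APP help us a lot, we recommend APP to everyone!!!", 5),
    ("Crashed twice on a 200-page document. Support never replied.", 1),
    ("We love it. Best APP.", 5),
]


def review_signals(text):
    """Count the two lexical signals named in the article for one review."""
    tokens = re.findall(r"[A-Za-z']+", text)
    caps_app = sum(1 for t in tokens if t == "APP")            # all-caps APP, case-sensitive
    we_us = sum(1 for t in tokens if t.lower() in ("we", "us"))  # organisational voice
    return {"caps_app": caps_app, "we_us": we_us, "tokens": len(tokens)}


def is_suspicious(text, rating, caps_app_min=1, we_us_min=2):
    """Flag a review only when it is 5-star and both signals clear their threshold.

    Thresholds are assumed defaults, not values from the article.
    """
    s = review_signals(text)
    return rating == 5 and s["caps_app"] >= caps_app_min and s["we_us"] >= we_us_min


def flag_reviews(reviews):
    """Return the texts of every review that matches the heuristic."""
    return [text for text, rating in reviews if is_suspicious(text, rating)]


def suspicious_share(reviews):
    """Fraction of 5-star reviews that match; a high share is the campaign-level signal."""
    five_star = [r for r in reviews if r[1] == 5]
    if not five_star:
        return 0.0
    return len(flag_reviews(reviews)) / len(five_star)


if __name__ == "__main__":
    for text in flag_reviews(SAMPLE_REVIEWS):
        print("suspicious:", text)
    print("share of 5-star reviews flagged: %.2f" % suspicious_share(SAMPLE_REVIEWS))
```

A single matching review proves little; the useful measurement is `suspicious_share` across an application's whole 5-star review set, compared against the same figure for unrelated applications in the same category.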
Since Kleber’s report, Apple has removed the malicious applications and fake reviews from the Mac App Store.