Browser add-ons are a common source of privacy and security concerns. While they are usually legitimate software products with real companies behind them, these plug-ins can also be used by unscrupulous software developers as a way to turn downloads of free software into a revenue stream: dropping browser add-ons that gather information from the user, inject advertisements into websites they visit, and even redirect searches and link destinations to the websites of paying customers. They also frequently disguise their installers’ true contents to lure people into allowing them to drop their unwanted payloads.

We recently analyzed a particularly aggressive sample of what we refer to as “bundleware”, an unscrupulous software installer that drops multiple unwanted applications under the guise of installing one legitimate application, targeting macOS Catalina users. This installer carried a total of seven “potentially unwanted applications” (PUAs), including three that targeted the Safari web browser for the injection of ads, hijacking of download links, and redirecting of search queries for the purpose of stealing users’ clicks to generate income. The injected content in at least one case was used for malvertising: popping up a malicious ad that prompted the download of a fake Adobe Flash update.

We’ve identified the installer as belonging to the Bundlore family, a common macOS bundleware installer family. Bundlore is one of the most common “bundleware” installers for the macOS platform; it accounts for nearly seven percent of all attacks against the macOS platform detected by Sophos, making it the second most common “badware” threat affecting macOS (with Genieo ranking first). Bundlore is also a common threat to Windows, primarily carrying extensions for Google Chrome, and some of the code used to target Chrome is shared with the macOS-targeting versions of the adware. What makes the recent macOS samples we found stand out from previous Bundlore versions is the way they have been updated to keep up with recent changes in macOS and Safari, in particular Apple’s changes to the format for Safari browser extensions. The Bundlore sample analyzed contained multiple Safari extension payloads, including two in the new App Extension format.

Extensions, by their nature, can process and modify the content of web pages viewed in Safari. These extensions, however, were “adware”: they contained code that injected new advertisements and links (including download links) and even redirected search queries from select search engine webpages. Code pulled from a remote server in support of two of the extensions also revealed some of the details of how these adware tools make money for their developers, listing dozens of search affiliate names related to the ad injector and search modification payload, and affiliate codes used to profit from visits to other sites.

PUAs are among the most common privacy and security threats to macOS. Since they can potentially steal personal data and act as a pathway for malvertising and other malware, Sophos (and other endpoint protection products) block PUAs as a rule. Apple’s XProtect feature in macOS also blocks known Bundlore payloads, and Apple revokes the developer signatures associated with them as well, blocking them from execution on current macOS versions.

[Figure: A macOS log of adware (in this case, MyCouponSmart) being blocked from running because of a banned developer code signature.]

Still, Macintosh users, like all computer users, should remain vigilant about installing downloaded software, as adware and PUA developers constantly create or subvert new developer accounts to avoid being blocklisted, and alter their installation tactics.

Adware Economics

Bundleware operators like Bundlore profit from their installers in several ways. Adware allows them to directly publish advertisements and collect payment for views, like a traditional advertising network, and advertisers can bypass things like content review for malicious scripts (“malvertising”). They can also change links on pages to redirect them, stealing “clicks” to get paid for forwarding a “customer” to a specific site or download through an affiliate code added to the referring link.

Because they change the page from within the browser itself, the user gets no security warnings about mixed content on the page. In some cases, adware browser extensions can completely replace one website with another. For example, a visit to one search site might be redirected to a look-alike site, or to a site with an API-based connection to the original site. This allows the operator to cash in on a referral for delivering the search. But it could also be used to direct users to content that might be harmful to their privacy or security.
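The two in-browser behaviours described on this page, rewriting outbound links to carry an affiliate code and redirecting search queries to a paid feed, are content-script work: the extension edits the DOM after the page has loaded, so nothing in the TLS or mixed-content machinery fires. The following is an added example, not code from the Sophos write-up or from the Bundlore samples. It models both behaviours in plain JavaScript (runnable under Node, no DOM needed) and adds the check a defender would actually use: a diff of the hrefs the server sent against the hrefs the live page shows. Every hostname, parameter name, feed URL and affiliate ID in it is an assumption chosen for illustration.

```javascript
// Added example, not code from the Sophos article or the Bundlore samples.
// Models the two content-script behaviours the article describes (search-query
// redirection and affiliate link rewriting) plus a defender-side diff that
// exposes them. Every hostname, parameter name, feed URL and affiliate ID
// below is an assumption chosen for illustration.

// Search-results pages carry the user's query in a known parameter. Adware
// lifts that query and resends it to a paid "search feed" under its own ID.
const SEARCH_ENGINES = {
  'www.google.com': 'q',
  'www.bing.com': 'q',
  'search.yahoo.com': 'p',
  'duckduckgo.com': 'q',
};

// Hypothetical affiliate search feed the operator is paid for.
const FEED_BASE = 'https://search.feed.example/results';

// Returns the redirect target for a search-results URL, or null when the URL
// is not a search-results page with a query (the adware leaves those alone).
function hijackSearch(href, affiliateId) {
  const url = new URL(href);
  const param = SEARCH_ENGINES[url.hostname];
  if (!param) return null;
  const query = url.searchParams.get(param);
  if (!query) return null;
  const target = new URL(FEED_BASE);
  target.searchParams.set('aff', affiliateId);
  target.searchParams.set('q', query);
  return target.toString();
}

// Hypothetical merchants with affiliate programmes, keyed by hostname, with
// the parameter each one reads the referrer code from.
const AFFILIATE_MERCHANTS = {
  'shop.example': 'ref',
  'downloads.example': 'partner',
};

// Rewrites an outbound link so the click is credited to affiliateId. Links to
// other hosts, and relative or javascript: links, come back unchanged.
function rewriteAffiliateLink(href, affiliateId) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return href; // not an absolute URL; nothing to monetise
  }
  const param = AFFILIATE_MERCHANTS[url.hostname];
  if (!param) return href;
  url.searchParams.set(param, affiliateId);
  return url.toString();
}

// Defender side: compare the hrefs the server sent (from a raw fetch of the
// HTML) against the hrefs the live DOM shows once extensions have run. The
// rewrite happens inside the browser, so no mixed-content or certificate
// warning fires; only a diff like this makes the tampering visible.
function auditLinks(servedHrefs, liveHrefs) {
  const findings = [];
  const n = Math.min(servedHrefs.length, liveHrefs.length);
  for (let i = 0; i < n; i++) {
    if (servedHrefs[i] === liveHrefs[i]) continue;
    const reasons = [];
    try {
      const before = new URL(servedHrefs[i]);
      const after = new URL(liveHrefs[i]);
      if (before.hostname !== after.hostname) reasons.push('host changed');
      for (const [k, v] of after.searchParams) {
        if (before.searchParams.get(k) !== v) reasons.push(`param added: ${k}=${v}`);
      }
    } catch (e) {
      reasons.push('unparseable URL');
    }
    findings.push({ index: i, reason: reasons.join('; ') || 'changed', before: servedHrefs[i], after: liveHrefs[i] });
  }
  if (liveHrefs.length !== servedHrefs.length) {
    // Extra anchors are the injected ad/download links the article describes.
    findings.push({ index: -1, reason: `link count changed: ${servedHrefs.length} served, ${liveHrefs.length} live` });
  }
  return findings;
}

// Constructed sample page: the hrefs as served, then what the DOM shows after
// a hypothetical adware content script rewrote them and injected an ad link.
const AFFILIATE_ID = 'aff-12345';
const SERVED_HREFS = [
  'https://shop.example/item/42',
  'https://news.example/story',
  'https://downloads.example/get?file=tool.dmg',
];
const LIVE_HREFS = SERVED_HREFS.map((h) => rewriteAffiliateLink(h, AFFILIATE_ID));
LIVE_HREFS.push('https://cdn.ads.example/flash-update'); // injected fake-update ad link

console.log(hijackSearch('https://www.google.com/search?q=flash+player&hl=en', AFFILIATE_ID));
console.log(auditLinks(SERVED_HREFS, LIVE_HREFS));
```

The audit only works if the "served" list comes from outside the affected browser (a fetch from a clean host, or the raw HTML captured by a proxy), since anything read back from the live DOM has already been through the extension's content script. Note also that a merchant link which already carried a legitimate affiliate parameter would be reported as a changed value rather than an added one, which is the usual sign of one operator overwriting another's code.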