A Walkthrough of a FAKEAV Infection in Mac OS X

09 Jun 2011

For some years now, FAKEAV has been a plague on Windows systems. Only recently has this threat entered the Mac OS X scene. As was the case with Windows-based FAKEAV, the most common infection vector for Mac FAKEAV is poisoned search results: search terms for popular topics are gamed so that malicious pages rank highly.

Take for example the following poisoned search result:

Accessing the website from a Mac leads the user directly to the following page (the site checks the visitor's platform and serves a Mac-specific lure):

Clicking “OK” on the above page leads to a page that supposedly scans the system for viruses.

After the fake scan is done, it reports the extent of the “infestation” the user’s Mac supposedly suffers from.

As you may have noticed, the above page closely mimics the Mac OS X Finder, whereas the FAKEAV “scanning page” for Windows mimics Windows Explorer. The scan itself is nothing more than a web page; no file on the system is ever inspected.

Clicking on “Remove all”, or anywhere else on the above page, results in the download of the file anti-malware.zip. This .ZIP file contains an Installer Package file (.pkg), which, if run, installs and launches a downloader application in the system’s Applications folder. This downloader application then fetches the actual FAKEAV app. Note that nothing has been installed at this point without the user’s help: the user must open the archive and run the installer, and the installer, in turn, needs the user to authorize it.
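The dropper described above is a plain zip archive that carries a native Installer package. The following Python snippet is an added example, not code from the original post or from Trend Micro; it shows a simple triage check a responder could run on such a download: list the archive members and flag any that are Mac installer or application bundles (.pkg, .mpkg, .app, .dmg), whether the package is flat (a single file) or bundle-style (a directory tree). The sample archive is constructed inline as a stand-in for anti-malware.zip; its member names are invented and are not the real file's contents.

```python
import io
import zipfile

# Bundle and package extensions that, if present inside a "security tool"
# download, mean the archive carries something the user would execute.
INSTALLER_SUFFIXES = (".pkg", ".mpkg", ".app", ".dmg")


def build_zip(members):
    """Build an in-memory zip from a {name: bytes} mapping (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for anti-malware.zip: a bundle-style Installer
# package next to a decoy text file. The member names are assumptions
# made for this example, not the real archive's contents.
SAMPLE_ZIP_BYTES = build_zip({
    "anti-malware.pkg/Contents/Info.plist": b'<plist version="1.0"/>',
    "anti-malware.pkg/Contents/Archive.pax.gz": b"\x1f\x8b\x08\x00",
    "README.txt": b"Thank you for downloading.",
})


def find_installer_payloads(zip_bytes):
    """Return the sorted names of installer/app bundles inside the archive.

    Handles both flat packages (a single 'foo.pkg' entry) and bundle-style
    packages (a 'foo.pkg/...' directory tree). A bundle nested inside another
    bundle is reported by its outermost bundle name only.
    """
    found = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            for part in member.split("/"):
                if part.lower().endswith(INSTALLER_SUFFIXES):
                    found.add(part)
                    break
    return sorted(found)


def is_suspicious_download(zip_bytes):
    """A zip that claims to be an anti-malware tool but actually delivers a
    native installer has exactly the shape of the FAKEAV dropper described above."""
    return bool(find_installer_payloads(zip_bytes))


if __name__ == "__main__":
    print(find_installer_payloads(SAMPLE_ZIP_BYTES))  # ['anti-malware.pkg']
    print(is_suspicious_download(SAMPLE_ZIP_BYTES))   # True
```

The check only looks at member names, so it is a first-pass filter rather than a verdict: a legitimate tool can ship as a .pkg too, and a malicious archive can hide its payload behind a different extension. Its value is in catching the mismatch between what the page promised (a cleanup of an already "scanned" system) and what was actually delivered (an installer that has to be run by the user).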

The first thing the FAKEAV application does is display a loading screen.

The FAKEAV application then does its best to scare the user with a fake list of detections.

Take note, however, that this particular FAKEAV software has some bugs. The “Infected Object/File” column shows only “[”, and the word “Trojan” is misspelled. The alarming red notifications in the upper right-hand corner of the screen may still do the trick, though.

Once the user is scared enough to click on “Cleanup”, the FAKEAV app announces that the current copy is “unregistered”.

Clicking on “Register” displays a prompt where the user can enter a serial number.

If the user does not have a serial number, there is always the convenient “Buy” button. Clicking on it loads the purchase page.

The page asks the user to choose among the available software licenses (the price of the “Lifetime” license is a steal!). Most importantly, it asks for the user’s credit card information.

Users who enter their credit card details on the above page hand this information to the criminals behind the scheme on a silver platter. With the criminals in possession of the card details, victims are exposed to fraudulent charges and identity theft. What is worse, the victims did not buy any real security software; after all, these variants are not named FAKEAV for nothing.
