About a decade ago, many Mac users confidently claimed that antivirus software was a waste of time "because Macs don't get malware."
They would admit that Mac malware was theoretically possible, but point out that they had never run into problems themselves – problems they knew about, anyway – and had never had to ask another Mac user for help with a malware attack. So they decided to ignore the rogue software problem entirely.
Some Mac fans went a step further and said that Macs were immune to malware because they are based on Unix, and Unix can't get viruses because the operating system is internally quite different from Windows and secure against malware by design.
The problem with sweeping claims of this kind is that you only need a single example of Unix malware – what you might call an existence proof – to debunk the theory, such as the notorious Morris Worm, which shut down the internet in November 1988.
Of course, we've written about Mac malware many times since 1988 – including zombies, data theft, ransomware, and many other types of badware.
Even Apple itself came to the antivirus party in 2009, when it built a rudimentary malware-blocking tool called XProtect directly into OS X (now macOS).
Whether you called it malware or not, there have long been "software players" ready to track Mac users in the same way they have been tracking Windows users for years.
Well, nothing has changed: even though you're more likely to run into malicious or unwanted software on Windows, you're not in the clear just because you're using a Mac.
In fact, SophosLabs has just published a fascinating new report on an adware threat known as Bundlore that Mac users should be very clear about.
Bundlore itself is not new – Sophos products have detected an adware family by this name on Windows and Mac since 2015 – but the operators behind it keep pace with the times.
As the name suggests, Bundlore is not really adware in itself, but what SophosLabs likes to call bundleware – a software installer that lures you in, for example with the promise that you will be able to "download, play and organize third-party files: video, audio and other content."
As you can see, the Mac version of the Bundlore installer, which arrives as a Mac DMG (disk image) file and presents itself as an app called WebTools, goes through a legitimate-looking license acceptance process.
The license states that much of what happens next depends on what various undisclosed "third parties" might do, much as a search engine warns you that it cannot vouch for the content of the pages it thinks you may be interested in.
For that reason, Sophos products do not detect Bundlore as outright malware. Bundlore installers are, however, blocked by default as PUAs (short for potentially unwanted applications), so you won't be taken by surprise.
For example, on the installation screen above, SophosLabs found that if you avoid the "express installation" and go for a "custom installation" – an option whose presence sounds reassuring, as though you aren't being forced into anything – then you don't really get a choice at all:
As the report explains:
PUAs are among the most common privacy and security threats to macOS. Sophos (and other endpoint protection products) typically block PUAs because they may steal personal information and act as a route for malvertising and other malware. Apple's XProtect feature in macOS also blocks known Bundlore payloads, and Apple also revokes the associated developer signatures and blocks their execution under (…) macOS.
What you will learn
To learn how risky this kind of innocent-looking bundleware can be, read the report, which deconstructs the techniques the Bundlore adware uses to change your browsing experience in subtle and unsafe ways.
In particular, newer versions of Bundlore for Mac support older and newer versions of Safari on the Mac at the same time, including browser plugins that work on all recent versions of macOS.
(Safari 13, which came with macOS 13, better known as Catalina, requires a different format for its browser plugins than Safari for older versions of macOS.)
Keep in mind that browser plugins run inside the browser itself, so they can see web requests before they go out and web responses before they are processed for display.
This means they can monitor and modify your web traffic even though you are using TLS encryption (HTTPS, short for secure HTTP), because plugins run before encryption is applied to outgoing traffic and after it has been removed from incoming traffic.
SophosLabs looks at the details of two of these Bundlore plugins, AnySearch and MyCouponSmart. The report describes how they work in a style that is technical enough to be revealing, but not so technical that you need to be a web developer to understand the risks.
In particular, these plugins can hijack search results to earn affiliate credit for the Bundlore crew, completely alter search responses to skew what you see, and rewrite download links to fetch unwanted content:
(A)dware operators diversify their sources of income. As the behavior of these scripts shows when replacing download links, adware operators are looking for new ways to use their control over the content of web browsers. This could lead to new privacy and security risks.
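The link-rewriting behaviour above is something a website can check for from its own side: compare the anchors the server actually sent with the anchors the browser is now displaying, and any download link whose target host has changed, or any link that was never served at all, points to in-browser tampering of the kind the Bundlore plugins are described as doing. The following is an added example written for this article, not code from the SophosLabs report or from Sophos; both HTML fragments and all hostnames in it are constructed.

```javascript
// Added example (not from the SophosLabs report): a page-side tamper check
// that compares served anchors with rendered anchors. Input is constructed.

// What the server sent (constructed sample).
const SERVED_HTML = `
<a id="dl-mac" href="https://downloads.example.com/app-1.2.dmg">Download for Mac</a>
<a id="dl-win" href="https://downloads.example.com/app-1.2.exe">Download for Windows</a>
<a id="docs" href="https://example.com/docs">Docs</a>`;

// What the DOM might look like after a link-rewriting plugin ran (constructed).
const RENDERED_HTML = `
<a id="dl-mac" href="https://installer.bundle-example.invalid/WebTools.dmg">Download for Mac</a>
<a id="dl-win" href="https://downloads.example.com/app-1.2.exe">Download for Windows</a>
<a id="docs" href="https://example.com/docs">Docs</a>
<a id="promo" href="https://coupons.example.invalid/deal">Coupon!</a>`;

// Map anchor id -> href. A simple regex is enough here because the fragments
// are well-formed and place id before href (an assumption of this example).
function extractAnchors(html) {
  const anchors = new Map();
  const re = /<a\s+[^>]*?id="([^"]+)"[^>]*?href="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) anchors.set(m[1], m[2]);
  return anchors;
}

// Report anchors that were rewritten (same id, different href) or injected
// (id never served). hostChanged flags a download now pointing elsewhere.
function findTampering(servedHtml, renderedHtml) {
  const served = extractAnchors(servedHtml);
  const rendered = extractAnchors(renderedHtml);
  const findings = [];
  for (const [id, href] of rendered) {
    if (!served.has(id)) {
      findings.push({ id, kind: 'injected', href });
    } else if (served.get(id) !== href) {
      const hostChanged = new URL(served.get(id)).host !== new URL(href).host;
      findings.push({ id, kind: 'rewritten', from: served.get(id), to: href, hostChanged });
    }
  }
  return findings;
}
```

In a real deployment the served copy would come from the page's own template or a signed manifest rather than a string literal, and findings would be reported to the site's telemetry so the operator can see how often visitors' browsers are altering its download links.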
Be careful out there, people!
(While you're here, we're happy to let you know that Sophos Home can block malware, PUAs, and dodgy web downloads on Windows and Mac for free.)