OSX/SurfBuyer: Real malware is in the eye of the device holder

Should software only be called malware only if it tries to damage the device or steal private data – or is tracking the user and flooding them with unwanted advertisements enough to get this negative label?

SurfBuyer, an adware developed for Apple’s MacOS, does just what every adware family out there does: it generates pop-ups, banners and other kinds of annoying advertisements. Many users mistake SurfBuyer for virus or worm because of the annoying and intrusive mode it operates.

But Surfbuyer’s behavior and consequences are really far from that of any normal malicious software. Most malware families typically do some harm to the targeted user PC: They can blackmail the user, lock up some files in case of Ransomware virus, steal personal data (bank accounts, login credentials), and more.

SurfBuyer can just track user browsing data and based on this bombard the browser with ads that fit that specific profile. In a worst-case scenario, some of the presented ads could redirect users to pages that contain a full variety of cyber threats like Ransomware or Trojans.

A questionable – but profitable – strategy

This adware is questionable initially because of the way it gets installed on a user’s machine. Most users are not aware that SurfBuyer is included in the software they’ve agreed to install on their devices. Since SurfBuyer doesn’t have the ability to infiltrate on other systems on its own, it is basically the users who, knowingly or not, permit its installation. This behavior and packaging precisely fits the Avira definition of a Potentially Unwanted Application. LINK

If you’re wondering “Ok, adware, adware, but where is the money?” the answer is quite simple: the developers who agree to spread ad-displaying software such as SurfBuyer earn money for it. This is a well-known marketing strategy called pay-per-click. The total amount of money is based on the number of the generated ads and as well as the clicks (accidentally or not) on those ads.

With SurfBuyer, the recipient just sees the ads. The application usually does not have a user interface so the user is not aware of what they have just installed in the background as part of the Mach-O executable i386 shown below.

The application

Fig. 1 – executed sample
Fig. 2 – executed sample – info

After execution, the sample creates a temp file mmLaunchMe in /private/tmp/.

Fig 3 – dropped file in temp folder
Fig. 4 – dropped file – file type

After the installation is finished, the user is bombed with ads:

Fig. 5 – Ads appearing after installation

Some SurfBuyer packages do have a user interface that appears when a frustrated device owner tries to remove it.

Fig. 6 – Another SurfBuyer sample – with user interface

Other SurfBuyer bundles are structured to download and installing multiple PUA applications. Two common examples are Advanced Mac Cleaner and MacminiSearch.

 

After executing the sample, Advanced Mac Cleaner app automatically launches, falsely alerting the user that their computer is at risk – typical PUA behavior.

Fig. 8 – Advanced Mac Cleaner (PUA) installed by Surfbuyer

But is SurfBuyer really malicious malware or not?

The correct answer is simple: It does not matter. It is up to the user to decide – what do you want?

Most device owners which have experienced SurfBuyer find it highly annoying. While a few people might think they’ll find some great deal, the usual result is a disturbed browsing experience or, in some extreme cases, an impossible browsing experience.

No, SurfBuyer is not malicious in the traditional sense because it does not affect anything inside the operating system. It doesn’t steal data, it doesn’t encrypt the hard drive, and it doesn’t blackmail the end user. Still, our professional advice is to uninstall this or any ad-generating program as the ads take a toll on your peace of mind and privacy.

Avira makes this easy, detecting this thread as OSX/SurfBuyer and preventing its installation on user’s systems.

 

 

Reference article: macworld.com/article/3237757/macs/adware-the-most-prolific-form-of-malware-on-macos.html