Is the new Mac 'trojan' hitting OS X browsers really a trojan?
The debate over how susceptible Apple systems are to malware has been raging for years. With the rise of various forms of PUPs (potentially unwanted programs), the line between annoying adware and full-blown malware is becoming increasingly blurred. So blurred, in fact, that even the antivirus companies can't agree on whether one piece of malware is a trojan or not.
Antivirus firms are warning of a "potentially unwanted" adware programme which is using deceptive techniques to attach itself to Chrome, Firefox and Safari on Mac OS X.
The Yontoo browser plugin is published by Yontoo LLC, which describes itself as a US-based software company that "creates virtual layers that can be edited to create the appearance of having made changes to the underlying website".
The ambiguously addressed support page says that Yontoo works across IE, Chrome and Firefox on Windows and Safari, Chrome and Firefox on Mac OS X, stating that: "All your changes and edits will show up on any computer with Yontoo installed."
However, Russian antivirus company Dr Web classifies it as a trojan because of the deceptive methods its installation process uses.
Yontoo spoofs an Apple dialogue box used to seek permission to install a program. "After clicking on 'Install the plug-in, the user is redirected to another site from which Trojan.Yontoo.1 is downloaded," Dr Web says.
Fraudsters have rigged movie trailer pages that contain a prompt encouraging users to install a plugin needed to view the content. However, granting permission merely installs the Yontoo plugin.
"Yontoo has also been deceptively packaged as a media player, video enhancement software and a download accelerator, including an offer to install "Free Twit Tube", which again installs Yontoo. Once installed, it displays ads that would not otherwise appear," Dr Web says.
Not all antivirus companies are classifying Yontoo as a trojan, however.
Symantec assessed the Windows version of Yontoo as "potentially unwanted software". On Windows, the plugin installs a browser extension displaying advertisements that appeared to come from Facebook, Symantec said.
French OS X antivirus firm Intego also added a signature for the adware program because of the deceptive installation.
"If you also have a situation where these adware programs are being installed surreptitiously (without the user being aware or approving the installation), that's where it falls far enough into the darker side of grey to qualify for detection," said Intego's Lisa Myers.