The Stack Archive

Hackers exploit MacKeeper flaw with new Mac OS malware

Tue 23 Jun 2015

A newly-discovered security flaw in MacKeeper, the controversial OS clean-up utility, is providing cybercriminals a backdoor to diffuse a new strain of Mac malware known as OSX/Agent-ANTU, according to researchers at BAE’s cyber security unit.

MacKeeper, which has been downloaded over 20 million times, was quick to patch the hole after it had been notified of the virus, but until users update their software they are still at risk of being attacked via the Remote Code Execution (RCE) bug.

Hackers were discovered to have been directing targets to an infected webpage, and using a single line of JavaScript they would send a command script to MacKeeper, which would then process it.

The download alert mimicked a malware report from MacKeeper and requested the user’s administrative password, giving the virus control over the entire system.


Lead security researcher Sergei Shevchenko said that it took only a few days after the flaw and proof of concept were disclosed for cyber crooks to begin injecting the malware via MacKeeper.

“The first reports on this vulnerability suggested that no malicious MacKeeper URLs had been spotted in the wild yet. Well, not anymore,” he said.

“Since the proof of concept was published, it took just days for the first instances to be seen in the wild … attackers might simply be ‘spraying’ their targets with the phishing emails hoping that some of them will have MacKeeper installed, thus allowing the malware to be delivered to their computers and executed,” explained Schevchenko.

The malware enables remote power over commands, uploads and downloads, and setting execution permissions. The bot can also gain access to system information such as details of VPN connections, user names, and lists of processes and statuses.

MacKeeper users are advised to update to version 3.4.1 to guard against the vulnerability.


Apple malware security VPN
Send us a correction about this article Send us a news tip