Fake Google Chrome, Safari Updates Infecting Mac Computers With AMOS Malware

Fake Google Chrome and Safari updates for macOS are being used to infect Mac computers with the nefarious Atomic Stealer malware, also known as AMOS. Distributed to Mac owners as part of a social engineering campaign, AMOS can steal passwords, private files stored on a Mac. Users will need to stay alert and possibly use web protection tools in order to protect themselves from malware distributed by social engineering, as malware creators appear to be turning their attention to Mac owners.

Security firm Malwarebytes shared details of the latest version of Atomic Stealer, malware that is distributed to macOS users via ClearFake, a campaign that uses hijacked WordPress websites to deliver fake browser updates for Chrome and Safari. The distribution of AMOS via ClearFake to macOS users was recently spotted by Ankit Anubhav, a security researcher.

The fake Google Chrome update page shown to users
Photo Credit: Malwarebytes

The malware is distributed via hijacked sites that closely resemble the Google Chrome download page, and a fake Safari update page that uses outdated icons from older macOS versions. However, the rest of the webpage design might convince some users to click and download the malware, while the fake Chrome download looks more convincing.

When the user clicks the download button, the malicious .dmg file is then downloaded to the Mac computer, disguised as a browser installer. Once it downloaded and opened, the user is prompted to enter the administrator password that will run nefarious commands on the device, including stealing passwords from Apple’s Keychain and exfiltrate document, images, wallets and other data from the user’s desktop and documents folders on macOS.

In order to stay protected from the malware, users will have to make sure they use some form of web protection — such as the Safe Browsing setting inside Google Chrome. Doing so might block some of these malicious sites from loading altogether.

Meanwhile, users should avoid downloading installers for Chrome from unknown websites. These social engineering websites are aimed at fooling users who might find it difficult to discern which websites are genuine. A good rule of thumb is to check whether the address bar shows google.com. On the other hand, Apple does not distribute Safari updates outside of operating system updates, so there are no official downloads that can be installed by users.