OSX/SurfBuyer


Posted: June 26, 2019

OSX/SurfBuyer is an adware program that injects advertising content into the user's Web browsing sessions. Although its behavior is not invasive enough to classify it as a Trojan, malware experts rate it as adware, or a Potentially Unwanted Program (PUP), that can cause security issues. Users wishing to uninstall OSX/SurfBuyer, or to avoid an unwanted installation, can use appropriate security software to do so.

Surfing on a Crest of Pop-Up Advertisements

Adware isn't just a problem for Windows users; software that delivers unwanted advertising turns up periodically on Linux and macOS systems, too. OSX/SurfBuyer is a typical case of adware, with features and functionality that imply a lack of consent on the user's part, without going far enough to be classifiable as an outright Trojan. What does set OSX/SurfBuyer apart from its competitors, however, is its latest arrival method: the OSX/Linker Trojan.

The threat actors using OSX/SurfBuyer for Pay-Per-Click profits are switching to this second threat, which is an actual Trojan, to bypass macOS's Gatekeeper file checks. The installation method sidesteps those checks by packaging the download as an archive or disk image whose contents reference code hosted on a remote server; that remote code then downloads and installs the OSX/SurfBuyer adware. Because Gatekeeper examines the file the user opens rather than the code it references remotely, the drive-by download never gets the file flagged as unsafe.
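One practical check for an archive or disk image that arrives this way is to look for contents that point outside the image itself, since an image that references its executable from somewhere else is exactly the pattern described above. The Python script below is an added example, not code from the original article or from the OSX/Linker or OSX/SurfBuyer authors. It assumes the image has already been mounted (or the archive extracted) at a local directory, treats macOS's /net NFS automount directory as the remote-looking location of interest (an assumption made here for illustration), and scans a constructed sample tree of its own rather than a real image.

```python
"""
Scan a mounted disk image (or an extracted archive directory) for symbolic
links whose targets resolve outside the mount point.  A link that leaves the
image is worth a second look; a link into /net (macOS's NFS automounter) means
the "payload" is not in the image at all but fetched from a remote share.

Added example, not code from the original article.  The remote-looking prefix,
the sample tree and the sample hosts/paths are assumptions made here.
"""
import os
import tempfile

# macOS mounts NFS shares on demand under /net/<host>/<share>.  Treating that
# prefix as "remote" is this example's assumption, not a claim about OSX/Linker.
REMOTE_PREFIXES = ("/net/",)


def classify_symlink(link_path, mount_root):
    """Return 'internal', 'remote' or 'external' for one symlink.

    'internal' : target resolves inside the mount point (normal alias)
    'remote'   : target resolves under a remote-looking prefix
    'external' : target resolves elsewhere on the local disk
    """
    raw_target = os.readlink(link_path)
    # Resolve relative targets against the link's own directory, then canonicalise.
    resolved = os.path.realpath(os.path.join(os.path.dirname(link_path), raw_target))
    root = os.path.realpath(mount_root)
    if resolved == root or resolved.startswith(root + os.sep):
        return "internal"
    if resolved.startswith(REMOTE_PREFIXES):
        return "remote"
    return "external"


def find_suspicious_links(mount_root):
    """Walk the mount and return (relative path, raw target, verdict) for every
    symlink that does not stay inside the image."""
    findings = []
    # os.walk does not follow symlinked directories, so a link out of the image
    # is reported once rather than traversed.
    for dirpath, dirnames, filenames in os.walk(mount_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            verdict = classify_symlink(path, mount_root)
            if verdict != "internal":
                findings.append((os.path.relpath(path, mount_root), os.readlink(path), verdict))
    return findings


def build_sample_image(base):
    """Construct a fake mount tree standing in for a mounted .dmg (constructed
    sample; the host 203.0.113.10 is a documentation address)."""
    os.makedirs(os.path.join(base, "Install.app", "Contents", "MacOS"))
    with open(os.path.join(base, "README.txt"), "w") as fh:
        fh.write("constructed sample\n")
    # Benign: an alias that stays inside the image.
    os.symlink("README.txt", os.path.join(base, "ReadMe alias"))
    # Suspicious: the app bundle's main executable lives on an NFS automount.
    os.symlink("/net/203.0.113.10/share/payload",
               os.path.join(base, "Install.app", "Contents", "MacOS", "Install"))
    # Suspicious: a link that leaves the image onto the local disk.
    os.symlink("/usr/bin/true", os.path.join(base, "Updater"))


def run_demo():
    """Build the constructed sample image in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        return sorted(find_suspicious_links(tmp))


if __name__ == "__main__":
    for rel_path, target, verdict in run_demo():
        print(f"{verdict:8} {rel_path} -> {target}")
```

On a real macOS system the same scan would be pointed at the volume under /Volumes where the image mounted, and the findings combined with a look at the quarantine attribute (`xattr -p com.apple.quarantine <file>`) on anything the image references, since a file reached through a network share may carry no quarantine flag for Gatekeeper to act on.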

Once on the user's computer, OSX/SurfBuyer behaves much like most other adware. It tracks Web-surfing activity in browsers such as Safari and uses that information to select advertisements, including pop-ups. Unlike some more invasive adware, OSX/SurfBuyer's content carries labels that refer to the add-on, which helps the user identify the source of the advertisements.

Not Buying What Software Exploiters are Selling

The threat actors most closely tied to OSX/SurfBuyer campaigns are testing variants of the OSX/Linker Trojan that are disguised as fake Flash updates. Users can avoid this tactic by downloading updates only from the relevant vendor's own site, such as Adobe's, rather than from links on third-party pages. Traditional anti-malware products may block the Trojan before it drops OSX/SurfBuyer, although there is no security update for Gatekeeper that addresses this bypass at the time of writing.

Adware isn't always solitary, and malware researchers do see other threats and Potentially Unwanted Programs arriving with it, such as:

  • Advanced Mac Cleaner, a junk file cleaner.
  • MacminiSearch, a search engine service.

Neither of these programs is currently classifiable as a Trojan, but the latter may interfere with your navigation by changing your search results, and the former may deliver inaccurate analyses of your computer's files or performance.

Some installations of OSX/SurfBuyer run without any visible interface, or display misleading uninstallation prompts. Users can ensure safe removal of OSX/SurfBuyer by using appropriate anti-adware or anti-malware tools, but should close all Web browsers beforehand.

There are a million adware add-ons like OSX/SurfBuyer, but not many of them ride the latest vulnerabilities. Mac users who think patching software will take care of all their problems may wake up to find pop-up advertisements telling them otherwise.