The Mac Defender virus that has plagued Apple since the beginning of May has mutated into a more dangerous strain, according to security firm Intego.
Several variations of the fake antivirus malware have appeared since Mac Defender first emerged, but Intego claims the latest is more of a threat because it no longer needs an admin password for installation.
“Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program,” the company said on its blog.
“Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed,” the post said.
“This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.”
Intego said it was grading the issue as a medium-level threat, partly because the widespread attention to the virus had led to SEO poisoning, with malware sites appearing high in search results.
According to Intego, the new variant comes in two parts. The first is a downloader and installation package called avSetup.pkg, which downloads automatically from poisoned websites.
The second part of the malware is a new version of the Mac Defender application, called MacGuard, which avRunner downloads from an IP address hidden in an image file in avRunner’s Resources folder.