macOS usually does a pretty good job of protecting against malware (usually adware), and when one slips through the cracks, anti-malware apps like Malwarebytes do a good job of removing it.
However, occasionally a really nasty piece of code comes around, and proves tough to get out of your Mac’s system. Malwarebytes’ blog (via 9to5) warns of a new version of Crossrider adware that has a new way to prevent itself from being removed. Surprise, surprise, it poses as a Flash Player installer to plant itself on your system.
A new variant of the Crossrider adware has been spotted that is infecting Macs in a unique way. For the most part, this variant is still quite ordinary, doing some of the same old things that we’ve been seeing for years in Mac adware. However, the use of a configuration profile introduces a unique new method for maintaining persistence.
Persistence is the goal of most malware. After all, what good is it to infect a machine if the malware stops running as soon as the computer restarts? There are some cases where that can still be useful (ransomware, for example), but in most cases, that’s not desired behavior. So malware creators are often stuck using the same old methods of persistence that are easy to spot. Sometimes, though, they get creative.
To protect itself, the malware changes your homepage in both the Safari and Chrome browsers, and it doesn’t allow you to change it back or to another page.
After removing Advanced Mac Cleaner, and removing all the various components of Crossrider that have been littered around the system, there’s still a problem. Safari’s homepage setting is still locked to a Crossrider-related domain, and cannot be changed.
It turns out that this is caused by a configuration profile installed on the system by the adware. Configuration profiles provide a means for IT admins in businesses to control the behavior of their Macs. These profiles can configure a Mac to do many different things, some of which are not otherwise possible.
In the case of this Crossrider variant, the configuration profile that is installed forces both Safari and Chrome to always open to a page on chumsearch[dot]com. This also prevents the user from changing that behavior in the browser’s settings.
The profile proves tough to track down among your system's profiles and delete.
This profile installs with an identifier of com.myshopcoupon.www, which is not visible in System Preferences. However, the profile can definitely be identified by scrolling through the details and looking for references to chumsearch[dot]com.
When you’ve finally found it, you can delete it and restart your Mac and then change your homepage back.
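Because the profile's identifier does not show up in System Preferences, the practical way to confirm what a profile is doing is to read its payloads directly. The script below is an added example, not code from Malwarebytes or from the article: it parses a configuration profile (.mobileconfig plist) with Python's standard plistlib and flags any payload that pins a browser homepage or references the chumsearch.com domain named above. The sample profile is constructed for illustration (its identifier com.myshopcoupon.www comes from the write-up); the Safari and Chrome preference key names and the mcx_preference_settings layout are assumptions based on the managed-preferences conventions those browsers use.

```python
"""Scan a macOS configuration profile (.mobileconfig) for payloads that
force a browser homepage, the persistence trick described in the article.
Added example: the profile bytes are constructed, not a real sample."""
import plistlib
from typing import Any, Iterator, List, Tuple

# Indicator from the write-up (defanged there as chumsearch[dot]com).
SUSPICIOUS_DOMAINS = ("chumsearch.com",)

# Managed-preference keys that pin a browser start page. The key names follow
# Safari's and Chrome's preference/policy conventions (assumption).
HOMEPAGE_KEYS = {
    "HomePage",              # com.apple.Safari
    "HomepageLocation",      # com.google.Chrome
    "HomepageIsNewTabPage",  # com.google.Chrome
    "RestoreOnStartupURLs",  # com.google.Chrome
}

Finding = Tuple[str, str, str, Any]  # (profile id, payload type, key path, value)


def _walk(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], Any]]:
    """Yield (key path, value) for every scalar in a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))
    else:
        yield path, node


def scan_profile(data: bytes) -> List[Finding]:
    """Return one finding per value that sets a homepage key or names a suspicious domain."""
    profile = plistlib.loads(data)
    profile_id = profile.get("PayloadIdentifier", "<no identifier>")
    findings: List[Finding] = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<unknown>")
        for path, value in _walk(payload):
            hits_key = any(part in HOMEPAGE_KEYS for part in path)
            hits_domain = isinstance(value, str) and any(d in value for d in SUSPICIOUS_DOMAINS)
            if hits_key or hits_domain:
                findings.append((profile_id, ptype, "/".join(path), value))
    return findings


def suspicious_profile_ids(data: bytes) -> set:
    """Identifiers of profiles that produced at least one finding (what you would remove)."""
    return {finding[0] for finding in scan_profile(data)}


# Constructed sample: a "Custom Settings" (MCX) payload forcing both browsers
# to the adware domain, plus an unrelated Wi-Fi payload for contrast.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.myshopcoupon.www",
    "PayloadDisplayName": "Search Settings",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.ManagedClient.preferences",
            "PayloadIdentifier": "com.myshopcoupon.www.browsers",
            "PayloadContent": {
                "com.apple.Safari": {"Forced": [{"mcx_preference_settings": {
                    "HomePage": "http://chumsearch.com/?s=example"}}]},
                "com.google.Chrome": {"Forced": [{"mcx_preference_settings": {
                    "HomepageLocation": "http://chumsearch.com/?s=example",
                    "HomepageIsNewTabPage": False}}]},
            },
        },
        {
            "PayloadType": "com.apple.wifi.managed",
            "PayloadIdentifier": "example.wifi",
            "SSID_STR": "CorpWiFi",
        },
    ],
})

# Constructed benign profile: nothing to report.
BENIGN_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.benign",
    "PayloadContent": [{"PayloadType": "com.apple.wifi.managed", "SSID_STR": "CorpWiFi"}],
})

if __name__ == "__main__":
    for profile_id, ptype, path, value in scan_profile(SAMPLE_PROFILE):
        print(f"{profile_id} [{ptype}] {path} = {value!r}")
```

On a real Mac the installed profiles can be enumerated with the `profiles` command (`sudo profiles -P` on older releases, `profiles list` on newer ones) and removed by identifier once you know which one to target; the script is meant to be pointed at a saved .mobileconfig file rather than at the profile store itself. Its findings flag any forced homepage, not only the chumsearch.com one, so a legitimately managed Mac will also report its IT-imposed homepage, which is exactly the kind of thing you want to see listed before deciding what to remove.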
The Malwarebytes blog offers step-by-step details on how to remove this bit of trash.