After analyzing what it calls an aggressive sample of bundleware, security solutions firm Sophos found that the “unscrupulous software installer” carried a total of seven potentially unwanted applications (PUAs), including three that targeted the Safari web browser to inject ads.
Bundleware drops multiple unwanted applications under the guise of installing one legitimate application; the sample analyzed here targets macOS Catalina users.
The company found that the installer belongs to the Bundlore family, a common macOS bundleware installer family that accounts for nearly 7% of all attacks against macOS detected by Sophos.
It has earned the reputation of being the second most common “badware” threat affecting macOS (Genieo ranks first). Bundlore is also a common threat on Windows, where it primarily carries extensions for Google Chrome, and some of the code used to target Chrome is shared with the macOS versions of the adware.
The Bundlore sample analyzed contained multiple Safari extension payloads, including two in the newer App Extension format. As Sophos notes, extensions by their nature can process and modify the content of web pages viewed in Safari. These particular extensions, however, were adware: they contained code that injected new advertisements and links, including download links, and even redirected search queries away from selected search engine pages. Code pulled from a remote server in support of two of the extensions also revealed some details of how these adware tools make money for their developers.
Potentially unwanted applications
“PUAs go beyond just injecting ads into websites; they’re redirecting where a user’s browser searches are sent for the purpose of stealing clicks for money and even changing links for software downloads. Users should exercise caution when downloading software from unknown sources and stay alert when an unfamiliar app tries to install browser extensions,” said Xinran Wu, senior threat researcher at Sophos.
PUAs are among the most common privacy and security threats on macOS. Because they can steal personal data and act as a pathway for malvertising and other malware, Sophos (like other endpoint protection products) blocks PUAs as a rule.
Apple’s XProtect feature in macOS also blocks known Bundlore payloads, and Apple revokes the developer signatures associated with them, which stops them from running on current macOS versions.
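Two points above translate into a check an administrator can run on a Mac: Safari App Extensions are registered with the system and can rewrite page content, and Apple's response to this family is to revoke the developer signatures. The script below is an added example, not part of the article and not Sophos's or Apple's tooling. It lists the registered Safari App Extensions with `pluginkit`, then runs `codesign` and `spctl` against each extension's parent app so that an invalid signature or a revoked Developer ID shows up as a failure. The layout of `pluginkit`'s verbose listing that the parser expects is an assumption, and the sample listing embedded in the script is constructed to that layout so the parser can be exercised on a machine without `pluginkit`; the bundle identifiers and paths in it are invented.

```shell
#!/bin/sh
# Added example, not Sophos's tooling: audit the Safari App Extensions registered on a
# Mac and check the code signature / Gatekeeper verdict of each extension's parent app.
# Assumptions (about pluginkit's verbose listing, not taken from the article):
#   - `pluginkit -mAvvv -p com.apple.Safari.extension` prints, per extension, an
#     identifier line "<marker> <bundle.id>(<version>)" followed by indented
#     "Key = value" lines, among them "Path" (the .appex) and "Parent Bundle" (the app).
#   - The leading marker, when present, is one of + - ! ?.
# The sample below is constructed to that shape; ids and paths are invented.

SAMPLE_PLUGINKIT_OUTPUT='+    com.example.reader.extension(2.1)
           Path = /Applications/Reader.app/Contents/PlugIns/ReaderExt.appex
            SDK = com.apple.Safari.extension
  Parent Bundle = /Applications/Reader.app
   Display Name = Reader
-    com.example.dealfinder.extension(1.0)
           Path = /Users/me/Applications/DealFinder.app/Contents/PlugIns/DealFinder.appex
            SDK = com.apple.Safari.extension
  Parent Bundle = /Users/me/Applications/DealFinder.app
   Display Name = DealFinder'

# Reads pluginkit-style output on stdin and emits one TAB-separated record per
# extension: marker ("." when absent), bundle id, .appex path, parent app path
# ("-" when the listing did not carry the key).
parse_pluginkit_output() {
    awk '
        function flush() {
            if (id != "") {
                if (path == "")   path = "-"
                if (parent == "") parent = "-"
                printf "%s\t%s\t%s\t%s\n", marker, id, path, parent
            }
            id = ""; path = ""; parent = ""; marker = ""
        }
        # identifier line: optional marker, whitespace, reverse-DNS id, "(version)"
        /^[+!?-]?[ \t]+[A-Za-z0-9._-]+\(.*\)$/ {
            flush()
            marker = substr($0, 1, 1)
            if (marker !~ /^[+!?-]$/) marker = "."
            id = $0
            sub(/^[+!?-]?[ \t]+/, "", id)
            sub(/\(.*$/, "", id)
            next
        }
        /^[ \t]*Path = /          { sub(/^[ \t]*Path = /, "");          path = $0;   next }
        /^[ \t]*Parent Bundle = / { sub(/^[ \t]*Parent Bundle = /, ""); parent = $0; next }
        END { flush() }
    '
}

# Verifies one app bundle: codesign checks the signature (nested .appex bundles
# included via --deep); spctl applies Gatekeeper policy, which rejects a bundle whose
# Developer ID certificate Apple has revoked. Prints OK, FAIL, or SKIPPED (tools absent).
check_signature() {
    bundle=$1
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "SKIPPED"
        return 0
    fi
    if codesign --verify --deep --strict "$bundle" >/dev/null 2>&1 \
       && spctl --assess --type execute "$bundle" >/dev/null 2>&1; then
        echo "OK"
    else
        echo "FAIL"
    fi
}

# Lists every Safari extension with its parent app and signature verdict. Where
# pluginkit is missing (any non-macOS host) the constructed sample is used instead.
audit_safari_extensions() {
    tab=$(printf '\t')
    if command -v pluginkit >/dev/null 2>&1; then
        pluginkit -mAvvv -p com.apple.Safari.extension
    else
        printf '%s\n' "$SAMPLE_PLUGINKIT_OUTPUT"
    fi | parse_pluginkit_output | while IFS=$tab read -r marker id appex parent; do
        printf '%s\t%s\t%s\t%s\n' "$marker" "$id" "$parent" "$(check_signature "$parent")"
    done
}

audit_safari_extensions
```

Run it as the logged-in user, since Safari extensions are registered per user. A FAIL line names a parent app worth removing outright rather than just disabling its extension in Safari's preferences, because the same installer typically dropped other payloads alongside it.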