Yontoo Trojan Used to Inject Advertisements in Browsers on Mac OS X

A new Mac OS X Trojan that injects advertisements in browser has been identified by Bitdefender’s Mac OS X researchers.

This piece of malware does not attack the operating system, but rather disguises itself as a plugin for watching web videos to lure unwary victims into downloading, executing and installing a number of browser plugins for Safari, Chrome and Firefox.

The infection occurs when the user visits an impersonated video website and is asked to install a video player plugin to render the multimedia content. Instead of the promised plugin, the user gets a silent version of the Yontoo Installer, which deploys Yontoo.safariextz, YontooFFClient.xpi and YontooLayers.crx.

Once injected into the browser, these plugins can modify the HTML contents of the visited page as it gets rendered on the screen, and it injects advertisements from partner websites relevant to the profile of the site visited. These advertisements are probably linked to affiliate marketers who get a cut every time the user purchases anything by clicking through the ads.

Unlike conventional affiliate marketing, these banners can be injected into practically any page, including that of the product’s manufacturer. Chances are the user will actually click the banner when looking for products or goods in the belief it is being displayed by the site owner or company.

If you have stumbled upon this, don’t help the bad guys raise money. Instead, install an antivirus and keep your shiny Mac clean. We detect this threat as MAC.OSX.Trojan.Yontoo.A and block it before it infects your browser. You can get the lightweight version of the scanner for free via the App Store, or you can purchase Bitdefender Antivirus For Mac from the Bitdefender website.