Mac malware installer automatically grants access to keychain

A researcher published a zero-day vulnerability in OS X in July without giving Apple preemptive warning or notification. Following that news, Malwarebytes discovered an adware installer exploiting the flaw.

Apple patched the OS X DYLD_PRINT_TO_FILE bug, but now, Malwarebytes is reporting that a new variant of the adware installer has surfaced. This time, however, it is no longer blocked by OS X anti-malware protections.

The updated installer, when executed, slips an installer window into the process that asks for permission to access the user's keychain. It is automatically clicked as soon as it appears, which allows the installer to gain access to the Safari Extensions List. This lets it install a Genieo Safari extension.

But far more concerning, the researcher wrote, is it could easily be modified to gain access to other things from the keychain, including a user's iCloud password.