Despite Apple’s security guarantees, the company authorized known malware to run on the Mac operating system, according to security researcher Patrick Wardle. Working with Mac user Peter Dantini, Wardle discovered that Apple accidentally approved a prevalent piece of macOS malware disguised as a Flash Player update.
Malware on macOS is no longer a rare occurrence. However, malware that targets the Mac isn’t as well-developed as the viruses found on Windows. The downside is that threats to the Mac are evolving, and the culprits inhabiting the invisible web are developing their strategies and increasing their ability to damage the OS.
The best malware removal software available right now is Malwarebytes Premium. If you're suffering from a malware infection and free software isn't getting the job done, Malwarebytes Premium could.
Browser hijackers are among the most common types of malware on both Mac and PC. They present themselves as a better way to surf the web or even ‘the perfect way to surf the web’ but in reality harvest your browsing data, redirect your browser, and display adverts for questionable products and services. SafeFinder is one such browser hijacker.
What is SafeFinder?
Just like real viruses, computer viruses also mutate. The creators behind SafeFinder may soon change certain details about this virus to evade detection. So technically, it doesn't matter if the virus is called 'Safefinder', 'EasySearch', or has any other fake name. What we deal with is the whole category of malware that overtakes your browser search.
Name | SafeFinder search redirect |
Category | macOS browser hijacker, adware redirect |
Also known as | SafeFinder for Mac, SafeFinder.biz |
Symptoms | Overrides the default search engine, displays ads |
Infection method | Flash Player updater, pirated apps |
System damage | Installs malicious profiles, hijacks Safari preferences |
Removal | CleanMyMac X anti-virus, Malwarebytes |
The SafeFinder virus belongs to a category of malware known as ‘potentially unwanted programs’, or PUPs for short. PUPs can take many forms, but the one thing they have in common is that they are usually downloaded inadvertently because they are bundled with apparently legitimate software.
In SafeFinder’s case, once downloaded and installed, it hijacks your web browser, in much the same way as Chumsearch and Any Search. When you launch your web browser after SafeFinder has installed itself, your homepage will have changed to search.safefinderformac.com, search.macsafefinder.com, or search.safefinder.com. When you type a search query into the box, the search is eventually redirected to Yahoo, but in the meantime SafeFinder may have gathered information from your browser and forwarded it to a central server. It may also display adverts and slow down your browser. So how to get rid of SafeFinder? First, we’ll perform some diagnostics.
How to tell if SafeFinder has infected your Mac
The most noticeable change is what you see as soon as you launch a web browser: its homepage has been changed to a web address that includes the term ‘safefinder’.
The most common way that browser hijackers are downloaded is by bundling with other apps or tools. In SafeFinder’s case, it appears to be bundled with media apps named NicePlayer or MPlayerX. The latter used to be one of the best media players on the Mac for playing files directly from a high-definition digital video camera and is still in the Mac App Store. However, it hasn’t been updated in several years and it appears that hackers now use it to bundle malware. So you shouldn’t download it from anywhere other than the Mac App Store.
The last few versions of macOS have a tool called Gatekeeper which allows you to only download apps from either the Mac App Store alone, or the Mac App Store and developers whom Apple trusts. However, it is possible to override Gatekeeper on a case-by-case basis, and if you’re running an older version of macOS, you won’t be protected at all.
How to remove SafeFinder from your Mac
Step 1: Remove SafeFinder from your Applications folder
- Go to your Applications folder and look for any apps that you don’t recognize or that look suspicious. In particular, look out for apps with SafeFinder in their name, as well as NicePlayer, and if you haven’t downloaded it from the Mac App Store, MPlayerX.
- If you find any apps in step 1, drag them to the Trash and empty it.
- Launch System Preferences from the Apple menu.
- Look in the bottom row for a pane called Profiles. If it’s there, click on it.
- Click on the profile called ‘AdminPrefs’ and press the ‘-’ at the bottom of the window to remove it.
Step 2: Check your Login Items
Some PUPs add themselves to your Login Items so that they launch at startup. Although you’ve now removed SafeFinder, for completeness you should also remove its Login Item.
- Go to System Preferences and choose Users & Groups.
- Click on your username and then the padlock, and type in your password.
- Choose the Login Items tab, check the box next to the SafeFinder Login Item and then press ‘-’.
Step 3: How to remove SafeFinder from your browsers
What we'll do is reset the homepage to its default state.
Remove SafeFinder from Safari
- Launch Safari, click on the Safari menu and choose Preferences.
- Select the General tab and next to ‘Homepage’ type the URL of the site you want to use as your homepage.
- Select the Search tab, and choose the search engine you want to set as the default.
Also, you need to remove the Safari preferences file, which is stored in the Library folder on your Mac. Don't worry: if you delete the infected preferences file, it will be recreated automatically without the virus entries in it.
Click on the Finder and choose Go in the top menu.
Choose Go to Folder..
Paste in:
Click on the Finder and choose Go in the top menu.
Choose Go to Folder..
Paste in:
Delete the file — if it's there. Restart your Safari browser.
Step 4: Remove SafeFinder from Chrome
- Launch Chrome.
- Choose the Settings icon in the left of the window (it looks like three horizontal lines stacked on top of each other), or type “chrome://settings” into the address bar.
- Select “on startup” and check the button next to “Open a specific page or set of pages.”
- Press the “More” button (three dots, one above the other).
- Choose “edit” and type or paste the address of the homepage you want to use into the text box.
- Click Save.
- Choose Settings again and select “search engine.”
- Click on “manage search engines” and press the “more” button next to SafeFinder and choose “remove from list.”
- Select the dropdown menu next to “Search engine used in address bar” and choose the search engine you want to use.
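The Chrome checks above (homepage, startup pages and default search engine) can also be run against Chrome's profile settings file. The script below is an added example, not part of the original article: the `Preferences` key names are assumptions about Chrome's JSON profile format, the sample data is constructed, and it matches the term ‘safefinder’ in the host name only, which is stricter than looking for it anywhere in the address.

```python
import json
from urllib.parse import urlsplit

# Term the article says appears in the hijacked homepage address.
HIJACK_TERM = "safefinder"

# Constructed sample of a Chrome "Preferences" JSON file (not captured data).
# The key names are assumptions about Chrome's profile format.
SAMPLE_PREFS = json.dumps({
    "homepage": "https://search.safefinderformac.com/",
    "session": {"startup_urls": [
        "https://search.macsafefinder.com/?src=hp",
        "https://example.org/docs?q=safefinder+removal",  # term only in query
    ]},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "SafeFinder",
        "url": "https://search.safefinder.com/search?q={searchTerms}",
    }},
})


def is_hijack_url(url):
    """True when the URL's host name (not its path or query) contains the term."""
    if not url:
        return False
    # Bare entries like "search.safefinder.com" need a scheme for urlsplit().
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return HIJACK_TERM in host.lower()


def audit_chrome_prefs(prefs_text):
    """Return (setting, value) pairs that point at a SafeFinder host."""
    prefs = json.loads(prefs_text)
    findings = []
    if is_hijack_url(prefs.get("homepage")):
        findings.append(("homepage", prefs["homepage"]))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if is_hijack_url(url):
            findings.append(("startup_url", url))
    engine = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if is_hijack_url(engine.get("url")):
        findings.append(("search_engine", engine.get("short_name", "")))
    return findings


if __name__ == "__main__":
    print(audit_chrome_prefs(SAMPLE_PREFS))
```

To check a real profile, pass the text of Chrome's `Preferences` file to `audit_chrome_prefs()` while Chrome is closed; an empty list means none of the three settings points at a SafeFinder host.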
How to remove SafeFinder in a click
If all that seems like a long process, there is another option. CleanMyMac X has a malware removal tool that can remove SafeFinder at the click of a couple of buttons. It works like this:
- Download the free version of CleanMyMac X (Apple-notarized edition).
- Choose Malware Removal and press Scan.
- When it finds SafeFinder, press Remove.
And that’s it, gone. The malware removal tool uses a regularly-updated database to check whether what it finds on your Mac is malware. If it finds it, you can remove it quickly and easily. If it finds nothing, it will give your Mac a clean bill of health and you can relax.
Other ideas to try
- Uninstall your browsers and download them again.
- Create a new user profile on your Mac.
- Roll back your Mac to the past state using Time Machine.
SafeFinder is a browser hijacker that takes the form of a PUP. It’s most often bundled with seemingly legitimate software and installed without the user even noticing. The only sign that you have the SafeFinder virus is that the homepage of your web browser will redirect to a SafeFinder search page. Fortunately, it’s not too difficult to remove it, though if you use several different browsers, you’ll have to remove it from each one. The easiest way to remove it, however, is to use the malware utility in CleanMyMac X which will identify it and allow you to remove it quickly.