Yontoo Trojan horse injects ads as you surf with popular Mac browsers

The particulars change, but the general rule doesn’t: Don’t install software you’re not certain you can trust. A new Trojan horse targeting Mac users tries to trick you into installing it by prompting you to install a browser plug-in when you visit a compromised or malicious webpage.

Dr.Web, a Russian anti-virus and security company, dubs the malware Trojan.Yontoo.1. Unknowing Web surfers who attempt to view video trailers are told that a necessary plug-in is missing. If you click to get the plug-in, an installer for something called FreeTwitTube appears.

But rather than installing FreeTwitTube, the software instead installs a Yontoo plug-in for Safari, Chrome, and Firefox. The plug-in inserts ads and other content onto other webpages as you surf. The real risk with browser extension-based malware is that such extensions can easily access and execute remote code—and monitor the URLs you visit, along with the content of those pages. It doesn’t appear that Yontoo does that... yet.

You can check if you’re a Yontoo victim by reviewing your browser’s installed plug-ins. Deleting the extension should be enough to rid your Mac of the malware.
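The plug-in review described above can also be done from Terminal. The script below is an added example, not something from the article or from Dr.Web: it searches plug-in and extension folders for items named, or describing themselves as, "Yontoo". The folder list is an assumption (common default macOS locations for Safari, Chrome, and Firefox); pass other directories as arguments to scan those instead.

```shell
#!/bin/sh
# Added example: search browser plug-in and extension folders for "Yontoo".
PATTERN="${PATTERN:-yontoo}"   # name taken from the article; matched case-insensitively

# Print every path under the given directories whose file or folder name
# contains PATTERN, or whose extension metadata file mentions it.
scan_dirs() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    # Plug-in bundles and extension archives are usually named after the product.
    find "$dir" -iname "*${PATTERN}*" -print 2>/dev/null || true
    # Chrome keeps extensions under opaque ID folders, so also read the metadata:
    # manifest.json (Chrome), install.rdf (Firefox), Info.plist (bundles).
    find "$dir" -type f \( -name manifest.json -o -name install.rdf \
      -o -name Info.plist \) -exec grep -il -- "$PATTERN" {} + 2>/dev/null || true
  done | sort -u
}

# Summarise the scan for a person reading the terminal.
report() {
  hits=$(scan_dirs "$@")
  if [ -n "$hits" ]; then
    printf 'Items mentioning "%s" (review, then remove in the browser):\n%s\n' \
      "$PATTERN" "$hits"
  else
    printf 'Nothing mentioning "%s" in the scanned folders.\n' "$PATTERN"
  fi
}

# No arguments: scan common default macOS locations (assumed, not from the article).
if [ "$#" -eq 0 ]; then
  set -- "/Library/Internet Plug-Ins" \
    "$HOME/Library/Internet Plug-Ins" \
    "$HOME/Library/Safari/Extensions" \
    "$HOME/Library/Application Support/Google/Chrome/Default/Extensions" \
    "$HOME/Library/Application Support/Firefox/Profiles"
fi
report "$@"
```

A name match is only a pointer: an extension installed under a different name will not be listed, so the browser's own extension list remains the place to confirm and remove it.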

Screenshots courtesy Dr.Web.
