The particulars change, but the general rule doesn’t: Don’t install software you’re not certain you can trust. A new Trojan horse targeting Mac users tries to trick you into installing it by prompting you to install a browser plug-in when you visit a compromised or malicious webpage.
Dr.Web, a Russian anti-virus and security company, dubs the malware Trojan.Yontoo.1. Unknowing Web surfers who attempt to view video trailers are told that a necessary plug-in is missing. If you click to get the plug-in, an installer for something called FreeTwitTube appears.
But rather than installing FreeTwitTube, the software instead installs a Yontoo plug-in for Safari, Chrome, and Firefox. The plug-in inserts ads and other content onto other webpages as you surf. The real risk with browser extension-based malware is that such extensions can easily access and execute remote code—and monitor the URLs you visit, along with the content of those pages. It doesn’t appear that Yontoo does that… yet.
You can check if you’re a Yontoo victim by reviewing your browser’s installed plug-ins. Deleting the extension should be enough to rid your Mac of the malware.
Screenshots courtesy Dr.Web.