There’s a new method being used for tricking Mac users into mistakenly installing Trojans… While browsing the web, a popup window opens that looks just like a Mac OS X Finder window. This fake Finder window will state something like “To help protect your computer, Apple Web Security have detected Trojans and ready to remove them.” or “Your system is infected. It’s highly recommended to cleanup your system to protect critical information like credit card number, etc”. The popup window will have a button that says something like “Remove All” or “Cleanup”.

If the user clicks on the “Remove All” or “Cleanup” button, an installer will be downloaded. If Safari is set to automatically download safe files, the installer may automatically download when the fake Finder window appears.

As with all Mac Trojans, the user must actually run the installer and authenticate as an admin user. After installation, you will likely find an application in the /Applications folder named either MacDefender, MacProtector, or Mac Security. If you run these applications, they will appear to be legitimate anti-malware software, and after scanning your drive they will list numerous ominous-sounding (yet fake) infections. Attempting to fix the infections will prompt you to purchase a license, which is of course a complete scam meant to gather credit card information.

A high percentage of those who have accidentally installed one of these Trojans report they were browsing pictures in Google Images when the fake Mac OS X Finder window popup appeared.

Removing these Trojans requires more than just trashing the application. When they are installed, user login items and launchd user agents are added to run in the background. These background processes will randomly open browser pop-up windows, many containing adult-themed content.
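
A read-only check for the leftovers described above, as an added example that is not part of the original article: it looks in an applications folder for the three application names given earlier and lists launchd user agent plists that mention them. The `~/Library/LaunchAgents` location and the match-by-content approach are assumptions (the article does not name the agent files), and login items are not covered.

```shell
#!/bin/sh
# Added example: read-only triage for the fake anti-malware apps named in the
# article. It deletes nothing; every hit needs manual review before removal.
# Assumption: per-user launchd agents are plists in ~/Library/LaunchAgents.
# The article does not name the agent files, so plists are matched by content.

# find_apps APPS_DIR: print app bundles whose names match the article's list.
find_apps() {
    for name in "MacDefender" "MacProtector" "Mac Security"; do
        if [ -d "$1/$name.app" ]; then
            printf '%s\n' "$1/$name.app"
        fi
    done
}

# find_agents AGENTS_DIR: print agent plists that mention one of those names.
find_agents() {
    [ -d "$1" ] || return 0
    # -l lists matching files only; an empty folder or no match is not an error.
    grep -lE 'MacDefender|MacProtector|Mac Security' "$1"/*.plist 2>/dev/null || true
}

# triage APPS_DIR AGENTS_DIR: report both kinds of leftovers.
triage() {
    apps=$(find_apps "$1")
    agents=$(find_agents "$2")
    if [ -z "$apps$agents" ]; then
        echo "No matching applications or launchd user agents found."
        return 0
    fi
    if [ -n "$apps" ]; then
        printf '%s\n' "$apps" | sed 's/^/Application: /'
    fi
    if [ -n "$agents" ]; then
        printf '%s\n' "$agents" | sed 's/^/Launch agent: /'
    fi
}

# Defaults are the standard locations; pass other folders as arguments.
triage "${1:-/Applications}" "${2:-$HOME/Library/LaunchAgents}"
```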

The free version of Sophos Anti-Virus for Mac Home Edition will find and remove Trojans like this; however, I personally recommend uninstalling Sophos Anti-Virus after using it, because having it installed/active can cause numerous stability problems in general.