Mac browsers hit by new Yontoo adware trojan

Researchers have uncovered a new Trojan, dubbed Yontoo, that installs adware on the browsers of infected systems with just a few clicks.

Russian anti-virus firm Doctor Web outlined how the scam works on Macs, but said that a similar scheme is also targeting Windows PCs.

One of the ways Yontoo traps its victims is with the promise of movie trailers. Before users can "watch" that trailer, however, scammers require them to download a plug-in that really only installs Yontoo.

"After clicking on 'Install the plug-in,' the user is redirected to another site from which Trojan.Yontoo.1 is downloaded," Doctor Web said. Criminals, however, have also spread Yontoo with the promise of a media player, a video quality enhancement program, or a download accelerator.

Yontoo will ask users via a pop-up window (above) if they want to install "Free Twit Tube." But if the user clicks "continue," the Trojan downloads and installs itself as a plug-in for Safari, Chrome, and Firefox on the Mac.

"While a user surfs the web, the plugin transmits information about the loaded pages to a remote server," Doctor Web said. "In return, it gets a file that enables the Trojan to embed third-party code into pages visited by the user."

Doctor Web showed a screenshot (above) that included bogus "DropDownDeals" for Apple products.

Doctor Web added Yontoo to its virus database on 15 March.

These types of attacks have been around for some time on Windows. But as Doctor Web noted, "adware for Mac OS X has been increasing in number since the beginning of 2013" and Yontoo is the most prominent.