Yesterday, word surfaced of new malware targeting major browsers on the Mac platform with adware capable of injecting advertising into users' browsing experiences. The malware, known as “Yontoo”, masquerades as a video plug-in or download accelerator in order to trick users into installing the package.
As noted by security firm Intego, Apple has already updated its “XProtect” anti-malware system to recognize Yontoo and warn users who attempt to install it on their machines.
Apple has decided the Yontoo Adware has fallen too far on the side of undesirable behavior, as they have released an update to the XProtect.plist definitions file to provide Mac OS X with basic detection for the Yontoo adware as OSX.AdPlugin.i. In testing, it appears this detection is very specific and potentially location-dependent. This extra specificity is likely there so as to catch only the surreptitious installations of this file.
Apple routinely uses its XProtect anti-malware tools, introduced in OS X Snow Leopard, to provide rudimentary protection against threats. It has expanded its efforts in OS X Mountain Lion with the introduction of Gatekeeper, which allows users to restrict app installation to software from identified developers registered with Apple, or even to only apps installed through the Mac App Store.
Apple has also been using XProtect to enforce minimum version requirements for plug-ins such as Java and Flash Player, forcing users to upgrade from earlier versions known to have significant security issues.