Airo Labs expose: (another) Apple support scam generated by an Adware

By: Omer Zohar, VP Research & Labs @AiroAV (Airo Security)

February 18th, 2019

Airo Lab research discovered a sophisticated fraud involving fake Apple support services, tricking consumers into exposing their personal details, and buying products and services they do not really need at a bloated price.

Airo Lab’s research exposed an Apple support scam, generated by an Adware variant called ‘BundloreX’. A scam that targets MacOS, both on Safari and Chrome browsers. Combining all malicious adware tactics such as phishing, scareware, ads injections and impersonating Apple into one fraudulent method. If you’re one of those who used to believe that the implications of Adware are nothing more than annoying ads; this report might change your mind.

Let us walk you through the flow

You start by browsing what could be a legitimate website. In this case, an online streaming website broadcasting a soccer match. A popup on top of the video stream states that the ‘flash plugin’ had crashed and required a (fake) update in order for you to continue watching the match. This kind of messages is made to look as if it is a system or browser notification, tricking you into believing that it’s just a standard and necessary update process.

A popup on top of the live stream video states that the ‘flash plugin’ had crashed

Once clicking the “Update Now” button, a supposedly “official” flash download page will be launched with a download/update button. Easy to be confused, but this page is not the official Adobe Flash Player page, though if you pursue the flow, you may end up having a real Flash Player on your Mac.

Fake Adobe Flash Player popup

After downloading the file, an installer is launched, posing as a “Flash Player” set up. But the sharp observers among us will notice that four (4) other programs will be installed as well.

Installation screen showing the 4 other programs that will be installed in addition

As you can see in the screenshot, the Adware installer will bundle with the Flash Player, also a Media Player, MyShopCoupon (an Adware), WeKnow (also an Adware) and Mac Cleaner Pro (a Scareware).

Congratulations, you’ve been infected with MyShopCoupon

Once installed, MyShopCoupon runs a process in the background, constantly injecting ads to your Safari / Google Chrome browsing experience. One of the ads you will encounter is a new tab ad, popping up and claiming an issue with your Mac that requires you to quickly contact Apple Support via the number provided to you in the ‘ad’.

MyShopCoupon’s tactic for hijacking URLs

MyShopCoupon is a daemon, i.e, a process that runs silently in the background while the user is browsing on Google Chrome or Safari. MyShopCoupon runs a python sub-daemon, which in turn launches a command to run a script (“osascript”) every two seconds. It communicates with its subprocess via Unix pipes, transferring the content of the page to be injected in the browsers.

Myshopcupon process tree flow

The osascript is responsible for injecting ad URLs into visited sites. The moment an infected user clicks a link, a second new tab is launched (an ad), and a malicious pop-up ad is being prompted, tricking the user into believing that their Mac is being infected.

osascript browser ad injection

The (fake) ‘Apple Support’ scam

Funny enough, this ad, posing as a browser notification, now make a true statement, saying there is Adware infecting your Mac, as both the Adware and the alert are generated by the same sneaky source. The Adware BundloreX first created the problem, and now offers you their devious solution!

Fake Apple support pop up screen

If you click the OK button, you’ll be redirected to the following page, operated by a 3rd party company that probably offers tech support, but makes a huge effort to make it look as though they are the official Apple Support. Two things are certain: One, the process is not legit. And two, this is not an official Apple message or support.

Fake page disguising as an Official Apple Support page

For further investigation, we asked the “Apple” representative/bot a few general questions and got general answers about their assumption that our Mac was infected by a virus.

Then he offered to remotely take over our computer for a further look and sent a remote access program link (LogMeInRescue). Once ran, the representative was connected to our computer and started browsing around, and closing all open apps (including our screen recording app, so we had to take the below photos with our mobile).

Then he found Mac CleanUp and MyShopCoupon and highlighted them, and also the plist agent that was also installed earlier by BundloreX, and explained that the search hijack was done by MyShopCoupon.

Once done, the rep said that our computer was being infected by a malicious and dangerous ‘adware’.


We asked if he can help us remove it, and of course, the answer was ‘yes’. He asked for our personal details (name, phone number, address, email). Then, we were asked to choose the ‘protection’ program (1, 3 or 5 years) and pay by phone by providing our credit card details.

We ran a small investigation to better understand who’s behind this:

We checked this company’s phone number, we found that it led to a company called PCMagic (mypcmagic.us), which provides IT services and remote assistance for PC. The domain was also not an Apple domain and was privacy protected.

So, what we have learned?

Airo Labs has once again uncovered a sneaky tactic used by malicious adware attackers to con users into buying services and products they do not need, do not want and did not ask for.

For questions or contribution of information contact us here.

Subscribe to our blog

Get Airo

Try Airo AV and Airo Web Protection

Try Airo