26 May 2011, Phil Muncaster, V3
Security experts are warning Mac users of a new variant of the Mac Defender scareware which does not require its victims to type in their administrator password to install.
Mac security firm Intego, which first revealed details of the original Mac Defender scareware, explained in a blog post that it has discovered MacGuard, a similar fake anti-virus product which also targets Mac users via blackhat search engine optimisation (SEO) techniques.
"Unlike the previous variants of this fake anti-virus, no administrator password is required to install this program. Since any user with an administrator account - the default if there is just one user on a Mac - can install software in the Applications folder, a password is not needed," explained Intego on its Mac Security blog.
"This package installs an application - the downloader - named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original installer are left behind."
The program then works like a classic scareware scam: the MacGuard application runs and presents itself as an authentic virus-scanning program.
MacGuard will then occasionally run 'scans' and inform the user that their PC is infected, requiring them to submit their credit card details to purchase a licence for the software, which will supposedly protect their computer.
Intego has labelled the MacGuard threat as a 'medium' risk "in part because the SEO poisoning has been very efficient in leading Mac users to booby-trapped pages, but also because no password is required to install this variant".
The incident yet again confirms the increasing risks to Mac users as cyber criminals gradually turn their attention to a platform which was until recently largely ignored owing to its low market share.