Gone are the days when people were complacent with their Mac’s security. People used to claim that Macs were safe since there were no malware or viruses that could penetrate it. However, things change and technology evolves — that makes Macs susceptible to threats. One sophisticated threat that is now emerging is a Trojan named UpdateAgent.

What is UpdateAgent?

UpdateAgent is a basic malware that first appeared in September 2020 and has been tracked by Microsoft. The original purpose of the malware is to steal information. But this malware has  other tricks up its sleeve. As it evolves, UpdateAgent will have the capability to distribute payloads such as adware.

UpdateAgent can impersonate legitimate software and take advantage of Mac functionalities. It also has the power to bypass Apple’s Gatekeeper, which was created to ensure only trusted apps can be used and on Mac Devices. This malware can also use existing permissions to get rid of evidence that it would otherwise leave.

Timeline of UpdateAgent

2020: September – December

First appearance of the malware. Its capabilities and powers rely on acquiring basic information. It can only collect certain system information details such as product names and versions.

2021: January – February

The UpdateAgent has developed secondary powers. It now has the capability to use payloads like .dmg files.

March

The malware has reached its third form. Instead of using payloads like .dmg, it now uses .zip files. It has also learned a new trick where it can bypass Gatekeeper by getting rid of a downloaded file’s “quarantine attribute”. It has also acquired the means with which to create a PLIST file that is added to the LaunchAgent folder.

August

UpdateAgent further evolves and obtains more capabilities. It can now scan and collect SPHarwaretype and System_profile information.

October

Another power-up has been achieved by the malware. It can now validate whether a downloaded app is within the database of “Quarantine Events”. It also has the function to use existing user profiles to run commands requiring Sudo access and the ability to modify Sudo list.

How Does the UpdateAgent Work?

1. Arrives posing as legitimate software, distributed via drive-by-compromise techniques
2. Performs recon and collects system information
3. Leverages existing user privileges to create folders and add permissions
4. Downloads Adload adware from public cloud infrastructures
5. Gatekeeper is bypassed by removing quarantine attributes of downloaded files
6. Modifies and adds PLIST files using PLisBuddy
7. Adds the modified PLIST to created LaunchAgents and LaunchDaemon folders
8. Sends collected information
9. Covers its tracks, getting rid of all traces on the device

How To Detect UpdateAgent on Mac?

Look for signs of Adware infection:

• Ads appears in strange places on webpages
• Frequently visited sites display differently/incorrectly
• Web search results direct you to sites that you don’t want to visit
• There’s a sudden change in your web browser startup page

Run a Full Scan:

• Have a mac-focused antivirus or anti-malware tool on your device

We strongly recommend Antivirus One for your Mac. Antivirus One offers live antivirus monitoring to protect your Mac from adware, ransomware, spyware, and all kinds of malware attacks. It provides features such as:

• Real Time Detection
  Protects your Mac against all threats 24/7
• Virus Scanner
  Quick scan, customize scan, or deep scan files and locations to safeguard every part of your disk
• Virus Cleaner
  Automatically remove viruses to secure your system and privacy
• Adware Cleaner
  Gets rid of pop-ups, adware, and browser hijackers, so you can browse safely
• Privacy Cleaner
  Hides your information to prevent others from identifying you, especially after visiting websites
• Safe Search
  Flags safety ratings of every Google search result
• Web Threat Protection
  Prevents users from visiting phishing websites

How To Avoid UpdateAgent on Mac?

• Avoid suspicious sites

Stay away from forums and sites that deal in illegal content and pirated software. If a site asks you to download or install an update for Adobe Flash, it is best avoided.

• Download from reputable sources

Only download apps from the App store to ensure that the app is verified. Alternatively, be sure to download directly from the official site of the app developer.

• Don’t use pirated software

Never download pirated software or “cracks”, which are not safe. Look for reputable open-source software that is an alternative for the paid version that you wish to have.

• Update your Mac

Ensure that you frequently install updates on your Mac device. This will ensure that any possible vulnerabilities will be patched. Stay ahead of the curve!

• Think before you click

Make sure to carefully read any text regarding the installing of apps and products. If your Mac provides a warning, listen to it.

As ever, if you’ve found this article an interesting and/or helpful read, please do SHARE it with friends and family to help keep the online community secure and protected.