New scam: AMOS malware is distributed via fake browser updates

Der "Atomic macOS Stealer“, called AMOS for short, is one Malware, which is designed for the Apple Mac and its operating system macOS. The malware is intended, among other things, to steal iCloud keychain passwords as well as browser data, files and cryptocurrencies. Now there are reports of a new scam that is intended to bring the Atomic macOS Stealer to Apple computers: Infected websites display an update notice that says that the site can only be accessed with the latest version of the browser (Safari, Chrome , etc.). The download button offered then leads to AMOS infection. Here you can find out how to get yours Browser updated manually and securely. 

ClearFake campaign targets macOS and Windows computers

The “ClearFake” campaign to spread malware across the web may be familiar to some people from Windows malware. With the new scam to smuggle the AMOS software onto Macs, it is now spreading to macOS. Malwarebytes, among others, reports on this in one Blog. Due to its technical effort, the ClearFake campaign is described as “the most widespread and dangerous social engineering method“ of the malware industry. In order to display the correct fake website, the location, browser and operating system are requested. Malwarebytes provides the following examples of fake update notices for Safari and Chrome.

The fakeness of the alleged Safari update can already be recognized by the outdated symbols for iCloud and the browser itself:

Source: Malwarebytes
Source: Malwarebytes

The fake for the alleged Chrome update is a little better done and not so easy to recognize:

Source: Malwarebytes
Source: Malwarebytes

What happens if you download the alleged “update”?

According to Malwarebytes, the respective buttons download a dmg file, which is then opened and its contents installed. So if the alarm bells haven't gone off yet, they should ring now at the latest. In most cases, you don't have to reinstall the program to install a browser update (Chrome is an exception, see below). A dmg file, such as when installing a completely new program for the first time, is often not necessary. The AMOS installer also asks for the password - once entered, it of course ensures that you give the malware a free hand with admin rights.

What to do if the web browser displays an update notice?

If you suddenly see an update notice while surfing the web, you should ignore it for now and see what page you actually accessed. It doesn't always have to be a dubious gambling or adult site. Maybe you came to the site through an infected Google ad (another AMOS scam) or entered a URL incorrectly. If you get a notice like this, it's better to check the browser settings to see whether an update is available instead of loading the alleged update using the button on the fake website.

How do I find an official Safari update?

The latest version of Safari is basically already included in macOS. If the operating system is up to date, then Safari will also have the latest version. However, if there is an out-of-order update, you can find it here: Apple logo () -> System Settings -> General -> software update. You can also find it in the App Store in the left sidebar Updates see if there is a Safari update there. If it doesn't appear in both locations, then you don't need an update.

How do I find an official Chrome update?

The Chrome browser shows itself under macOS when it needs to be updated. The three-dot menu (on the far right of the address bar) is then highlighted in red and “Update” is written next to it. If you click on it, you can access the first item in the menu that is called up Google Chrome is outdated ring. There are now two options here: either an update is loaded and installed when you click on it or you go to the official Chrome download page (https://www.google.com/chrome/). The download offered there can be used without any concerns.

If Chrome needs an update, it will be displayed in the browser UI, not suddenly on a website. Images: Sir Apfelot
If Chrome needs an update, it will be displayed in the browser UI, not suddenly on a website. Images: Sir Apfelot

How do I find an official Firefox update?

If you use the Firefox browser on the Apple Mac, you can install a possible update via the menu Firefox -> About Firefox check. The download and installation of the update is also carried out in the information window that opens. You then have to restart the browser. If you then look again in the info window, it should show that Firefox is in the latest version.

Firefox offers its own window for updating. Here, too, you should not fall for website displays. Images: Sir Apfelot
Firefox offers its own window for updating. Here, too, you should not fall for website displays. Images: Sir Apfelot

How do I find an official Opera GX update?

In Opera GX you click into the menu Opera GX -> Update and restore. An automatic check for possible updates should also run there. Once the update has been downloaded and installed, this browser must also be restarted. The menu then says “Opera is up to date”.

Opera GX offers a menu for checking updates. This is also easy to use. Images: Sir Apfelot
Opera GX offers a menu for checking updates. This is also easy to use. Images: Sir Apfelot

How do I find an official DuckDuckGo update?

If you use the DuckDuckGo browser on the Apple Mac, click on in the menu bar DuckDuckGo -> Check for Updates. If a new version is available, you will be offered its description and the “Install Update” button underneath. Use this to update the browser. You then confirm the whole thing with the “Install and Relaunch” button in a smaller window.

The DuckDuckGo web browser shows in its own window whether and which update you need. Images: Sir Apfelot
The DuckDuckGo web browser shows in its own window whether and which update you need. Images: Sir Apfelot
Did you like the article and did the instructions on the blog help you? Then I would be happy if you the blog via a Steady Membership would support.

1 comment on “New scam: AMOS malware is distributed via fake browser updates”

  1. Thanks for all the information! Finally a post that not only highlights the problem but also provides a solution to manually check for updates if you opt out of these fake notifications. And you even touch on some lesser-known browsers. Great!

Post a comment

Your e-mail address will not be published. Required fields are marked with * marked

In the Sir Apfelot Blog you will find advice, instructions and reviews on Apple products such as the iPhone, iPad, Apple Watch, AirPods, iMac, Mac Pro, Mac Mini and Mac Studio.