Fake Safari and Chrome Updates Infecting Macs with AMOS Malware

First spotted in early 2023, a potent malware called Atomic macOS Stealer (AMOS) has become a growing threat. It’s a powerful piece of malware that targets Apple users and tricks them into installing the software on their machines. Once installed, it can steal iCloud Keychain passwords, credit card information, files, and more. And now, in the latest iteration, AMOS is being delivered to Mac users via fake Safari and Chrome updates.

How AMOS Malware is injected into Macs

The early signs of AMOS threats were reported in March and April. In September, the security researchers at Malwarebytes discovered that Mac users were tricked into installing AMOS via fake Google Search Ads. Now, Malwarebytes reports that AMOS is injected into Macs using compromised websites to deliver fake Safari and Chrome updates. This fake browser update chain is labeled as “ClearFake”, and was previously seen against Windows as well. Let’s see how to spot fake updates and avoid the AMOS threat on Macs.

Fake Safari and Chrome Updates

Here’s a fake Safari update that mimics the official website. It’s quite easy for Apple users to spot it as there are outdated Safari and iCloud icons. However, if someone is new to the Apple ecosystem, it’s easier for them to fall for this. So, beware.

Below is a more convincing Google Chrome update template that closely resembles the authentic one.

How to avoid AMOS Malware on Macs

While the AMOS malware is a threat, the good news is that it is totally avoidable. Here’s how:

• First, never download any software updates from unknown or untrusted sources. Rather, make sure to only update Safari directly in your Mac’s System Settings. For Chrome, only rely on the Chrome app or Google’s official website. 
• If an app asks you to bypass macOS Gatekeeper protections, be very cautious and simply skip that app. 
• If you’re using a new website, check when it was created, and don’t trust any random pop-ups, ads, or download triggers.