How to Remove the New Mac Flash Malware ‘Crossrider’

A variant of the Crossrider adware has been spotted in the wild. It’s Mac Flash malware, and it differs from the original breed because it installs certain configuration profiles to stay persistent (via Malwarebytes).


Mac Flash Malware

This strain of Crossrider comes in the form of a fake Adobe Flash Player installer. Pretty typical for macOS and nothing we haven’t seen before. But this one is a bit different. As you install it, it automatically installs Advanced Mac Cleaner, which uses Siri’s voice to tell you it found a problem.

But behind the scenes, it locks Safari’s homepage to a Crossrider domain, and the setting can’t easily be changed. This is due to a configuration profile, which is a method that IT admins use to control the behavior of Macs in bulk, like in a company.

Screenshot of Safari. This Mac flash malware changes your homepage.

This configuration profile forces Safari and Chrome (if you have it installed) to always open a page at chumsearch.com. You can’t change it via Safari preferences, but you can find the profile by going to System Preferences > Profiles.

How to Remove It

Luckily, removing it is fairly straightforward and involves a couple of Terminal commands. If you’re on macOS 10.12 or earlier, use the command:

sudo profiles -L

Although this works on macOS 10.13, another command may be better:

sudo profiles list

Screenshot of System Preferences. This Mac flash malware installs a configuration profile.

Then, look for an unfamiliar profile. In this case, the identifier is com.myshopcoupon.www. On macOS 10.12 or earlier, type:

sudo profiles -R -p com.myshopcoupon.www

On macOS 10.13:

sudo profiles remove -identifier com.myshopcoupon.www
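
If a Mac legitimately has several profiles installed, spotting the unfamiliar one by eye is error-prone. The script below is an added example, not part of the original article: it filters a profiles listing against an allowlist and prints only the identifiers you did not expect. It assumes each profile appears in the listing on a line containing "profileIdentifier: <identifier>"; the allowlist entries and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag installed configuration profiles that are not on an allowlist.
# Assumption: each profile appears in the listing on a line containing
# "profileIdentifier: <identifier>".

# Identifiers you expect on this Mac (hypothetical values; replace with your own).
ALLOWED_PROFILES="com.example.mdm.enrollment com.example.wifi"

# Read a profiles listing on stdin; print each identifier not in the allowlist.
unknown_profiles() {
    sed -n 's/.*profileIdentifier: *\([^ ]*\).*/\1/p' | sort -u |
    while IFS= read -r id; do
        case " $ALLOWED_PROFILES " in
            *" $id "*) ;;                  # expected profile, skip it
            *) printf '%s\n' "$id" ;;      # unfamiliar profile, report it
        esac
    done
}

# Constructed sample listing (not captured from a real machine).
sample_listing() {
    cat <<'EOF'
There are 2 configuration profiles installed

_computerlevel[1] attribute: profileIdentifier: com.example.mdm.enrollment
_computerlevel[2] attribute: profileIdentifier: com.myshopcoupon.www
EOF
}

# On a real Mac, pipe the listing command from the article into the function:
#   sudo profiles -L   | unknown_profiles    (macOS 10.12 or earlier)
#   sudo profiles list | unknown_profiles    (macOS 10.13)
if [ "${1:-}" = "--demo" ]; then
    sample_listing | unknown_profiles
fi
```

Anything the function prints is a candidate for the removal commands above; check it in System Preferences > Profiles before removing it.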

Other than that, the malware doesn’t seem to do much damage to your system. Additionally, for most users fake Adobe Flash Players are easy to avoid. Flash really isn’t needed anymore, but if you do need it, make sure to only download it from Adobe’s official website.


2 thoughts on “How to Remove the New Mac Flash Malware ‘Crossrider’”

  • And the best way to get to Adobe’s official website is to go into System Preferences, Flash Player. Click on the Updates tab and check for updates. If there are any, you can get to Adobe’s official download directly from that System Preferences pane. Do not use a web browser, because there are too many fake sites that offer Flash Player downloads that are fake!
