Some Mac threats mimic real system alerts to dupe victims into making blunders, as is the case with the surge of “Your computer is low on memory” warnings.
It doesn’t take a rocket scientist to predict the average Mac user’s response to encountering a pop-up alert that says, “Your computer is low on memory”. The most likely feeling is anxiety, coupled with an impulse to sort things out immediately. The notification kind of hints at the first step by providing the following recommendation: “To free up some memory, please close a few applications”. No matter what the reaction is, the notification will just hang there until the user clicks the “Close” button. This is exactly what the operators of several Mac malware families anticipate, as it instantly triggers an action that doesn’t match the victim’s true intentions.
Here’s the thing: sometimes, the “Your computer is low on memory” alert on a Mac cloaks a dodgy permission request that literally lurks behind it. In this situation, the above-mentioned “Close” option overlays an “OK” button in a dialog that asks the user to allow access to control Safari, another web browser, or an arbitrary application. As a result, clicking what seems to be an innocuous button ends up granting a strain of malware privileges it should never get.
This clever trick is pulled by a handful of Mac malware apps. Several examples are MacSecurityPlus, Spaces, and pests from the so-called AdLoad family. The other usual suspects are viruses that redirect web browsers to Bing or Yahoo. In this cesspool, the most active threats currently are SearchMarquis, SearchBaron, and SafeFinder. Since these samples are focused on tweaking the behavior of web browsers, they simulate the low memory condition to hoodwink the user into giving them permission to perform actions within Safari, Google Chrome, and Mozilla Firefox. By the way, this also provides access to documents and data related to the browser.
The core malware gets into a Mac behind the user’s back. It comes bundled with a safe-looking free application whose installer conceals the fact that there are extras in the same package. The infection happens unless the would-be victim opts out of the express setup mode. Then, the harmful code adds its launcher to the Login Items and creates a new configuration profile to extend its control of the target areas of the Mac. Specific browsers undergo the biggest hit, with their default search settings being taken over. The attack may additionally involve a second-stage payload, which is a browser add-on that enhances the Internet traffic reorganization effect.
It’s easy to distinguish between security-related and regular reasons for the onset of “Your computer is low on memory” alerts. When no malware is involved, the amount of available RAM shown in the Activity Monitor won’t be anywhere near exhausted. If plagued by a Mac threat that fakes these warnings, the machine won’t get back to its normal state until the user applies the cleaning technique outlined below.
Uninstall Mac malware that displays fake “Your computer is low on memory” pop-ups
Removing Mac threats that falsify system alerts is quite a challenge due to their high persistence and stealth. The good news is that you can use a tried-and-tested cleaning technique to overcome these obstacles. The steps below will help you out.
- Expand the Go pull-down menu in the Apple menu bar, select Utilities, and double-click the Activity Monitor icon.
- Look for a process that has nothing to do with Apple services or legitimate apps you are using. An unfamiliar icon and a significant amount of CPU usage are a few attributes of a malicious executable.
- Select the suspect entry and click the Stop (X) button, which is the leftmost one in the upper toolbar. Click Quit in the follow-up dialog to terminate the unwanted process.
- Open the Finder and select Applications in the “Favorites” area. Spot the misbehaving app and move it to the Trash.
- Use the above-mentioned Go menu to open the Go to Folder window.
- Enter /Library/LaunchDaemons in the search box and press Enter or click the Go button.
- Check the LaunchDaemons folder for items that seem out of place. Move the likely culprits to the Trash.
- Use the same method to access the ~/Library/LaunchAgents (with the tilde symbol at the beginning), /Library/LaunchAgents, and ~/Library/Application Support folders. Find potentially unwanted items in each directory and delete them.
- Open System Preferences and pick Users & Groups. Hit the tab called Login Items. Select the app that shouldn’t be running at each login and use the built-in controls to delete it from the list.
- When on the System Preferences screen, select Profiles. Normally, no configuration profiles should be installed unless you are using a company-issued Mac. Choose the redundant entry added by malware and click the “minus” sign to get rid of it.
- Empty the Trash folder.
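The LaunchDaemons and LaunchAgents checks in the steps above can be scripted so that nothing in those folders is overlooked. The following is an added example, not part of the original article: it parses every launchd plist in the folders named above and flags jobs worth a manual look. The heuristics (risky path fragments, a file name that differs from the job's Label) are assumptions chosen for illustration, not a definitive malware signature.

```python
import plistlib
from pathlib import Path

# Folders named in the removal steps above.
LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
                "~/Library/LaunchAgents"]
# Assumption (heuristic, not from the article): launchd targets under these
# path fragments deserve a closer look.
RISKY_PARTS = ("/Application Support/", "/tmp/", "/Users/Shared/", "/.")

def audit_plist(path):
    """Return (file, label, program, reasons) for one launchd plist."""
    path = Path(path)
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # reads both XML and binary plists
    except Exception:
        return (str(path), "", "", ["unreadable plist"])
    if not isinstance(job, dict):
        return (str(path), "", "", ["unexpected plist structure"])
    label = str(job.get("Label", ""))
    args = job.get("ProgramArguments") or []
    program = str(job.get("Program") or (args[0] if args else ""))
    reasons = []
    if any(part in program for part in RISKY_PARTS):
        reasons.append("target in user-writable or hidden path")
    if path.stem != label:
        reasons.append("file name does not match Label")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically")
    return (str(path), label, program, reasons)

def audit_dirs(dirs=LAUNCHD_DIRS):
    """Audit every .plist in the given folders; return only flagged jobs."""
    findings = []
    for d in dirs:
        folder = Path(d).expanduser()
        if not folder.is_dir():
            continue
        for plist in sorted(folder.glob("*.plist")):
            result = audit_plist(plist)
            if result[3]:
                findings.append(result)
    return findings

if __name__ == "__main__":
    for file, label, program, reasons in audit_dirs():
        print(f"{file}\n  label:   {label}\n  program: {program}"
              f"\n  flags:   {', '.join(reasons)}")
```

A flagged entry is a prompt for review rather than proof of infection, since legitimate software also installs launch agents; confirm what the listed program is before moving the plist to the Trash.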
Now that you have uninstalled Mac malware that’s setting “Your computer is low on memory” pop-up activity in motion, there are several more things you need to do at the level of your web browsers that are probably still affected.
Declutter your web browser
- Purge Safari of toxic junk
  - Head to Safari Preferences, click the Privacy tab, and select Manage Website Data. Then, click the Remove All button.
  - Under Safari Preferences, go to the Advanced tab and activate the option saying Show Develop menu in menu bar.
  - Click Develop in the upper menu bar and select Empty Caches in the drop-down list.
  - Open the History menu and click Clear History.
  - Follow further prompts to remove all browsing history.
  - Restart Safari.
- Revert to original Google Chrome settings
  - Open Chrome, click Customize and control Google Chrome, and select Settings.
  - Click the Advanced button in the sidebar, select Reset settings, click Restore settings to their original defaults, and confirm the action.
  - Restart Chrome.
- Reset Mozilla Firefox
  - Launch Firefox, click the Open Application Menu button, select Help, and click More Troubleshooting Information.
  - Click Refresh Firefox and follow on-screen prompts to clear unwanted browsing data.
  - Restart Firefox.
Surf the web wisely
The likes of the “Your computer is low on memory” pop-up virus are very easy to catch and equally difficult to remove from your Mac. Moreover, they can cause more serious consequences than messing around with web browsers. Personal data harvesting is an example of what they usually do behind your back. That being said, you would be better off avoiding these baddies down the line.
The top tip is to be a little paranoid about software installers available outside of the App Store. There is always a chance that these items are trickier than they appear. At the very least, exit the “express” setup mode to see the list of promoted programs and uncheck suspicious ones. Ideally, you should stick with official application marketplaces that use rigid checks to keep shady code away.