MacXpert

False Positives: Safari Legacy Extensions


Several Safari Legacy Extensions, which are verified, hosted and signed(!) by Apple, are falsely reported by MBAM for Mac [1.3.1.628, Rules version: 398 (2019-07-08)] as a variety of Adware and PUPs.

A full list of Safari Legacy Extensions is at https://safari-extensions.apple.com and in the attached Extensions.plist (to be found on any macOS in ~/Library/Safari/Extensions).

I tested with all Extensions in the category "Search": https://safari-extensions.apple.com/?category=search
Of those, 7 were reported as false positives; see screenshot.

Attachments: False Positives.jpg, Extensions.plist.txt


Just because they are signed with a valid Apple Developer ID doesn't mean they aren't what they have been identified as. There are lots of things in the App Store and Safari Extensions Gallery that produce adware or meet the PUP definition. I recognize several of the above as just exactly what Malwarebytes says they are and are not False Positives.

44 minutes ago, alvarnell said:

Just because they are signed with a valid Apple Developer ID doesn't mean they aren't what they have been identified as. There are lots of things in the App Store and Safari Extensions Gallery that produce adware or meet the PUP definition. I recognize several of the above as just exactly what Malwarebytes says they are and are not False Positives.

Well, they are not signed by an "Apple Developer ID", but by Apple itself.

Still, you might be correct on some of them, and I didn't check all 7. Would you maybe elaborate on those you recognize?

The one that made me stumble upon the issue was "AnySearch", which I did inspect in depth, and found to be obviously and unambiguously a false positive.
It was developed by Matt Swain (source code on GitHub) and featured in some articles, because it adds search engine management to Safari (beyond the 4 options provided by Apple). You can still download it from the developer, but when you try to install it, Safari will instead propose to load the Apple-signed version from the (Legacy) Extensions Gallery. This is necessary, because unsigned extensions are now simply ignored.

The file 'anysearch.safariextz' from Matt Swain's site has a different hash than 'AnySearch.safariextz' from Apple because of the signature. Both files check 100% clean on VirusTotal (including Malwarebytes), while at the same time both of them are flagged "Adware.Crossrider" by MBAM for Mac. These are xar archives, and when you unpack them and compare the content itself, both are completely identical. The content consists of 4 PNGs, 1 Info.plist, 1 'Settings.plist', a 'global.htm' and a 'global.js' file. They are not very complex and it is easy to see that they do exactly what the extension claims to do, without any detour. The provided selection of search engines is also unsuspicious, and the Extension has no entitlements in Safari.

The Adware "Crossrider" on the other hand usually consists – as far as I could find out – of several critical components like Launch Agents, Profiles and background processes. None of that exists in this Safari Extension. One of the side-effects of "Crossrider" might be the modification of Safari's default search engine, but of course to a totally different one than those provided by "AnySearch". "Crossrider" does not even use the notorious fake search engine "anysearch.net" (which has nothing to do with Matt Swain's Extension), which could have been at least an excuse for the mix-up. The verdict "Adware.Crossrider" is at least mislabeled.

Unless Malwarebytes thinks that the raw ability to configure a custom search engine (a feature present in most other browsers) already qualifies as malware, this is clearly a false positive. One that is confusing those safety- and privacy-aware users who are looking for an elegant way to use e.g. Startpage.com as their default search engine in Safari.

Does anybody have background information on the reasoning behind the detection of "AnySearch" or the other Extensions?

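The comparison described in the post above (two .safariextz files whose whole-file hashes differ only because of the signature, but whose unpacked members are identical) can be reproduced without trusting a file hash at all. The script below is an added example written for this thread; it is not code from the original poster, from Matt Swain's extension or from Malwarebytes. It assumes the xar v1 on-disk layout (a 28-byte big-endian header, a zlib-compressed XML table of contents, then a heap of member data addressed by offset) and builds its two demo archives in memory from constructed placeholder members, so the member names and contents are not the real AnySearch files.

```python
import bz2
import hashlib
import struct
import xml.etree.ElementTree as ET
import zlib

XAR_MAGIC = 0x78617221  # the bytes b"xar!"
# xar v1 header, big-endian: magic, header size, version,
# compressed TOC length, uncompressed TOC length, checksum algorithm
HEADER = struct.Struct(">IHHQQI")


def read_xar(blob: bytes) -> dict:
    """Return {path: bytes} for every regular file in a xar archive.

    TOC signature, checksums and timestamps are left out on purpose, so two
    archives that differ only in the TOC compare as identical here."""
    magic, hdr_size, version, toc_zlen, toc_len, _alg = HEADER.unpack_from(blob, 0)
    if magic != XAR_MAGIC or version != 1:
        raise ValueError("not a xar v1 archive")
    toc_xml = zlib.decompress(blob[hdr_size:hdr_size + toc_zlen])
    if len(toc_xml) != toc_len:
        raise ValueError("TOC length mismatch")
    heap = blob[hdr_size + toc_zlen:]  # member data; TOC offsets are relative to it
    members = {}

    def walk(node, prefix):
        for f in node.findall("file"):  # directories nest their children as <file>
            path = f"{prefix}/{f.findtext('name')}" if prefix else f.findtext("name")
            if f.findtext("type") == "directory":
                walk(f, path)
                continue
            data = f.find("data")
            offset = int(data.findtext("offset"))
            length = int(data.findtext("length"))  # bytes stored in the heap
            size = int(data.findtext("size"))      # bytes after decoding
            style = data.find("encoding").get("style")
            raw = heap[offset:offset + length]
            if style == "application/x-gzip":      # a zlib stream despite the name
                raw = zlib.decompress(raw)
            elif style == "application/x-bzip2":
                raw = bz2.decompress(raw)
            elif style != "application/octet-stream":
                raise ValueError(f"unsupported encoding {style} for {path}")
            if len(raw) != size:
                raise ValueError(f"decoded size mismatch for {path}")
            members[path] = raw

    walk(ET.fromstring(toc_xml).find("toc"), "")
    return members


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def compare_archives(a: bytes, b: bytes) -> dict:
    """Whole-file hashes differ as soon as the TOC differs (a signature is
    enough), so the meaningful comparison is member by member."""
    fa, fb = read_xar(a), read_xar(b)
    shared = set(fa) & set(fb)
    return {
        "archive_hashes_equal": sha256(a) == sha256(b),
        "only_in_a": sorted(set(fa) - set(fb)),
        "only_in_b": sorted(set(fb) - set(fa)),
        "differing": sorted(p for p in shared if fa[p] != fb[p]),
        "identical_content": fa == fb,
    }


def build_xar(files: dict, toc_extra: str = "") -> bytes:
    """Minimal xar v1 writer, used only to construct the demo input: members are
    stored zlib-compressed at top level, and toc_extra is spliced into the TOC to
    mimic a signature element that changes the archive but not the members."""
    heap, entries = b"", []
    for i, (name, content) in enumerate(sorted(files.items()), start=1):
        z = zlib.compress(content)
        entries.append(
            f'<file id="{i}"><name>{name}</name><type>file</type><data>'
            f"<offset>{len(heap)}</offset><size>{len(content)}</size>"
            f'<length>{len(z)}</length><encoding style="application/x-gzip"/>'
            "</data></file>"
        )
        heap += z
    toc = f"<xar><toc>{toc_extra}{''.join(entries)}</toc></xar>".encode()
    ztoc = zlib.compress(toc)
    return HEADER.pack(XAR_MAGIC, HEADER.size, 1, len(ztoc), len(toc), 0) + ztoc + heap


# Constructed stand-ins for an extension's members (not the real AnySearch files).
MEMBERS = {
    "Info.plist": b"<plist><dict><key>CFBundleDisplayName</key><string>Demo</string></dict></plist>",
    "global.js": b"safari.extension.settings.engine = 'example';",
}
UNSIGNED = build_xar(MEMBERS)
SIGNED = build_xar(MEMBERS, toc_extra='<signature style="RSA"><offset>0</offset></signature>')

if __name__ == "__main__":
    result = compare_archives(UNSIGNED, SIGNED)
    print("archive hashes equal:    ", result["archive_hashes_equal"])  # False
    print("member content identical:", result["identical_content"])    # True
```

Run against real files, `read_xar(open(path, "rb").read())` gives you the per-member bytes to hash and inspect, and `compare_archives` tells you whether two archives with different whole-file hashes actually ship the same Info.plist, scripts and images. Identical members only settle the "which file is this" question; whether the members themselves do something unwanted still has to be judged by reading them, which is the point alvarnell raises above.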

I'm at a conference and unable to investigate in detail at the moment... but just looking at the names of those, most of them don't look legit. It's important to note that the mere presence of an extension on Apple's site doesn't mean it's good, any more than the presence of an app on the App Store means it's good. We detect things that can be found in both locations.

That said, I'll investigate this further next week when I'm back on a normal work schedule.

