SearchPage has targeted Windows machines for some time, but it has recently become rampant on macOS. Average users often don't even know how the adware was installed, because it comes bundled with other free software downloaded from the Internet.

SearchPage doesn't pop up lots of ads, but users will notice these changes in their web browsers:

  • The default homepage becomes SearchPage.com, for example https://www.searchpage.com?uid=aa9e8d0a041f9724bdfdddb66ca14321&aid=3079&ts=1205887148&v=o0.2.
  • The default search engine becomes SearchPage.
  • The "new tab" page opens the modified search portal, usually the same URL as the homepage.
  • It loads into the web browser via an extension named SearchPage.

It also installs searchpage.app in the /Applications folder. Once searchpage.app runs, it installs a Safari extension and hijacks the popular web browsers. The annoying part is that searchpage.app is relaunched automatically by a Launch Agent.

The corresponding searchpaged.plist is installed in the ~/Library/LaunchAgents folder. Because the agent keeps relaunching the app, any manual fix is undone the next time it runs, which makes resetting the hijacked web browser an extremely hard job for average users.

At the time of writing, the searchpage binary (sha256: 37e7998558e36c2e08d860593948ab518cb807c3ab4cc8d8522a14620d4dbb00) is not detected by any AV engine on VirusTotal.

Querying searchpage.com on VirusTotal returns no detection either, but many sub-URLs such as http://www.searchpage.com/XXX are flagged by Google Safe Browsing and other AV engines.


Part of the file list of searchpage.app is shown below:

Using spctl, we can confirm that the app is not properly signed.

But the signature on the embedded library shows that its certificate is still valid.

From the strings in the binary, it hijacks the three most popular web browsers: Safari, Chrome and Firefox. But its behaviour differs for each.

For Safari, it installs a system configuration profile and gains the authorization to take control of Safari's preferences.

Once the profile is installed, an average user can't even reset the homepage manually, because the profile enforces the setting.

For Chrome, it changes the homepage, search engine and startup page. Users can manually reset the homepage and search engine, but the startup page is not editable.

For Firefox, it changes the homepage and search engine. Users can reset them manually, but searchpage.app launches again automatically and hijacks Firefox once more.
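The on-disk footprint of the three hijacks can be checked without opening the browsers. The script below is an added example, not code from the write-up: the Chrome and Firefox locations are the standard per-user macOS paths (overridable through environment variables), the Safari preferences domain used with defaults(1) is an assumption, and it looks only for the searchpage.com domain, so Firefox's search-engine store (search.json.mozlz4, which is compressed) is not inspected.

```shell
#!/bin/sh
# browser_hijack_check.sh: look for the SearchPage domain in the on-disk
# settings of Safari, Chrome and Firefox. Added example, not the write-up's.
# File locations are the standard macOS per-user paths and can be overridden
# via env vars; the Safari defaults domain is an assumption.

PATTERN="${HIJACK_PATTERN:-searchpage\.com}"
CHROME_PREFS="${CHROME_PREFS:-$HOME/Library/Application Support/Google/Chrome/Default/Preferences}"
FIREFOX_PROFILES="${FIREFOX_PROFILES:-$HOME/Library/Application Support/Firefox/Profiles}"

# Chrome keeps homepage, session.startup_urls and default_search_provider_data
# in one JSON file; print the matching lines so the operator sees which keys.
check_chrome() {
    [ -f "$1" ] && grep -qi "$PATTERN" "$1" || return 1
    grep -ni "$PATTERN" "$1" | head -20
    return 0
}

# Firefox writes user-set prefs such as browser.startup.homepage to prefs.js
# inside each profile directory. (The search-engine store, search.json.mozlz4,
# is compressed and not inspected here.)
check_firefox() {
    hit=1
    for prefs in "$1"/*/prefs.js; do
        [ -f "$prefs" ] || continue
        if grep -qi "$PATTERN" "$prefs"; then
            echo "[!] $prefs:"
            grep -i "$PATTERN" "$prefs"
            hit=0
        fi
    done
    return "$hit"
}

# Safari: read the HomePage key from its preferences domain (assumed to be
# com.apple.Safari); only runs where defaults(1) exists.
check_safari() {
    command -v defaults >/dev/null 2>&1 || return 1
    home=$(defaults read com.apple.Safari HomePage 2>/dev/null) || return 1
    printf '%s\n' "$home" | grep -qi "$PATTERN"
}

main() {
    check_chrome "$CHROME_PREFS" && echo "[!] Chrome preferences reference $PATTERN"
    check_firefox "$FIREFOX_PROFILES" && echo "[!] Firefox prefs.js references $PATTERN"
    check_safari && echo "[!] Safari HomePage references $PATTERN"
    return 0
}

main
```

Because the LaunchAgent rewrites these files on every launch, run the check again after unloading the agent and removing the bundle; a clean result only means something when the relaunch loop has been broken first.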

Although it's not an easy job to get rid of SearchPage manually, we have written a step-by-step guide to removing SearchPage to help average users.

searchpage on macOS : dissecting a recently rampant adware