Gokul Krishna P

Search Page Injection Malware on MacOS

Recently, I was in a situation where I was getting weird Google search results (in Chrome): far more ads were being pumped into my searches, and they were not at all relevant. At first I ignored it, but later, when it became a headache and it was literally impossible to get a proper search result, I thought I would dig in a bit and find out what exactly was causing the issue.

I then tried Firefox and was able to reproduce the same thing: Google search responded exactly the same way, with a whole bunch of ads. On top of that, whichever links I clicked started to respond at a slower pace, much like what happens when I use a proxy. I double-checked the extensions I had in Chrome and Firefox, but found nothing.

I had also tried updating a few apps that had been pending for a long time, but even that failed, citing two reasons: no internet connection and insufficient space on my hard disk. I was pretty sure there was enough space for the downloads, and my internet was working fine on all my other devices.

I then went to the Network pane under System Preferences,

only to find that, under Advanced > Proxies, two of the proxies were enabled.

So, just to be doubly sure, I deleted all the known Wi-Fi networks and then reconnected. To my surprise, I was shown a pop-up with the message "spi is trying to modify the system network configuration" (in the image the message appears different, as I wasn't able to capture a screenshot at the time. Source).

A little bit of Googling confirmed that spi is indeed malware which not only injects ads into the web pages you search for but also drops a lot of junk files onto your system. The enabled system proxies are how it does this: browser traffic is routed through the proxy, which rewrites the pages, so the injection shows up in every browser regardless of extensions, and every request takes the slower detour I had noticed.

Removing it takes only a few steps:

Untick the proxies in the Proxies tab shown above, delete spi.app from the Applications folder in Finder, and in Terminal run the following commands:

rm -rf ~/Library/LaunchAgents/spid.plist

rm -rf ~/LaunchAgents/spid-uninstall.plist

rm -rf /Applications/spi.app

rm -rf ~/Library/SPI/

Then reboot so that the spi agent is no longer running. Note that the second path above, as written, points outside ~/Library; per-user launch agents live in ~/Library/LaunchAgents, so check that directory for both plists. After the reboot, take a fresh look at the Proxies tab to confirm nothing has re-enabled the proxies.
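The check and the cleanup above as one script, added here as an example that is not code from the original post or from securemacos. It reads the system proxy state from `scutil --proxy` (the command-line view of the Proxies tab) to list which proxies are switched on, and it unloads each spi launch agent with `launchctl` before deleting it, so the running agent cannot recreate anything before the reboot. The `scutil --proxy` output embedded below is constructed to mirror an infected machine; the file paths are the ones the post lists, with the standard ~/Library/LaunchAgents location handled alongside the ~/LaunchAgents path as printed. The `networksetup` and `launchctl` steps only run on macOS.

```shell
#!/bin/sh
# Added example (not from the original post): list enabled system proxies and
# remove the spi artefacts named in the post, unloading launch agents first.

# Constructed sample of `scutil --proxy` output on an infected machine:
# HTTP and HTTPS proxies switched on and pointed at a local port.
SAMPLE_SCUTIL_PROXY='<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 1
  HTTPPort : 8080
  HTTPProxy : 127.0.0.1
  HTTPSEnable : 1
  HTTPSPort : 8080
  HTTPSProxy : 127.0.0.1
  SOCKSEnable : 0
}'

# Read `scutil --proxy` output on stdin; print "KIND host:port" for each
# proxy whose <KIND>Enable key is 1, sorted so the output is stable.
enabled_proxies() {
    awk '
        /^ *[A-Z]+Enable : 1$/ { k = $1; sub(/Enable$/, "", k); on[k] = 1 }
        /^ *[A-Z]+Proxy : /    { k = $1; sub(/Proxy$/, "", k); host[k] = $3 }
        /^ *[A-Z]+Port : /     { k = $1; sub(/Port$/, "", k);  port[k] = $3 }
        END { for (k in on) print k " " host[k] ":" port[k] }
    ' | sort
}

# Switch off the HTTP and HTTPS proxies on one network service (macOS only;
# the same thing as unticking them in the Proxies tab).
disable_web_proxies() {
    service=${1:-Wi-Fi}
    command -v networksetup >/dev/null 2>&1 || { echo "not macOS, skipping" >&2; return 0; }
    networksetup -setwebproxystate "$service" off
    networksetup -setsecurewebproxystate "$service" off
}

# Unload a launch agent (if launchctl is available), then delete its plist.
remove_launch_agent() {
    plist=$1
    [ -e "$plist" ] || return 0
    if command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist" 2>/dev/null || true
    fi
    rm -f "$plist"
}

# Remove the artefacts the post lists. The home and Applications directories
# default to the real ones; the self-test points them at a scratch tree.
remove_spi() {
    home=${1:-$HOME}
    apps=${2:-/Applications}
    for p in "$home/Library/LaunchAgents/spid.plist" \
             "$home/Library/LaunchAgents/spid-uninstall.plist" \
             "$home/LaunchAgents/spid-uninstall.plist"; do
        remove_launch_agent "$p"
    done
    rm -rf "$apps/spi.app" "$home/Library/SPI"
}

# Count how many of the spi artefacts are still present (0 means clean).
spi_artefact_count() {
    home=${1:-$HOME}
    apps=${2:-/Applications}
    n=0
    for p in "$home/Library/LaunchAgents/spid.plist" \
             "$home/Library/LaunchAgents/spid-uninstall.plist" \
             "$home/LaunchAgents/spid-uninstall.plist" \
             "$apps/spi.app" "$home/Library/SPI"; do
        [ -e "$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone run (`sh spi-cleanup.sh run`): report proxies, then clean up.
# Off macOS the constructed sample stands in for the live proxy state.
main() {
    if command -v scutil >/dev/null 2>&1; then
        scutil --proxy | enabled_proxies
    else
        printf '%s\n' "$SAMPLE_SCUTIL_PROXY" | enabled_proxies
    fi
    disable_web_proxies Wi-Fi
    remove_spi
    echo "artefacts remaining: $(spi_artefact_count)"
}
case "${1:-}" in run) main ;; esac
```

Run the report first and keep its output: the proxy host and port it prints are what the injected pages were being routed through, and checking that `enabled_proxies` prints nothing after the reboot is the quickest confirmation that the cleanup held.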

Thanks to securemacos for the help.