Last month, Ars chronicled a Mac app that brazenly exploited a then unpatched OS X vulnerability so the app could install itself without requiring people to enter system passwords. Now, researchers have found the same highly questionable installer is accessing people's Mac keychain without permission.
The adware taking these liberties is distributed by Israel-based Genieo Innovation, a company that's long been known to push adware and other unwanted apps. According to researchers at Malwarebytes, the Genieo installer automatically accesses a list of Safari extensions that, for reasons that aren't entirely clear, is stashed inside the Mac Keychain alongside passwords for iCloud, Gmail, and other important accounts.
Genieo acquires this access by very briefly displaying a message asking for permission to open the Safari extensions and then automatically clicking the accompanying OK button before a user has time to respond or possibly even notice what's taking place. With that, Genieo installs an extension known as Leperdvil. The following three-second video captures the entire thing: