FacebookTwitterLinkedIn

MacOS Bundlore Virus (Mac)

Also Known As: MacOS Bundlore (Crossrider) adware
Type: Mac Virus
Damage level: Medium

What is MacOS Bundlore?

MacOS Bundlore (also known as Crossrider) or is a family of deceptive software installers that allow criminals to proliferate ("bundle") adware-type applications (such as CinemaPlusPro, FlashMall, MyShopcoupon, etc.) together with regular apps. Adware-type apps typically offer 'useful features' and most may seem legitimate.

After infiltration, however, these programs deliver intrusive advertisements and gather sensitive information.

MacOS Bundlore scam

MacOS Bundlore overview

Adware-type apps deliver intrusive advertisements using tools that enable placement of third party graphical content on any site. Therefore, coupons, banners, pop-ups, and other ads that often conceal underlying content, thereby significantly diminishing the browsing experience.

Furthermore, they can lead to malicious websites and execute scripts that download and install malware. Even a single click can result in high-risk computer infections. As mentioned, adware-type apps also collect user-system information.

Internet Protocol (IP) addresses, queries entered into search engines, URLs of visited pages and other information that may include personal details. It is common that those details are shared with third parties (potentially, cyber criminals). Third parties misuse shared information to generate revenue.

Research shows that apps from Bundlore family target details such as a unique identifier for the computer, user name, macOS version, Safari and Chrome version, list of entries in the Applications folder, list of installed agents and daemons, list of installed system configuration profiles and/or version of the installed antivirus software or other security software that is designed to remove malware. 

Also, apps from this family often get installed as browser extensions and collect data that is displayed on websites or is entered into forms on a websites. It is possible that those apps may be capable of accessing sensitive data, such as usernames, passwords, and credit card numbers.

Therefore, having data-tracking apps installed on your computer can lead to serious privacy issues or even identity theft. We strongly recommend that you uninstall all adware-type applications immediately.

Threat Summary:
Name MacOS Bundlore (Crossrider) adware
Threat Type Mac malware, Mac virus
Detection Names Avast (MacOS:Bundlore-CJ [Adw]), DrWeb (Adware.Mac.Bundlore.227), Kaspersky (Not-a-virus:HEUR:AdWare.OSX.Bnodlero.x), NANO-Antivirus (Riskware.Script.Adware.fvryso), Full List (VirusTotal)
Symptoms Your Mac became slower than normal, you see unwanted pop-up ads, you get redirected to shady websites.
Distribution methods Deceptive pop-up ads, free software installers (bundling), fake flash player installers, torrent file downloads.
Damage Internet browsing tracking (potential privacy issues), displaying of unwanted ads, redirects to shady websites, loss of private information.
Malware Removal (Mac)

To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
▼ Download Combo Cleaner for Mac
To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

There are hundreds of adware-type applications, all of which are very similar. As mentioned, these programs typically offer "useful features".

In doing so, potentially unwanted applications (PUAs) attempt to give the impression of legitimacy, however, their only purpose is to generate revenue for the developers. Rather than giving any real value for regular users, PUAs deliver intrusive advertisements and gather sensitive information, thereby posing a direct threat to your privacy and Internet browsing safety.

How did potentially unwanted programs install on my computer?

As mentioned, MacOS Bundlore's installers "bundle" adware. Therefore, due to the lack of knowledge and careless behavior of many users, potentially unwanted applications often infiltrate systems without consent. Developers do not disclose PUA installations properly. Therefore, adware-type apps are often concealed within various sections (e.g., "Custom/Advanced" settings) of the download or installation processes. Furthermore, many users are likely to rush these procedures and skip steps, thereby exposing systems to risk of various infections and putting users' privacy at risk.

How to avoid installation of potentially unwanted applications?

The key to computer safety is caution. Therefore, to prevent system infiltration by potentially unwanted applications, be very cautious when downloading/installing software and browsing the Internet. Select "Custom/Advanced" settings and carefully analyze each window of the download/installation dialogs.

Opt-out of all additionally-included programs and decline offers to download/install them. We advise you to download software from official sources only, using direct download links. Unofficial downloaders/installers should never be used, since developers monetize them by promoting ("bundling") PUAs.

As well as using the "bundling" method, adware developers often proliferate these programs using intrusive advertisements. Developers invest many resources into intrusive ad design, thereby making them seem legitimate, however, the ads often lead to dubious websites (gambling, adult dating, pornography, and so on).

If you encounter these ads, immediately eliminate all dubious applications and browser plug-ins. If your computer is already infected with PUPs, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.

Most commonly adware from "Bundlore" family install via fake Adobe Flash Player updaters:

Appearance of MacOS Bundlore scam (GIF)

List of .plist files modified by MacOS Bundlore virus:

  • ~/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.Extensions.plist
  • ~/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist
  • ~/Library/Preferences/com.apple.Safari.SandboxBroker.plist
  • ~/Library/Preferences/com.google.Chrome.plist
  • ~/Library/Safari/Bookmarks.plist
  • ~/Library/Safari/Extensions/Extensions.plist

List of domains related to MacOS Bundlore virus:

  • auctioneer.50million[.]club
  • cdn.macmymacupdater[.]com
  • cdn.mycouponsmartmac[.]com
  • cdn.myshopcouponmac[.]com
  • events.blitzbarbara[.]win
  • events.macinstallerinfo[.]com
  • events.mycouponsmartmac[.]com
  • events.ponystudent[.]com
  • otcct.beforeoctavia[.]site
  • secure.mycouponsmartmac[.]com
  • service.ezsoftwareupdater[.]com
  • service.macinstallerinfo[.]com
  • software.macsoftwareserver05[.]com

List of adware-type applications relating to MacOS Bundlore virus:

BestSmart Shoppers BestWebShoppers
CoolShopper Couponizer
Easy-Shopper EasyShopper
FlashMall HotShoppy
LiveShoppers MyCouponize
MyShopBot MyShopcoupon
MyShopMate ShopTool
Shopperify Shoppinizer
Smart-Shoppy SmartShoppy
SurfBuyer SurfMate
WebShoppers WebShoppy

Update September 13, 2019 - Cyber criminals have updated MacOS Bundlore a number of times since it first release and, thus, its behavior has changed.

First of all, MacOS Bundlore uses a different technique to manipulate web browsers' search settings. In the past, MacOS Bundlore was using malicious browser extensions. Since MacOS 10.13 release, however, MacOS Bundlore achieves this by creating new device profiles, because the previous method is no longer working due to newly-added MacOS security features.

Now it is worth mentioning that MacOS Bundlore performs a chain of actions to inject rogue applications into the system. Initially, a bash script ("Install.sh") connects to a remote server and downloads an archive containing an app named "mm-install-macOS".

Once executed, this app connects to a remote server and downloads/executes scripts necessary to install unwanted applications. Now it is worth mentioning that password of the user is necessary for MacOS Bundlore to communicate with the system.

In order to extract the password, MacOS Bundlore prompts a pop-up window pretending to be MacOS and asks user to enter the password. Once entered, the password is saved and used for further actions. MacOS Bundlore consists of three main components:

1) MyMacUpdater (responsible for communication with Command & Control (C&C) server in order to keep the infection up-to-date); 2) WebTools (responsible for bypassing MacOS security, changes of browsers' behavior, persistence achievement, and installation of ad-delivering tools), and; 3) ad-delivering tool which injects JavaScript into browsers by using AppleScript.

Update June 29, 2020 - MacOS Bundlore has been updated in order to target the newest version of the Safari browser. Since Safari 13 is longer compatible with the old Safari Extension format (.safariextz), developers of both legitimate and questionable software have been pushed to update their products in accordance. These changes in formatting have not escaped the notice of MacOS Bundlore developers. Several new installers have been released containing payloads compatible with the new Safari App Extension format (.appex).

IMPORTANT NOTE! As mentioned above, MacOS Bundlore uses device profiles to alter web browsers' behavior. Therefore, before taking any further removal steps, perform these actions:
1) Click the "Preferences" icon in the menu bar and select "Profiles"

pavadinimas preferences step 1

2) Select the "AdminPrefs" profile and delete it.

pavadinimas preferences step 2

3) Perform a full system scan with Combo Cleaner anti-virus suite.

After performing these actions, you can proceed with further removal steps for this browser hijacker.

Instant automatic Mac malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

Video showing how to remove adware and browser hijackers from a Mac computer:

Potentially unwanted programs removal:

Remove PUP-related potentially unwanted applications from your "Applications" folder:

mac adware removal from applications folder

Click the Finder icon. In the Finder window, select “Applications”. In the applications folder, look for “MPlayerX”,“NicePlayer”, or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Remove adware-related files and folders

Mac Go To Folder step

Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...

Mac removing related files and folders - step 1Check for adware generated files in the /Library/LaunchAgents/ folder:

Mac go to /Library/LaunchAgents - step 1

In the Go to Folder... bar, type: /Library/LaunchAgents/

Mac go to /Library/LaunchAgents - step 2

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Mac removing related files and folders - step 2Check for adware generated files in the ~/Library/Application Support/ folder:

Mac go to /Library/Application Support - step 1

In the Go to Folder... bar, type: ~/Library/Application Support/

Mac go to /Library/Application Support - step 2

In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.

Mac removing related files and folders - step 3Check for adware generated files in the ~/Library/LaunchAgents/ folder:

Mac go to ~/Library/LaunchAgents - step 1

In the Go to Folder... bar, type: ~/Library/LaunchAgents/

Mac go to ~/Library/LaunchAgents - step 2

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Mac removing related files and folders - step 4Check for adware generated files in the /Library/LaunchDaemons/ folder:

Mac go to /Library/LaunchDaemons - step 1

In the "Go to Folder..." bar, type: /Library/LaunchDaemons/

Mac go to /Library/LaunchDaemons - step 2

In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.

Mac removing malware related files and folders - step 5Scan your Mac with Combo Cleaner:

If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.

Mac remove malware with Combo Cleaner - step 1

Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.

Mac remove malware with Combo Cleaner - step 2

After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

Remove malicious extensions from Internet browsers

Safari iconRemove malicious Safari extensions:

Removal of malicious extensions in Safari - step 1

Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".

Removal of malicious extensions in Safari - step 2

In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.

Google Chrome logoRemove malicious extensions from Google Chrome:

Removal of malicious extensions in Google Chrome - step 1

Click the Chrome menu icon Google Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".

Removal of malicious extensions in Google Chrome - step 2

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.

Mozilla Firefox logoRemove malicious extensions from Mozilla Firefox:

Removal of malicious extensions in Mozilla Firefox - step 1

Click the Firefox menu firefox menu icon (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".

Removal of malicious extensions in Mozilla Firefox - step 2

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.

Frequently Asked Questions (FAQ)

What harm can adware cause?

Adware can decrease browsing quality and system performance. Significant threats are posed by content endorsed through adware-delivered ads (e.g., system infections, privacy issues, financial losses, etc.). Additionally, advertising-supported software usually has data-tracking abilities – hence, it is considered a privacy threat.

What does adware do?

Adware is designed to run intrusive ad campaigns. The software's primary functions include displaying adverts on various interfaces, generating redirects, and collecting private data.

How do adware developers generate revenue?

Adware developers profit mainly via affiliate programs by endorsing various websites, apps, extensions, products, services, etc.

Will Combo Cleaner remove adware?

Yes, Combo Cleaner will scan your device and eliminate all adware-type applications that are installed. Keep in mind that manual removal (performed without security tools) might not be ideal. In some cases, after the advertising-supported software has been manually removed – various leftovers (files) stay hidden within the system. The remaining components can continue to run and cause issues. Therefore, it is paramount to eliminate adware and other unwanted software thoroughly.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
MacOS Bundlore (Crossrider) adware QR code
Scan this QR code to have an easy access removal guide of MacOS Bundlore (Crossrider) adware on your mobile device.
We Recommend:

Get rid of Mac malware infections today:

▼ REMOVE IT NOW
Download Combo Cleaner for Mac

Platform: macOS

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.