How to detect and remove CrossRider malware on Mac
Before we start
Having spent some years coding applications for macOS, we’ve created a tool that everybody can use. The all-round problem fixer for Mac.
So here’s a tip for you: Download CleanMyMac to quickly solve some of the issues mentioned in this article. But to help you do it all by yourself, we’ve gathered our best ideas and solutions below.
Adware is a type of malware that, once your Mac or PC is infected, displays adverts for software and services that are, at best, highly questionable on websites you visit or directly as pop-up windows on your computer. CrossRider is a type of adware that comes in many different guises.
What is the new CrossRider variant?
Discovered in 2018, this new CrossRider variant is similar to other versions of CrossRider in that it is bundled with potentially unwanted programs (PUPs), such as Advanced Mac Cleaner, and masquerades as an apparently legitimate download. In this case, the download is a fake Adobe Flash updater, and the process involves a user arriving at a website that tells them they need to update Adobe Flash and supplying a link. If the user clicks the link, it downloads the fake Flash updater and installs the adware.
The new CrossRider variant also installs a profile in System Preferences called AdminPrefs. This profile, which has also been seen in browser hijackers like Any Search, forces Safari and Chrome to redirect their homepage to chumsearch.com. The profile also makes it impossible to change the homepage settings in both browsers without first removing the profile.
How to tell if CrossRider has infected your Mac
The most noticeable change will be what you see as soon as you launch Safari or Chrome since your homepage will have changed from whatever you had it set at to chumsearch.com.
There’s no evidence that CrossRider will do any damage to your Mac. However, by redirecting your homepage, it allows hackers to gather information about the sites you visit and what you do on those sites. It also allows it to display adverts and otherwise make your browsing experience much less enjoyable. It could also slow down your Mac by consuming resources, such as RAM, to display ads or for other purposes.
The latest CrossRider variant uses a fake Adobe Flash Updater to install itself on your Mac. To avoid it and other malware, you should never click on a link in any window that tells you that you need to update Flash. Here's how it tries to sneak onto your Mac:
If you still have Flash installed on your Mac and want to keep it, click on the Flash Player pane in System Preferences, and choose the Update tab. If you haven’t got it set to “Allow Adobe to Install Updates,” choose “Check for Updates.” That’s the only method you should use for updating Flash. If you don’t use it or don’t know if you use it, uninstall it.
How to remove CrossRider manually
Step 1: Remove it from your Applications folder
1. Go to your Applications, locate Advanced Mac Cleaner (since CrossRider is bundled with it), and drag it to the Bin. Empty the Bin.
2. Click on the Apple menu and choose System Preferences.
3. Look in the bottom row for a pane called Profiles and click on it.
4. Click on AdminProfiles and press the “-” at the bottom left of the window.
This will remove malicious admin profiles installed by the virus.
Step 2: Remove CrossRider from Safari
Even after you’ve trashed the Advanced Mac Cleaner app and removed the AdminProfiles malware, your Safari settings are still set to redirect your homepage to chumsearch.com. To change that, do the following:
1. Launch Safari and choose Preferences from the Safari menu
2. Choose the General tab, and in the Homepage text box, enter the name of the website you want to use as your browser homepage.
3. Now, go to the Search tab and change the search engine to the one you want to use as the default
Step 3: Remove CrossRider from Chrome
1. Launch Chrome.
2. Do one of the following:
a: Choose the Settings icon (three dots) on the left of the window.
b: Type “chrome://settings” into the address bar.
3. Choose “on startup” and check the button next to “Open a specific page or set of pages.”
4. Click the More button (three dots on top of each other).
5. Select “edit” and type the address of the homepage you want to use.
6. Click Save.
7. Go to Settings again and this time, choose “search engine.”
8. Select “manage search engines” and press the More button next to chumsearch.com, then choose “delete.”
9. Click on the dropdown menu next to “Search engine used in address bar” and pick the search engine you want to use.
How to remove Crossrider in a click
That’s quite a long process with several steps. Thankfully, there is an easier way. CleanMyMac X has a malware utility that recognizes CrossRider and can remove it from your Mac at the press of a button. If the CrossRider virus is on your Mac, you should see the following alert:
CleanMyMac’s malware database is updated regularly, and so it knows about all the latest malware threats. When you select it and press Scan, it scans your Mac for malware. If it doesn’t find anything, it gives your Mac a clean bill of health. If it does find something, it shows you the entire list and allows you to either remove it at the press of a button or review the results first and then remove it. Because it knows where all the different elements of each piece of malware are stored, it can remove them all in one go.
Just follow these steps:
1. Download and install CleanMyMac X, then launch it.
2. Choose the Malware Removal utility.
3. Press Scan.
4. Press Remove.
The latest CrossRider variant masquerades as an update to Adobe Flash and is bundled with an app called Advanced Mac Cleaner. It also installs a Profile in System Preferences that changes settings in Safari and Chrome in order to redirect your browser homepage.
To avoid downloading it, never update Flash from anywhere else but its own System Preferences pane. If you’ve already been infected, you can remove it manually following the steps above or using the Malware Removal utility in CleanMyMac X.
