Thomas Reed, lead researcher at Malwarebytes, told us that he found the malware on a scam page hosted on the official Advanced Mac Cleaner website …
It does rely on a naive user approving a request to install Advanced Mac Cleaner on their machine, but doing so also installs a second app known as Mac File Opener. Reed said that it wasn’t initially obvious how the app could force users to launch it.
But some digging found that the Info.plist file within the app defined a list of 232 different file types that it claimed to be able to open. If a user tries to open a file for which they don’t have a corresponding app, it will be opened by Mac File Opener which then presents a reasonably convincing fake version of the normal OS X dialog box advising that no suitable app is installed.
The fake dialog box links to the macfileopener[dot]com website, which downloads other junk PCVARK apps, such as Mac Adware Remover or Mac Space Reviver. All the apps have a valid, Apple-provided developer certificate, so OS X will happily install them without any warning.
It may be worth reminding your less-technical friends to stick to the official Mac App Store, and to ensure that they check for the above fake dialog trying to direct them to the web. Although there is very little Mac malware in the wild, examples do exist, along with a fair sprinkling of scamware.