Hi @tschoonj,
Thank you for the heads-up! I unfortunately stumbled upon the same issue on a machine yesterday, so there might be a new campaign being pushed.
Key Points:
- There unfortunately is a family of malicious software that uses mitmproxy’s code under the hood to redirect users’ traffic.
- We – the mitmproxy developers – are in no way affiliated with this and condemn the criminals’ activities. Unfortunately, we cannot stop them including our code in their software.
- Our software is unfortunately mis-used for malicious purposes here. We are sorry if you have been infected. We would like to emphasize that we actively fight “on the other side”: Mitmproxy is regularly used to improve software security, uncover privacy violations, etc.: https://mitmproxy.org/publications/.
More technical commentary:
The name (MajorSignalSearch in your case) seems to be randomized. Malwarebytes classifies it as Adware.OperatorMac
. They have a blog post describing the phenomenon:
https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/. Mitmproxy is not the only tool that could be used for this, some other malware families are using Titanium Web Proxy for example (https://www.airoav.com/mitm-proxy-a-new-search-hijack-method-on-mojave/).
Best,
Max