
New adware Pipidae is spreading on macOS devices

Ray Fernandez

Dec 7, 2023 (4 min read)


For the past month, Mac users have been complaining on social media and forums about an annoying popup. This macOS security popup takes over screens, giving out the following warning: “Pipidae will damage your computer. You should move it to the Bin.”

Unfortunately, hitting the “Move to Bin” button doesn’t solve the problem at all. Let’s look at what Pipidae is, what it can do, and some advice on how to get rid of it. 

A closer look at the Pipidae malware 

Pipidae malware belongs to the adware family. Joe Sandbox classified the adware as a Malicious Evader, something Mac users are learning the hard way, as getting rid of it seems to be nothing short of a nightmare.  

As adware, Pipidae breaches macOS devices to take over their browsers. From there, it will change browser and system settings and constantly redirect users to websites (often malicious) while running endless unwanted ad campaigns.  

The main goal of attackers who distribute adware in massive campaigns such as these is to obtain financial gains from forced ad revenue. But Pipidae can lead to more dangerous things.

The Pipidae macOS alert is real

By redirecting users to malicious sites and bombarding them with ads and banners, potential victims might end up downloading additional malware that can steal their data. Examples of malicious sites that Pipidae redirects users to include Search Alpha, a fake search engine identified as a browser hijacker. Pipidae will also redirect users to fake online malware scanners and other dangerous sites.

Pipidae can also impact the performance of your Mac. It will make Pipidae your homepage and default search engine and modify your browser settings to launch the adware-defined content every time you open a new tab page. The adware is also reported to be capable of tracking your browser data, search history, and any passwords or credentials you have saved on your browser.

One of the sites Pipidae directs users to is the infamous fake search engine Search Alpha.

Getting rid of Pipidae is a problem

We understand that Mac users affected by this adware just want to end the never-ending macOS Pipidae popups. However, the problem is not the popup itself but what’s happening behind the curtains. 

While some pieces of malware are, in fact, coded to simulate macOS system notifications, Pipidae is not. This means that if you are seeing a Pipidae warning on your Mac, your macOS system is warning you that something is wrong. 

Users have every right to ask themselves, “If my Mac can detect the Pipidae malware and has warned me about it, why won’t it just get rid of it when I click on Move to Bin?” If only it were that simple.

Pipidae adware creates a great number of files that are spread across your computer, and some of these files allow it to “regenerate,” even when macOS built-in security trashes the malicious file it detected. The malware gains a foothold on your macOS device, usually by hiding in freeware downloads, and creates apps and files in your browser folder, the extensions folder, the Applications folder, the LaunchAgents folder, the Library’s LaunchDaemons folder, and the Application Support folder. It also creates a Login Item and modifies profile configurations to create a new User Profile.

Is manually removing Pipidae myself a good idea?

As Pipidae-affected victims increase in number and the malware gains popularity, many cybersecurity experts and websites have begun to list different step-by-step methods for those impacted to manually remove Pipidae themselves. 

The problem with removing this type of malware single-handedly is that the process involves deleting files in the system folder, hidden folders, and other key configuration areas. Manual deletion of Pipidae means deleting the app, searching through several folders, and deleting browser extensions and browser files, as well as User Profile data.

While this is not impossible, users must understand that deleting a file that is key to their system can cause greater damage. Furthermore, there is no guarantee that following the technical steps listed online (which differ from website to website) will completely remove the adware. 

Additionally, Pipidae generates random names for the files it conceals throughout your system, so even if you get to the right folder and go through the list of files looking for something suspicious, you still might overlook the malicious files. Some reports claim that Pipidae file names usually contain the word “Pipidae,” but that is not always the case.
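
An added example, not from the original article: a read-only Python inventory of the LaunchAgents and LaunchDaemons folders mentioned above, showing what each entry actually launches and why a filename search for “Pipidae” alone misses randomly named entries. The function names and the review heuristics are assumptions for illustration, not confirmed Pipidae indicators.

```python
import plistlib
from pathlib import Path

# launchd folders named in the article (per-user and system-wide).
DEFAULT_DIRS = [Path.home() / "Library/LaunchAgents",
                Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]

def launch_target(job):
    """Return the executable a launchd job starts, or None if unspecified."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None

def review_reasons(plist_name, job, keyword):
    """Assumed review heuristics; they are not Pipidae signatures."""
    target = launch_target(job) or ""
    reasons = []
    if keyword in plist_name.lower() or keyword in target.lower():
        reasons.append("name match")
    if "Application Support" in target:
        reasons.append("runs from Application Support")
    if any(part.startswith(".") for part in Path(target).parts):
        reasons.append("hidden path component")
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        reasons.append("starts or restarts automatically")
    return reasons

def audit_launch_items(dirs=DEFAULT_DIRS, keyword="pipidae"):
    """Read-only inventory: one record per plist, nothing is modified."""
    findings = []
    for folder in map(Path, dirs):
        if not folder.is_dir():
            continue
        for path in sorted(folder.glob("*.plist")):
            try:
                with path.open("rb") as fh:
                    job = plistlib.load(fh)
                record = {"target": launch_target(job),
                          "reasons": review_reasons(path.name, job, keyword)}
            except Exception as exc:  # malformed or unreadable plist
                record = {"target": None, "reasons": [f"unreadable: {exc}"]}
            findings.append({"plist": str(path), **record})
    return findings

if __name__ == "__main__":
    for item in audit_launch_items():
        print(item["plist"], "->", item["target"], "|", item["reasons"])
```

Many legitimate applications also install auto-starting launchd jobs, so a flagged entry is a prompt to check what the target is, not proof that it is malicious.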

We do not claim that users aren’t capable of manually deleting this malware themselves. Nor are we stating that instructions found online for manual Pipidae removal are incorrect. We just want to point out the challenges and dangers of these processes.

Our advice for regular Mac users is to run trusted Mac antimalware software to fully remove this adware and get rid of not just the annoying popup, but all the files and remnants of Pipidae hidden in your computer.

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. macOS is a trademark of Apple Inc.

Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.