How to remove Odyssey Stealer (Mac)

What is Odyssey Stealer

Odyssey Stealer is a sophisticated piece of malware specifically targeting macOS systems, designed to extract sensitive information from infected devices. This malicious software infiltrates systems primarily through deceptive means, such as fake Google Chrome installers and malicious advertisements, masquerading as legitimate software to deceive users into downloading it. Once inside a system, Odyssey Stealer operates stealthily, accessing and exfiltrating a wealth of sensitive data, including passwords stored in the macOS Keychain, browser histories, and login credentials from various web browsers like Chrome, Firefox, and Safari. It also poses a significant threat to cryptocurrency enthusiasts, as it can target and extract private keys and other sensitive information from crypto wallets and related browser extensions. The consequences of an Odyssey Stealer infection can be dire, potentially leading to identity theft, unauthorized access to personal accounts, and significant financial losses. Users are advised to remain vigilant, ensuring their software is downloaded from trusted sources and keeping their security tools updated to mitigate the risks posed by this and other similar threats. Immediate removal using trusted antivirus solutions is crucial to protect personal and financial information from being compromised.

How Odyssey Stealer infected your system

Odyssey Stealer, a variant of the AMOS malware family, primarily targets macOS systems by masquerading as legitimate software. One common method of infection involves fake Google Chrome installers, which are distributed through unofficial websites, deceptive ads, and pop-ups that entice users to download them under the guise of a legitimate update or application. Once downloaded and executed, the malware discreetly integrates itself into the system, gaining access to sensitive data like login credentials, financial information, and crypto wallet details. Cybercriminals also employ phishing emails and exploit software vulnerabilities to spread Odyssey, often using enticing subject lines or messages that trick recipients into opening malicious attachments or clicking on harmful links. Once embedded in the system, Odyssey operates quietly, extracting valuable information while remaining undetected by the user. To mitigate the risk of infection, users should only download software from official sources, maintain up-to-date security software, and exercise caution with unsolicited emails and advertisements.

Remove Odyssey Stealer from macOS manually

Removing Odyssey Stealer from macOS requires a systematic approach that involves a combination of built-in tools, safe computing practices, and sometimes third-party software. Here’s a comprehensive guide to identifying and removing viruses from your Mac, ensuring your system’s integrity and security.

Step 1: Disconnect from the Internet

1. Disconnect your Mac from the Internet. This prevents the virus from sending data to its creator or downloading more malicious software. Turn off Wi-Fi and unplug any Ethernet cables.

Step 2: Enter Safe Mode

2. Restart your Mac in Safe Mode. Safe Mode performs a check of your startup disk and restricts certain software from automatically loading or opening.
   • For Intel-based Macs: Restart your Mac and immediately press and hold the Shift key until you see the login window.
   • For Apple Silicon Macs: Turn off your Mac, press and hold the power button until you see the startup options window, select your startup disk, press and hold the Shift key, then click Continue in Safe Mode.

Step 3: Use Built-in Tools for Malware Removal

3. Use Finder to identify and remove suspicious applications.
   • Open Finder, go to the Applications folder, and look for any applications you don’t recognize or didn’t intentionally download.
   • Right-click the suspicious application and select Move to Trash, then empty the Trash.
4. Use macOS built-in malware removal tool (MRT). macOS automatically runs MRT in the background, but you can manually run a malware scan by updating your software.
   • Go to System Preferences > Software Update.
   • Install any available updates, as these often include the latest security improvements and malware definitions.

Step 4: Check and remove Odyssey Stealer from Login Items

Note: Odyssey Stealer may set up to start on macOS startup. Therefore, before starting the removal, perform these steps:

1. Open System Preferences, choose Users & Groups.
2. Choose your account (set up as Current User).
3. Click Login Items tab.
4. Find suspicious entries. Select it, and click the “-“ (minus) button to remove them.

Step 5: Check and remove Odyssey Stealer Malicious Device Profile

Important update: Odyssey Stealer can install malicious Device Profile called AdminPrefs or similarly on MacOS, that won’t allow users to make changes to browser search engine and homepage settings. Follow instructions below to remove this profile.

Remove Odyssey Stealer profile

1. Go to System Preferences and click on Profiles.
2. In the list of profiles on the left side, choose AdminPrefs or other profile and click on “-” button to remove it.
3. In your case it can be named differently, in this case remove all visible profiles. Check the picture below to see how it looks like.

Step 6: Reset Your Web Browsers

Reset Safari:

1. Start Safari on your Mac, click Safari to open drop-down menu and choose Preferences
2. Go to the Privacy section of Safari’s preferences.
3. Click Remove All Website Data button.
4. In the opened window, click Remove Now button to remove data stored by websites in Safari.
5. Go to the Advanced section of Safari’s preferences.
6. Click the Show Develop menu in menu bar option.
7. In the menu, click Develop and select Empty Caches from this menu.
8. Again, go to Safari menu and choose Clear History….
9. Choose to clear all history and click Clear History button.

Reset Google Chrome:

1. Start Google Chrome browser
2. In address box type (or copy-paste) chrome://settings.
3. Scroll down and find Show advanced settings link.
4. Click on it and scroll down to the bottom again.
5. Click Reset settings button and click Reset to confirm.

Reset Mozilla Firefox:

1. Start Mozilla Firefox browser.
2. In address box type (or copy-paste) about:support.
3. Click Refresh Firefox… button.
4. Click Refresh Firefox to confirm.

Step 7: Restore from a Backup

8. If the issue persists, consider restoring your Mac from a backup.
   • Use Time Machine or another backup system to restore your Mac to a state before it was infected.
   • Ensure the backup you choose predates the malware infection.

Prevention Tips

• Keep your macOS updated. Regularly check for and install macOS updates to ensure you have the latest security patches.
• Be cautious with downloads and attachments. Only download software from trusted sources like the Mac App Store or official websites.
• Use strong passwords and enable two-factor authentication (2FA) where possible.
• Consider enabling the macOS firewall in System Preferences > Security & Privacy.
• Regularly back up your Mac using Time Machine or another backup solution to ensure you can recover your system if needed.

Following these steps should help you remove most viruses from your Mac. If you continue to experience issues, consider seeking help from Apple Support or a professional cybersecurity service.