I think I may have noticed a flaw in the F-Secure article (here). I noticed that in the Ars article (here) covering the malware, they check the Safari and Firefox app bundles which made me think that this malware modifies the app bundle for the browser used by the user and not necessarily Safari itself. I never use Safari so I imagine that checking the Safari app bundle is utterly useless if this is the case.

Does anyone know if the malware modifies Safari and/or Firefox regardless or does it modify the browser used when the malware was installed on the machine?