Mac OS X Isn’t Safe Anymore: The Crapware / Malware Epidemic Has Begun

OS X users like to make fun of Windows users as the only ones that have a malware problem. But that’s simply not true anymore, and the problem has increased dramatically in the last few months. Join us as we expose the truth about what’s really going on, and hopefully warn people about the impending doom.
Since it is actually Unix under the hood, OS X has some native protection against the worst types of viruses. But the problem these days isn’t viruses that completely break your computer, it’s spyware, crapware, and adware that sneaks onto your computer, hijacks your browser, inserts ads, and tracks what you are looking at. And much of it is legal, because you get tricked into clicking the wrong thing during an installer.

And now download sites, fake ads for software on search engines, and sketchy applications are bundling adware and crapware into installers for legitimate software. You can’t just assume you are safe anymore because you’re on OS X. You need to be careful what you download and what you click.
If you don’t think this is a big deal, think again. These pieces of adware insert themselves directly into the browser, and they are analyzing and running even on secure sites like your bank, credit card site, and email, sending back data to their servers. They aren’t using an HTTPS hijacking proxy quite yet from what we can tell during our research, but it’s only a matter of time, and they might already be doing it and we haven’t found the proof yet.
Since we are primarily Mac users ourselves here at How-To Geek, we’re really hoping that Apple takes a different tactic with this problem than Microsoft has with Windows and doesn’t allow these scam artists to destroy their platform.

Bundled Crapware for OS X is Getting Worse Every Day

This fake VLC installer is serving up insidious malware, one of the worst that we’ve come across.

It wasn’t that long ago that you could install almost anything for OS X from almost any website, and you didn’t really have to worry about what you clicked on. That’s just not true anymore, and while things are better than they are on Windows, it’s only a matter of time at this point.

You still have a safe source for software with the Mac App Store, but the problem is that not all vendors sell their software through the App Store, and many of them are selling older versions there and have the latest version on their own website. If you do stick to the App Store, you have nothing to worry about. We’d love to see Apple fix some of the App Store issues and make everybody use it.
Just like on Windows, you don’t have to look any further than CNET Downloads to find bundled crapware… even for Mac. That’s right, they’ve gone cross-platform with this nonsense. And they’ve made it worse, because you either have an Install button, or a Close button. There’s not even a Decline anymore! When you click Close, the installer shuts down entirely. So you either have bundled crapware that hijacks your browser, or you don’t get to install that app.

They are like the Old Faithful of bundled crapware. You can always count on them.

The one in the screenshot installs Spigot and a bunch of other nonsense that redirects your browser to Yahoo, installs a bunch of unwanted plugins, and generally makes the flying spaghetti monster cry. It’s amazing how much money Yahoo must be sinking into these things to hijack your browser to their search engine… when it’s not even theirs. Yahoo Search is really just a rebranded version of Bing. Oh well.
Oh my! On the next screen, the installer finally allows you to Decline something again! Maybe the thing in the screenshot is so bad even CNET Downloads doesn’t want to force it on you. Not a good sign.

Seriously, you should think twice before using anything that bundles itself.

Of course, it’s not just CNET Downloads doing the bundling — we found a number of other apps being distributed on freeware download sites that are doing their own bundling. For instance, YTD that loads HTTPS-hijacking adware for Windows has a Mac version. And they are also bundling Spigot. Want to torrent something? Why don’t you go download uTorrent from their website? Seems like people love using that. Ohhh.

Somebody must have forgotten to turn off the spigot on the crapware hose.

The problem gets much, much worse when you try to search for freeware using your favorite search engine. It’s worth noting here that Google has just recently starting trying to ban bundled crapware from their results and ads, but sadly Yahoo and Bing don’t have the same level of awesome. In fact, they are just terrible.
If you are an average, regular user and you search Yahoo for “vlc download,” you would be presented with something that looks like the next screenshot. And every single thing on the page is actually a link to a bundled crapware installer for VLC, and almost all of them are cross-platform and work on OS X. And the text that says “ad” is almost invisible.

Yahoo! It’s them there crapware that what people be talkin bout! Yeehaw!

When an unsuspecting user tries to use one of these installers, they will be presented with a screen similar to this one… which installs the InstallMac awfulness that hijacks everything and puts adware into your system — it’s terrible. And, of course, the next screen tries to get you to install something else that you don’t need. And then something else. It’s so much crapware.

I bet the VLC folks are so tired of seeing scammers do this to their great software.

We’ve found a lot more software that’s being served up this way, with a ton of installers from almost every bundled crapware installer company. Here’s an install wrapper for OpenOffice bundled with a really lousy piece of adware that just takes over your browser. Yeah, we searched Yahoo again for OpenOffice, and clicked on what we actually thought was the real site because their “ad” text was so small that we couldn’t tell the difference. And this is what came up.

This thing claims to be a “better online experience” for videos. But it injects ads everywhere.

It’s about to become an epidemic for Mac users. So what do we have to look forward to?

Adware and Malware on OS X is Almost as Awful as on Windows

Every couple of minutes your browser does this and the only option is to quit.

When you do manage to get infected with something, most of the adware, malware, and spyware on OS X is going to try to infect your browser somehow, hijacking your New Tab, search, and home pages, injecting ads into pages, and randomly popping up obnoxious tech support alerts. Most of it won’t wipe your hard drive or anything really terrible… but based on the increasing sophistication that we’re seeing, it’s only a matter of time.
Many of these browser hijackers will insert ads that pop up messages that cannot be dismissed no matter what you do, as you can see in the screenshot above. And they’ll randomly show up all the time while you’re browsing, and you have to CMD + Q to close the app out entirely to get rid of them. Essentially, your browser becomes completely useless.
The simplest adware will install itself into your browser as an extension, and reset all of your pages to go through their awful, terrible search engine. And by that we mostly mean Yahoo… but there are a ton of others like searchmoose, search-quick, and searchbenny that use their own fake search engines. A few of them will redirect you to Bing, but never directly. It’s always through an intermediary like Trovi.
Most of the ads that get injected will try to trick you into installing even more ads using fake Java plugin messages, or messages that tell you to install a codec or a new version of Flash. All of these are fake, of course, and will just install even more crapware and malware on your computer. Every now and then one of them will try to serve up a piece of Windows adware, but for the most part they are smart enough to know you’re a Mac user and serve up the appropriate piece of crapware.

Searchbenny is really Trovi which is really Bing. That isn’t a real Java message, it’s fake.

A lot of the adware will redirect your search engine to a fake search engine that looks a lot like Google or Bing, but all of the results are nothing but ads.
And then it will randomly start talking to you. Literally. It plays audio ads through your speakers. We heard an ad for Northrup Grumman. How crazy is that? (We’re quite certain that they don’t know about this.)

Auto-playing audio ads in the background? Sprinkles are for winners.

We just showed off some of the annoying adware, but much of the bundled crapware is pretty lousy stuff as well, and almost every single crapware bundler that we found, and almost every single adware ad tried to get us to install MacKeeper. We don’t know much about it, although we do plan to look into how it works because these tactics are questionable.

8 out of 10 shady crapware installers recommend it!

The biggest trend that we’ve noticed in adware is that almost all of it tries to redirect your browser and search engine to Yahoo. Somebody over there at Yahoo needs to get fired.

Digging Deeper: How Some of This Malware Actually Works

Would you like this on every shopping page you visit?

The simple adware works the way most adware does, by installing itself into Safari’s extensions, which is pretty easy to uninstall. The problem is that only a few pieces of adware worked this way in our research.

When GoldenBoy grows up, he becomes a supervillain.

All of the search engine hijacking, home page redirecting, and extensions injecting ads are one thing. The bigger problem is the serious malware, which installs itself deep into the operating system, and the average person would never be able to remove it. There’s no uninstaller, there’s no Startup item, there’s no plugins in your browser, extensions, or anything else that appears to be installed.
What there are, however, are really awful ads injected into everything you do, making your computer slower than dirt. Your search engine will be hijacked, and it’s possible that your browser will be routed through a proxy. This is outright malware, it’s not just adware anymore, even if you accidentally forgot to uncheck a box somewhere. It works the same way the Trovi malware does on Windows, by injecting itself into processes.
These more serious pieces of malware install themselves as a daemon, or service, that runs in the background and behind the scenes. You can find these things in the /Library/LaunchAgents or /Library/LaunchDaemons folder, which will have some really weird looking items that just don’t belong. This folder could also be used for real things from real applications, so don’t go cleaning out this folder entirely or anything.

All three entries launch the same process in different ways so it stays running.

An examination of the plist file will show you where the actual malware resides, which is usually in a completely separate folder.

That folder appears to be randomly named.

When you head into that folder and examine the Version.plist file, you’ll get some more information about what’s actually going on. This thing is called Search-Quick and it supports hijacking Chrome and Safari, as well as the Webkit nightly build for some reason.

That really long string that ends in .com? Somebody should shut that domain name down.

Examining further comes up with something curious… the person who wrote this malware wanted to give special thanks to his mom.

Somebody should find his mom and let her know what he’s been up to.

Once the malware is launched by OS X as a daemon, it then uses a little-known piece of functionality in OS X that allows one process to inject itself into another process. You can see how it works by opening a terminal and running the agent executable directly. What’s actually going on is that it will attach itself to your web browser and load itself as a hidden extension. In the screenshot below you can see that it activated for process ID 544, which was Google Chrome. It’ll do the same to Safari if it is open.

Based on lsof output it appears that this malware is using low-level dyld library injection to hijack your browser.

This means that adware or malware is running inside of your web browser, injecting itself into every page that you visit. It doesn’t matter if you are visiting a secure banking site or not, they are already inside. One of the side effects of this malware is that your entire computer will be extremely slow, all the time, no matter what you’re doing.
For some tips on removing adware and malware in OS X, you can read the Apple support document, or just wait for our upcoming articles on the subject. We’ll be doing a lot more research into all of these things.

So What Does This All Mean, and How Do You Protect Yourself?

The trusty App Store is your best bet for most things.

Even though we’ve shown that malware, adware, crapware, and spyware is getting increasingly worse on OS X, that doesn’t mean that you necessarily need to worry or go out and install Linux or do something drastic. OS X is still not being targeted as much as Windows is, and there are still some security measures in place that make it more difficult for malware to get through.
The safest thing that you can do is use the Mac App Store to install your applications whenever possible. These applications have been verified by Apple and should be just fine to use, and definitely won’t come with any bundled crapware or adware.
Restrict Apps that Aren’t From the App Store
This won’t entirely fix the problem, but you can configure OS X to automatically restrict any executables that don’t come from the App Store. This won’t apply to applications already installed on your computer, no matter where they come from. It will simply apply to new downloads.
Head to System Preferences -> Security & Privacy, click the Lock icon at the bottom, and then flip the setting over to Mac App Store instead of the default.

Once you do this, trying to run anything that isn’t in the App Store will automatically show a block message. You can choose to still open it if you right-click and choose Open and then choose Open again, but by default everything is blocked.

This doesn’t solve the issue of applications that you do want to install having bundled crapware that requires opting out by default. But it is a great security setting for your relatives.
When you do need to install an application from elsewhere, make sure it’s really a trusted source, and not a fake site serving up open source freeware with a bundleware wrapper.

You should also consider disabling your browser plugins — for Chrome and Firefox, that’s pretty easy, for Safari it’s a little more complicated. The biggest thing you can do is disable your Java plugin, because it’s pretty rare for you to need that, and because Java was responsible for 91% of attacks in 2013. This will reduce your likelihood of being targeted with a zero-day attack.
It might even be time to start considering an antivirus for OS X, at least if you like to install a lot of software from sources outside of the App Store. If you don’t, it’s probably not quite as big of a deal, but we’re getting closer to the point where it will be needed. What we’re not sure quite yet is what antivirus for Mac is even worthwhile and blocks this type of stuff — on Windows, most antivirus doesn’t block bundled crapware and adware at all, because they are legal since you had to agree during the install process. So don’t just go pay for some antivirus right now. Just keep it in mind for the future.
Other than that, just be careful what you click on, and don’t trust error messages that pop up in your web browser window. If you see something that says your computer is infected and pops up a message, hold down that CMD + Q shortcut key combination to close out of everything immediately.
There’s no better time for Windows users to switch to Mac. With this much crapware and adware being developed, they’ll feel right at home! (We’re joking, of course.)