MacUpdate Adware Installers
Following Mr. Urdaneta’s hints, I sought out the Skype page on the MacUpdate site and downloaded the app. The result was a file named Skype Installer.dmg, which seems legit on first glance. However, opening this disk image file results in a MacUpdate installer, very similar to the adware-riddled custom installers used by sites like Download.com and Softonic.
Sure enough, when running this installer, it will display a license agreement that the user is likely to click right past, giving the installer the right to change the browser’s settings and install a “Search-Assist” browser extension[…]
This is behavior exhibited by many adware installers these days, and this particular license agreement is identical to the ones being used by the InstallCore adware. And sure enough, once the installer is finished, an InstallCore browser extension ends up installed in Safari[…]
I download from MacUpdate all the time and had never seen this. However, I found that the Firefox (Stable Version 41.0) download mentioned in the comments does download a “MacUpdate Installer” rather than the normal Firefox. The 1Password download is also not the actual 1Password. This only happens when I’m not logged into the site.
In contrast, the SpamSieve, BBEdit, and MarsEdit downloads are pristine even when I’m logged out. It looks like the installers are being downloaded from macupdatefiles.com, whereas the others are direct from the developers’ sites. So perhaps this has to do with the (seemingly removed) option where the developer could opt in (I think—it might have been opt out) to having MacUpdate host the downloads. I’ve always had that box unchecked for my apps.
Update (2015-11-06): Weaselboy:
If you look in the user reviews on the site for Skype there is some discussion of this issue and a comment from the site’s editor Joel Mueller acknowledged they are including adware with the installer. I have screen capped some excerpts here.
Update (2015-11-16): John Brayton:
MacUpdate is adding adware to more apps. Cyberduck is the latest.
Update (2015-11-29): David Kocher:
We therefore urge users to refrain from downloading Cyberduck from download sites such as download.com, softonic.com or macupdate.com which are or have in the past distributed adware (advertising-supported installers) without our consent.
Update (2015-12-08): Pixelmator and Skim now have MacUpdate installers.
Update (2016-01-20): Adam Chandler:
Today, I was downloading the Time Lapse Encoder tool to assemble some photos I took with the GoPro and I was greeted with an installer DMG that wasn’t the one the developer used. it was some strange package with a Macupdate logo and a prompt to install Yahoo extensions and make Yahoo my homepage.
Update (2016-04-10): Keith Gugliotto:
What matters right now, though, is if you read between the lines, MacUpdate isn’t planning to do anything about how some folks out there may experience that dreadful shiver I mentioned earlier when they perceive PUA.OSX.InstallCore is a bona fide threat to their data, identity, and finances. Causing users any kind distress is not cool with us.
I’m gonna throw [this link] into the mix. Search for “MacUpdate” on that page and you’ll find it occurs 82 times, with some pretty clear indications this isn’t just our imagination – others aren’t really taking to MacUpdate Installer, either. Alarm, disgust, distrust. All reactions you want associated with your brand, right?
[…]
Here’s hoping MacUpdate updates MacUpdate Installer so that it doesn’t trip alarms in common malware scanners, or they get in touch with those malware scanner developers to see if they can prevent MacUpdate Installer from being called out as truly infected.
Update (2016-05-24): MacUpdate started using their installer for my DropDMG app but stopped when I asked.
2 Comments RSS · Twitter
This came up at last nights' Boston Macintosh Users Group meeting.
Personally, as someone who supports Macs for a living, this is a shame, as it means I can no longer trust MacUpdate to have my clients download software from there, if I don't know whether they will be installing adware/crapware that they will then have to pay me to uninstall, or I'll have to uninstall under their support contract (thus making more work for me).
It's even more of a shame, as I've bought several of the MacUpdate Bundles in the past including their Fall one, just a couple of months ago.
I also think that this behaviour - re-wrapping packages without the devs consent, actually crosses several ethical boundaries. So, yes I will single out MacUpdate, because I expect more from from them. "Behaviour that is rewarded is repeated" - Cordelia Vorkosigan. Whoever is doing it, they should be hammered for doing this kind of thing.
As a result, I plan to A) email MacUpdate to "register my displeasure" and B) find out if it makes sense to report this to Apple and work towards getting them to add this kind of thing to Gatekeeper, if that's feasible.
The last thing I want is to have OS X turn into the kind of user minefield that Windows has been.
This is a growing trend. In this specific case, MacUpdate reverted the Skype download to the official one. You mentioned being logged in. There is much more to it than that. There is your OS and browser version. Your referral URL. Your IP address. Various other tracking agents. All of this can be analyzed in real-time to determine whether you are an influential blogger or a newbie. The blogger downloads, tests, finds no adware, and recommends. Within minutes, all the newbies get adware. While I'm not an influential blogger, I have been the chump who recommended an adware-laded app I had tested as safe only minutes earlier.
I don't think it is right to single out MacUpdate. They still provide a valuable service to their subscribers. It is just that they use adware wrappers to increase that (relative) value.
You can't even suggest direct links or even Mac App Store links to avoid adware either. Developers have access to the same server logic and adware networks and some of them use it. The really clever ones publish apps in the Mac App Store, then use Apple's own policies as an excuse to post a URL (conveniently hosted by Apple) to an updated version of the app that installs adware.
This is the finish line in the "race to the bottom".