{"id":12720,"date":"2015-11-04T13:54:51","date_gmt":"2015-11-04T18:54:51","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=12720"},"modified":"2016-05-24T12:51:00","modified_gmt":"2016-05-24T16:51:00","slug":"macupdate-adware-installers","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2015\/11\/04\/macupdate-adware-installers\/","title":{"rendered":"MacUpdate Adware Installers"},"content":{"rendered":"<p><a href=\"https:\/\/blog.malwarebytes.org\/news\/2015\/11\/has-macupdate-fallen-to-the-adware-plague\/\">Thomas Reed<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/blog.malwarebytes.org\/news\/2015\/11\/has-macupdate-fallen-to-the-adware-plague\/\">\r\n<p>Following Mr. Urdaneta&rsquo;s hints, I sought out the Skype page on the MacUpdate site and downloaded the app. The result was a file named Skype Installer.dmg, which seems legit on first glance. However, opening this disk image file results in a MacUpdate installer, very similar to the adware-riddled custom installers used by sites like Download.com and Softonic.<\/p>\r\n<p>Sure enough, when running this installer, it will display a license agreement that the user is likely to click right past, giving the installer the right to change the browser&rsquo;s settings and install a &ldquo;Search-Assist&rdquo; browser extension[&#8230;]<\/p>\r\n<p>This is behavior exhibited by many adware installers these days, and this particular license agreement is identical to the ones being used by the InstallCore adware. And sure enough, once the installer is finished, an InstallCore browser extension ends up installed in Safari[&#8230;]<\/p>\r\n<\/blockquote>\r\n<p>I download from MacUpdate all the time and had never seen this. 
However, I found that the <a href=\"https:\/\/www.macupdate.com\/app\/mac\/10700\/firefox\/\">Firefox<\/a> (Stable Version 41.0) download mentioned <a href=\"https:\/\/blog.malwarebytes.org\/news\/2015\/11\/has-macupdate-fallen-to-the-adware-plague\/#comment-2339517854\">in the comments<\/a> does download a &ldquo;MacUpdate Installer&rdquo; rather than the normal Firefox. The <a href=\"http:\/\/www.macupdate.com\/app\/mac\/21711\/1password\">1Password<\/a> download is also not the actual 1Password. This only happens when I&rsquo;m not logged into the site.<\/p>\r\n<p>In contrast, the <a href=\"http:\/\/www.macupdate.com\/app\/mac\/9116\/spamsieve\">SpamSieve<\/a>, <a href=\"http:\/\/www.macupdate.com\/app\/mac\/726\/bbedit\">BBEdit<\/a>, and <a href=\"http:\/\/www.macupdate.com\/app\/mac\/16009\/marsedit\">MarsEdit<\/a> downloads are pristine even when I&rsquo;m logged out. It looks like the installers are being downloaded from macupdatefiles.com, whereas the others are direct from the developers&rsquo; sites. So perhaps this has to do with the (seemingly removed) option where the developer could opt in (I think&mdash;it might have been opt out) to having MacUpdate host the downloads. I&rsquo;ve always had that box unchecked for my apps.<\/p>\r\n<p>Update (2015-11-06): <a href=\"http:\/\/forums.macrumors.com\/threads\/has-macupdate-fallen-to-the-adware-plague.1934649\/#post-22196533\">Weaselboy<\/a>:<\/p>\r\n<blockquote cite=\"http:\/\/forums.macrumors.com\/threads\/has-macupdate-fallen-to-the-adware-plague.1934649\/#post-22196533\"><p>If you look in the user reviews on the site for Skype there is some discussion of this issue and a comment from the site&rsquo;s editor Joel Mueller acknowledged they are including adware with the installer. 
I have screen capped some excerpts here.<\/p><\/blockquote>\r\n<p>Update (2015-11-16): <a href=\"https:\/\/twitter.com\/johnbrayton\/status\/665916528710123520\">John Brayton<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/twitter.com\/johnbrayton\/status\/665916528710123520\"><p>MacUpdate is adding adware to more apps. Cyberduck is the latest.<\/p><\/blockquote>\r\n<p>Update (2015-11-29): <a href=\"https:\/\/blog.cyberduck.io\/2015\/11\/17\/mind-the-adware\/\">David Kocher<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/blog.cyberduck.io\/2015\/11\/17\/mind-the-adware\/\">\r\n<p>We therefore urge users to refrain from downloading <em>Cyberduck<\/em> from download sites such as <tt>download.com<\/tt>, <tt>softonic.com<\/tt> or <tt>macupdate.com<\/tt> which are or have in the past distributed adware (advertising-supported installers) <strong>without<\/strong> our consent.<\/p>\r\n<\/blockquote>\r\n<p>Update (2015-12-08): <a href=\"http:\/\/www.macupdate.com\/app\/mac\/25879\/pixelmator\">Pixelmator<\/a> and <a href=\"http:\/\/www.macupdate.com\/app\/mac\/24590\/skim\">Skim<\/a> now have MacUpdate installers.<\/p>\r\n<p>Update (2016-01-20): <a href=\"http:\/\/adamchandler.me\/blog\/2016\/01\/20\/what-happened-to-mac-update\/\">Adam Chandler<\/a>:<\/p>\r\n<blockquote cite=\"http:\/\/adamchandler.me\/blog\/2016\/01\/20\/what-happened-to-mac-update\/\">\r\n<p>Today, I was downloading the Time Lapse Encoder tool to assemble some photos I took with the GoPro and I was greeted with an installer DMG that wasn\u2019t the one the developer used. 
It was some strange package with a MacUpdate logo and a prompt to install Yahoo extensions and make Yahoo my homepage.<\/p>\r\n<\/blockquote>\r\n<p>Update (2016-04-10): <a href=\"http:\/\/www.splasmata.com\/?p=3071\">Keith Gugliotto<\/a>:<\/p>\r\n<blockquote cite=\"http:\/\/www.splasmata.com\/?p=3071\">\r\n<p>What matters right now, though, is\u00a0if you read between the lines, MacUpdate\u00a0isn\u2019t\u00a0planning\u00a0to do anything about how some folks\u00a0out there may experience\u00a0that dreadful shiver I mentioned earlier when they\u00a0perceive\u00a0PUA.OSX.InstallCore is\u00a0a bona fide threat to their data, identity, and finances. \u00a0Causing users any kind of distress is not cool with us.<\/p>\r\n<p>I\u2019m gonna throw\u00a0[<a href=\"http:\/\/www.macintouch.com\/readerreports\/security\/topic4743-013.html\">this link<\/a>] into the mix. Search for \u201cMacUpdate\u201d on that page and you\u2019ll find it occurs 82 times, with some pretty clear indications\u00a0this\u00a0isn\u2019t just\u00a0our imagination\u00a0\u2013 others aren\u2019t really taking to MacUpdate Installer, either. \u00a0Alarm, disgust, distrust. \u00a0All reactions you want associated with your brand, right?<\/p>\r\n<p>[\u2026]<\/p>\r\n<p>Here\u2019s hoping MacUpdate updates MacUpdate Installer so that it doesn\u2019t trip alarms in common malware scanners, or they get in touch with those malware scanner developers to see if they can prevent MacUpdate Installer from being called out as truly infected.<\/p>\r\n<\/blockquote>\r\n\r\n<p>Update (2016-05-24): MacUpdate started using their installer for my DropDMG app but stopped when I asked.<\/p>","protected":false},"excerpt":{"rendered":"<p>Thomas Reed: Following Mr. Urdaneta&rsquo;s hints, I sought out the Skype page on the MacUpdate site and downloaded the app. The result was a file named Skype Installer.dmg, which seems legit on first glance. 
However, opening this disk image file results in a MacUpdate installer, very similar to the adware-riddled custom installers used by sites [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[284,354,154,279,30,1308,504,207,103,372,96],"class_list":["post-12720","post","type-post","status-publish","format-standard","hentry","category-technology","tag-1password","tag-advertising","tag-bbedit","tag-firefox","tag-mac","tag-macupdate","tag-malware","tag-marsedit","tag-safari","tag-spamsieve","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/12720","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=12720"}],"version-history":[{"count":10,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/12720\/revisions"}],"predecessor-version":[{"id":14628,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/12720\/revisions\/14628"}],"wp:attachment":[{"href":"https:\
/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=12720"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=12720"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=12720"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}