Posted on October 29th, 2013 at 8:41 AM EDT
Download.com has been accused of unethical behavior in the past. In particular, they have been known to insert their own adware into downloaded installers, contrary to the wishes (and without the knowledge) of the developers whose software is being hijacked. This so angered Fyodor, the developer of the open source network mapping tool Nmap, that he sent a strongly worded e-mail to a security mailing list, leading to CNET being widely reviled by the developer community. Unfortunately, I have just found hard evidence that these practices are continuing, almost 2 years later, with Mac downloads.
This was first brought to my attention by a post on the Apple Support Communities, in which it was discovered that a number of new browser extensions were added following the install of a program that had been downloaded from Download.com. Upon downloading that file and opening it in a test system, I found that it behaved exactly as I suspected.
The program that brought this issue to my attention is called X Lossless Decoder (aka XLD), an open-source app for dealing with a number of lossless audio file formats. If you download the app from download.cnet.com, however, you will end up with a cryptically named disk image file that does not seem to have any relation to the program in question. Opening the disk image shows nothing but an app named CNET-Installer.
Right away, this is something that I wouldn’t normally touch with a ten-foot pole. However, since it was a test system and I didn’t really have anything to fear, I opened it. The window that opened would have alleviated my concerns slightly, if I didn’t know better, since it did mention the app that I had gone looking for:
The next screen, though, should raise some serious red flags… assuming that you don’t do what most people do and simply click past the terms and conditions without reading them.
If you read those terms, you will notice that they ask you to agree to the installation of a number of different undesirable programs, as well as changes to your search engine and home page.
After finishing with the installation, all that happens is that the XLD disk image is downloaded and opened.
This, of course, could have been achieved in one simple step, without the nonsense of the junk-filled installer, by simply downloading the disk image straight from the XLD website. A legitimate download site would have simply provided a link to that disk image, or a mirrored (and unmodified) copy.
At this point, I opened Safari, and discovered that it had no less than four new extensions installed!
All four of these extensions – Searchme, the Amazon and Ebay shopping extensions, and Slick Savings – were installed by the CNET installer. None of them are included in the official XLD download.
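The manual check above (open Safari, look at Preferences > Extensions) can be done as a before/after comparison when testing an untrusted installer on a throwaway system. The script below is an added example, not code from the original post or from CNET or XLD; it assumes Safari's classic extension folder, ~/Library/Safari/Extensions, holding one .safariextz file per extension, and it runs against constructed sample directories so it works offline.

```python
"""Snapshot-and-diff check for Safari extensions around an untrusted installer."""
import hashlib
import tempfile
from pathlib import Path

# Assumed default location of classic Safari extensions (one *.safariextz per extension).
SAFARI_EXT_DIR = Path.home() / "Library" / "Safari" / "Extensions"


def snapshot(ext_dir):
    """Map each extension file name to its SHA-256 so replaced files are caught too."""
    snap = {}
    for p in Path(ext_dir).glob("*.safariextz"):
        snap[p.name] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff_snapshots(before, after):
    """Return extensions added, removed, or changed between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(n for n in set(before) & set(after) if before[n] != after[n])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed sample: one pre-existing extension, then four dropped by a bundled installer.

    File names below are constructed for illustration; only the four extension
    names come from the post.
    """
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = Path(tmp)
        (ext_dir / "Baseline Extension.safariextz").write_bytes(b"constructed baseline")
        before = snapshot(ext_dir)
        # Simulate what the wrapper installer left behind in the test system.
        for name in ("Searchme", "Amazon Shopping", "Ebay Shopping", "Slick Savings"):
            (ext_dir / f"{name}.safariextz").write_bytes(f"constructed {name}".encode())
        after = snapshot(ext_dir)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    # For a real check: take snapshot(SAFARI_EXT_DIR) before and after the install.
    for kind, names in demo().items():
        print(f"{kind}: {names or 'none'}")
```

On a real test system, call snapshot(SAFARI_EXT_DIR) before and after running the installer and pass the two results to diff_snapshots.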
After making this discovery, a little searching turned up the fact that I’m not the only one who has noticed, and XLD is not the only app being used for these nefarious purposes. Derek Currie has also documented the same behavior with a copy of A Better Finder Rename.
I have been hearing about these issues with Download.com for a couple of years now, and had been told that Mac apps had been affected. However, this is the first time that I have actually located a sample – and not just one, but two! This suggests to me that CNET may be ramping up their efforts to earn dirty money using someone else’s software, just as Softonic has done recently.
I would strongly advise boycotting not only Download.com, but all CNET sites. Actually, boycott may be too light a word, since that usually implies a temporary action, taken until the behavior of the company being boycotted changes. However, CNET has shown a history, over several years, of repeatedly doing this kind of thing. They will stop inserting their adware into a particular download when people yell loudly enough, but they evidently aren’t learning any lessons from the repeated criticism. Given that failure to learn and change their behavior, I personally wouldn’t go back to any CNET sites, and will no longer recommend them to anyone. (Which is truly unfortunate, since I have a trusted friend who writes for CNET.)
October 29, 2013 @ 9:20 am: Less than an hour after I wrote this, I have learned that many other apps are being treated the same way on Download.com, including Sophos and ClamXav. Sounds like it may not be very difficult to find affected apps! If you know of other apps that have been affected, please post a comment to let folks know.