ChatZum discovered in another installer

Published September 4th, 2013 at 10:44 AM EST, modified September 26th, 2013 at 2:51 PM EST

I have written about ChatZum before, when it was being added to installers downloaded from Softonic. Although Softonic never admitted to doing anything wrong, other than installing the adware even when users opted out during installation, I have at least not seen any signs that this misbehavior has continued. However, ChatZum has nonetheless resurfaced, in a slightly different form, in another application’s installer.

TuneUp installer

The application in question is called TuneUp, an iTunes library manager from TuneUp Media. It has apparently been around for a while. (Although I’m not sure how long it’s been around, the blog on their web site goes back to 2008.) It has never achieved much notice in the mainstream Mac news media, to my knowledge, and reviews tend to be mixed. A recent update, however, has received mostly one-star (or less) ratings from users in places like the Mac App Store, MacUpdate and Download.com. Worse than the numerous flaws outlined in these complaints, though, is the fact that the installer now appears to include ChatZum. (A source who has used this software in the past informed me that this was not the case with the previous version.)

This time, however, the name ChatZum is not used. Instead, the software is referred to as “Nation toolbar.”

TuneUp install

By default, all the boxes shown are checked. If you compare this to a similar screenshot of the ChatZum-added VLC installer, you’ll see remarkable similarities. Further, if those boxes are left checked when installing, not only is a Nation toolbar browser extension installed, but all the ChatZum components are also installed (other than the ChatZum browser extension, which appears to have been replaced by the Nation toolbar extension).

Just as observed previously with ChatZum, opting out during installation (by unchecking the boxes, as shown in the screenshot above) does not work fully. In this case, opting out still results in the zako.plugin and uid.plist components of ChatZum being installed.

TuneUp installed Okaz

It’s unclear at this time exactly what the involvement of TuneUp is. It’s entirely possible that they are unwitting dupes, tricked into including this malware as a means of bolstering what were probably not particularly spectacular sales. They may be completely unaware of how their software is behaving, although that would not really be forgivable, as a decent developer should be intimately familiar with exactly what their installer is doing. Even in this best case scenario, as opposed to the possibility that they are actively involved with ChatZum, TuneUp Media would have to be so clueless about what they’re selling that it would be wise to avoid their product altogether.

ChatZum (also known as Zako or Okaz) is still far from universally recognized as malware by anti-virus software. Most either don’t detect it or only call it adware. However, this new development, showing a continued willingness to install their software contrary to the user’s preferences, will change that to some degree.
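
With detection this patchy, a manual check of the folders named in this post and its comments is a practical fallback. The shell functions below are an added example, not code from the original post or from any of the vendors discussed; `check_dir` and `scan_chatzum` are hypothetical names, and treating the listed file names and folders as the complete set is an assumption.

```sh
#!/bin/sh
# Added example: report leftover ChatZum / Nation toolbar components.
# File names and folders are those named in this post and its comments;
# treating them as the complete set is an assumption.

# check_dir DIR NAME...
# Print entries directly inside DIR whose name matches any NAME, ignoring
# case (the names appear with varying capitalisation on this page).
# Returns 0 if at least one entry matched, 1 otherwise.
check_dir() {
    dir=$1; shift
    [ -d "$dir" ] || return 1
    rc=1
    for name in "$@"; do
        hit=$(find "$dir" -maxdepth 1 -iname "$name" 2>/dev/null)
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            rc=0
        fi
    done
    return $rc
}

# scan_chatzum ROOT HOME_DIR
# ROOT is the volume to inspect ("" for the running system); HOME_DIR is the
# user's home directory on that volume, e.g. /Users/alice.
# Returns 0 if any component was found, 1 if the checked folders are clean.
scan_chatzum() {
    root=$1; home=$2; found=1
    # Browser plug-in folders, system-wide and per-user: plug-in plus its UID file.
    for plug in "$root/Library/Internet Plug-Ins" \
                "$root$home/Library/Internet Plug-Ins"; do
        check_dir "$plug" 'zako.plugin' 'uid.plist' && found=0
    done
    # Per-user Safari extensions: the Nation and ChatZum toolbars.
    check_dir "$root$home/Library/Safari/Extensions" \
        'NationBar.safariextz' 'ChatZumBar.safariextz' && found=0
    return $found
}

# Scan the running system by default; pass ROOT and HOME_DIR to scan elsewhere.
scan_chatzum "${1:-}" "${2:-$HOME}" ||
    echo "No ChatZum/Nation components found in the checked folders."
```

The script only reports paths and changes nothing; a clean result covers only the folders it checks.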

Updates

September 26, 2013 @ 2:48 PM EST: A new version of TuneUp is now available on the TuneUp Media web site. This version no longer uses the installer that included ChatZum, allowing users to simply drag the app to the Applications folder. They report that the installer was built for them by a third party, who added ChatZum to it.

22 Comments

  • Jay says:

    I found Nation as part of a “RAR.pkg” about a month ago. The same installer has an optional built-in installer for TuneUp. The installer for “RAR.pkg” actually listens to the user when they opt out, but it’s tricky. Out of the 3 checkboxes, if the first one is unchecked the other two grey out but remain checked. So for the user to really opt out, the boxes have to be unchecked in reverse order, starting with the last one. It installs NationBar.safariextz in Users/Library/Safari/Extensions and nowhere else (in the case of the “RAR.pkg”). Is this the same for the TuneUp installer? Though the name changed from ChatZum to Nation, it’s recognized as being part of/related to Okaz. As you said, not by many AV apps; in fact, so far Intego VirusBarrier 2013 is the only one that found it.

    • Thomas says:

      That’s exactly the same as what I’m seeing with the TuneUp installer. Where did you download that RAR.pkg file? Was it from somewhere like Softonic, or did you get it directly from the developer’s site? (In the case of TuneUp, the dodgy installer that I downloaded came straight from their web site.)

      • Jay says:

        It was submitted by a reader who didn’t mention the origin. His previous samples came from virusshare. I label all my samples with the virustotal MD5, this one is 3aa9d0d96ee2202deda7d923e5e2b9ab if that helps.

        • Thomas says:

          Ahh, that’s unfortunate. Files on sites like VirusTotal never have any information about where they came from, unless the submitter adds a comment. (Although I tend to do that, that’s pretty unusual.)

  • Mr. Blumenberg says:

    I installed TuneUp after I downloaded it from their website. The DMG info says at the «Where from» : “dvk2ozaytrec6.cloudfront.net/mac/Sparkle/…”

    I read your previous post about getting rid of ChatZum and hopefully I managed to get all involved files and deleted them – thanks to your instructions.

    [Edited URLs so they wouldn’t be clickable links]

  • Zako Support says:

    Hi,

    this is Zako support,
    we used to have a bug in the installer in Softonic where the offer was installed even if the checkbox to select the product was selected. this was corrected 2 months ago and since then the install flow works flawlessly.
    – the Chatzum toolbar is offered as optional software as part of the install flow (this is common to how all software bundles work for providing free software)
    – the installation is provided with a complete uninstaller ChatzumToolbarUninstaller.pkg (or NationToolbarUnisntaller.pkg)
    – TO BE CLEAR: the TuneUp offer screen in Softonic is an included offer that is also optional and users can choose not to install this as part of the flow.
    – if the package is performing anything that it’s not supposed to, we would be happy to be informed.
    to our best knowledge it’s all within the specification and users can choose not to have the offers installed and we have double checked to see that it works as it should.
    we are available at support@chatzum.com for any questions or comments.

    Support.

    • Thomas says:

      I do not believe you are properly informed. First, note that I did not obtain TuneUp from Softonic, I downloaded it directly from the TuneUp web site. Second, I can absolutely, with certainty, tell you that choosing not to install the toolbar still results in components of ChatZum being installed. See the screenshots in this article. This has become a pattern of behavior, and that shows, to me, that the actions of ChatZum (aka Nation) are dishonest. (Or, if not dishonest, completely incompetent… either way, this isn’t software that anyone should install on their computer!)

      Interesting that you confirm that you are still working with Softonic. That means that I must continue to recommend boycotting Softonic.

      • ab says:

        Doesn’t the tuneup installer also download & install Mackeeper ?

        • Thomas says:

          No, not in my testing.

          • ab says:

            OK, thanks – I asked, since the run.sh run from postflight provides for a conditional install of mackeeper and macpaw, but on a closer look, the tests probably aren’t met.

          • Thomas says:

            I’ve seen that sort of thing before. Another adware app that’s in a kind of ethical gray zone, Genieo, was known at one point to have code in its installers designed to download and install the Codec-M adware/malware. I never actually saw it do that, but the mere presence of the code simply adds more suspicion. Thanks for bringing that up!

    • Jay says:

      The ChatZumUninstaller.pkg actually installs software. I’d attach screenshots but I can’t. When running the uninstaller (which is recognized to be malicious software by AV products), when prompted for a password the dialog actually states “Installer is trying to install new software”. Going along with this, as soon as the ‘uninstaller’ completes I check folders such as Internet Plug-ins in the main and user library and of course ‘Zako.plugin’ is still there. In the User Library > Safari > Extensions folder I can still find ‘Nationbar.safariextz’ and ‘ChatZumBar.safariextz’. Consider yourself informed 🙂

    • Mark says:

      I can tell you that I am using a fully paid ($49) version of TuneUp so I do not expect to find bundled applications included in the installer, especially when using the “Update” option from within the previous version of the TuneUp software! Also I have now been waiting 3 days for a response from TuneUp customer service. Not a happy camper!!

  • Zako Support says:

    I propose that we share the Zako plugin code discussed and let everyone see that it’s harmless.
    the only thing this code does is to share the UID across browsers, which is stored in the uid plist file in the browser plugin folder.
    i’ll get the code shared within the hour so you can see for yourself.
    can you be clear about what it is that the installer is doing wrong?
    the flow is:
    1. download an application installer
    2. have offer screens (toolbar and non-search products) where the user can choose if he/she wants or doesn’t want the offer.
    3. installation is complete and product is launched.
    application bundles are nothing new, and help keep software free to users.

    Support.

  • Zako Support says:

    you can download the source code of the plugin from
    http://www.chatzum.com/zako.zip
    it was built using firebreath so if you want to compile it there is a great video tutorial which explains how to install and setup firebreath.
    http://www.firebreath.org/pages/viewpage.action?pageId=9699663
    i hope that this will remove any doubts about what the plugin is and does.
    Support.

  • Mark says:

    Finally I’ve had a response from TuneUp support. They confirm that the installer was written for them by Zako and that the optional Nation Toolbar is perfectly harmless. They have provided me with a link to an uninstaller for the Nation toolbar in the event that I have installed it!!

    Incidentally this response was prompted after I started posting negative comments on their Facebook page, where it seems that some people have been waiting a very long time to get any kind of reply!

  • Dave says:

    I’ve been waiting around 2 weeks. I used to love tuneup, but since the update I would not recommend it to anyone.

  • Mark says:

    A happy ending to this story for me – I’ve had a refund from Tune-Up which I’d asked for but didn’t expect to get so full marks to them for that. They did tell me that they bundled these apps in order to make the upgrade free to existing users which is such a shame and I’d rather have paid for the upgrade as I’m sure most others would have also. However since the latest update is so full of problems regardless of the Nation toolbar I won’t be using it anymore.
