OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Is downloading from the developer’s site safe?

Published June 29th, 2015 at 9:16 AM EST , modified June 29th, 2015 at 9:18 AM EST

You should only download software directly from the site of the developer who created the software. This has been a bit of standard advice given by security people like myself when trying to help people understand what to download and what not to download. It’s good advice, right? Well… mostly, but not entirely, unfortunately.

In general, this is still good advice. If you want to download Adobe Flash Player, for example, you should only download it from Adobe’s web site. You should avoid download aggregation sites (sites that try to gather lots of software downloads in one place), such as CNET’s Download.com and Softonic, which may wrap other people’s software in adware installers. You should never download from piracy sites (like PirateBay) or illegal torrents, which are not only illegal and unethical, but are also like playing a game of Russian Roulette with your computer.

FileZilla iconBut can we necessarily trust software simply because it comes directly from the developer’s site? Unfortunately, the answer is no. Consider, for example, the case of the formerly popular FTP client FileZilla. The official FileZilla download, from the official FileZilla site, has been known to install adware for some time. Last month, FileZilla was installing the junkware app MacKeeper and a variant of the InstallCore adware. Currently, it installs MacKeeper along with the infamous PremierOpinion spyware.

TuneUp installer

TuneUp installer

FileZilla, unfortunately, is not alone. For example, at one point, the Avast anti-virus software included an adware component that was turned on by default. Fans of the MPlayerX video player have to contend with an official installer that installs adware and junkware. The popular torrent apps µTorrent and Vuze currently install the Spigot adware. The music library organization app TuneUp, which has been implicated in the installation of adware in the past, is currently also installing Spigot. All of these are merely examples of apps downloaded directly from the developer’s site that are installing adware or junkware payloads.

So, how is the average person to know what is safe to download and what is not? Unfortunately, it’s becoming harder to do. The advice to restrict yourself to downloading only from the developer’s site is still good, but it’s important to keep in mind that not all developers are trustworthy. Some developers are increasingly turning to adware as a means for earning money from free software, and this not always limited to small-time developers.

First, research the app you want to download carefully. If you do some Googling for the app’s name plus the word “adware,” or the word “malware,” you’ll probably have a good chance of turning up any reports of issues if there are any. You’ll need to pay careful attention, though, since a search for “Adobe Flash Player malware” will turn up countless results, but those issues are mostly related to malware imitating Flash, not the official Flash download from Adobe.

If you don’t turn up any reports of problems, start with the download from the official site, but pay close attention to what you have downloaded. An app that installs by simply dragging it to the Applications folder is probably more trustworthy than one that requires an installer, though that’s certainly not a hard-and-fast rule. One that requires an installer is less trustworthy, because an installer may put adware or junkware on your system, but of course not all installers are bad.

Another thing that you can do to check an installer is to submit the .dmg or .zip file downloaded from the developer’s site to VirusTotal. If it’s known adware or malware, one or more of the anti-virus engines used by VirusTotal will flag it as such. Of course, VirusTotal is far from foolproof. It may not detect something that has never been seen, and a detection on the part of only one anti-virus engine could be a false positive, so take the results with a grain of salt.

FileZilla installerOnce you have decided to try an installer, pay close attention to the installation steps. If there are any kind of third-party “offers,” such as the “Yahoo! Search” offer shown at right, be extremely suspicious. In some cases, you can opt out of these special offers by unchecking boxes or clicking a “Skip” button, but this is unreliable. Some adware installers will still install things even if you try to opt out, but are more sneaky about it.

My personal recommendation, if you see that an installer wants to install something you don’t want, is to force-quit the installer immediately. (Press command-option-esc to open the Force Quit window, select the installer app, then click the Force Quit button.) Unfortunately, it may still be too late. In such cases, it would also be a good idea to scan your computer with AdwareMedic to be sure nothing sneaky was installed.

Of course, even better would be to restrict your downloads to Apple’s App Store. That’s certainly no guarantee of quality, but the sandboxing enforced on App Store apps at least provides assurance that you’ll be able to easily remove the app if it turns out to be bad. (Folks may object to this statement, based on previous news relating to vulnerabilities that could be exploited from App Store apps. However, Apple has fixed the issues with the App Store that allowed such apps to be approved in the first place.)

Tags: , , , , , ,

34 Comments

  • El Aura says:

    You forgot one thing: Subscribe to the RSS feed of The Safe Mac to be informed about ‘popular’ apps with known bad behaviour. 😉
    Seriously, I’ve learned about MPlayer’s shenanigans from your site.

    What I have always worried about is somebody hacking the web servers of small ‘hobby’ developers (which might not have updated their app(s) in a long time and might equally not put much work into their websites). If the malware author is careful and manages to stay under the radar, this is almost impossible to protect against. And if an application requires the entry of a an admin password during installation or when first run, this should be a warning sign but then there are many applications that need an admin password for legitimate reasons. Of course, if the malware author then deploys known malware on the end-user’s computer, anti-virus software there should be able to pick it up and anti-virus software running on the web server should also be able to pick things up.

    • Thomas says:

      The admin password isn’t really a good indicator. As you say, many programs – including my own AdwareMedic – will request it for legit purposes. In addition, many adware and malware programs don’t actually ask for an admin password, and content themselves with infecting just the current user account. In many cases, that current user account is the only account on the machine anyway.

  • Paul Collins says:

    What about MacUpdate? I’ve used it for many years to research and download software. Its a good tool for determining the quality of software from reviews. Although not as strict as the Mac App Store, it is a way to filter against malware. They accept advertising, but listings do not require payment. MacUpdate is nothing like the aggregators you mention. (full disclosure, I listed an app there 5 years ago).

    • Thomas says:

      MacUpdate seems to be fine. I’ve never heard of MacUpdate wrapping anyone’s software in adware installers. That doesn’t mean that it could never happen, but they do seem to be an exception to the “no download aggregation sites” rule.

      • goodinuf says:

        Also MacUpdate has developer links on its software pages.

      • Al Varnell says:

        And there are even some developers who use MacUpdate exclusively to distribute their software. When you go to the developer’s site and click on Download you end up on MacUpdate.

    • Sacha says:

      Yeah, I thought the same thing. I use MacUpdate all the time to take advantage of their great deals and bundles and I’ve never even heard of them installing malware. But I did a bit of research and it turns out there are some reports of MacUpdate distributing malware that steals BitCoins. I’m not sure how accurate the information is though. Check out the full article at http://www.antivirus-blog.com/news/mac-malware-distributed-via-download-com-macupdate-com/

      • Thomas says:

        That was simply a case of a hacker uploading trojans in the guise of legit apps, which anyone could do at any time. That doesn’t make MacUpdate complicit in the hacking.

  • ng says:

    I started questioning every piece of software that I download these days. Just a while ago, I installed VLC. That’s cool, no harm. But after reading some articles on your site, getting some insight not about anything but specifically about software incredibility, and doing some web search, I have been suspicious about the content I have been getting myself. I am not a big movies fan, I do not pirate them, but from time to time I get some from friends etc. And it hit me, the very same movie file I got, might be as well infected by some malicious code. My search showed me that injecting some code to a container like .mkv is hard yet not impossible. So, if there is a vulnerability in the player itself, there is a high chance that it might infect my mac too.
    The point is, it came to a point that there is too much data, too much variables. The only way to be really safe is the edge of paranoia.
    – Use programs that come with the original OS, AS MUCH AS POSSIBLE (instead of VLC, use Quicktime, yet it cannot play .mkv for instance)
    – Do not pirate (that goes without saying, but not enough)
    – Do not get files from people who pirate (so i must ask them “hey is this your rip from the original disc or pirated it)
    – Do not even log in to pirating sites
    Bottomline, do not rely on information coming from others.

    So.. I will listen to Paranoid by Black Sabbath and say that, life ain’t easy man.

    Cheers.

  • Mint says:

    If I installed Filezilla a long time ago, should I be worried? Also, any suggestions on replacements?

    • Thomas says:

      I wouldn’t be worried unless you have had adware-like symptoms. If you have, it would be worth checking for adware.

      As for FileZilla replacements, CyberDuck is a good one, or if you’re willing to spend some money, Transmit is truly excellent, and is the one I use for uploading to my own sites.

  • Anonymous says:

    One should look at the contents of a pkg installer before installing it. Installer->File->Show Files. While this doesn’t give you a good idea of what the installer does with its post install scripts, still, you can spot most issues (e.g., you can probably spot files that clearly belong to adware). A helpful QuickLook plugin is Suspicious Package. (brew cask install suspicious-package)

    • Anonymous says:

      By the way, here is the official website of Suspicious Package, if you don’t use brew cask: http://www.mothersruin.com/software/SuspiciousPackage. It also shows you the scripts, in case you want to read through, but usually inspecting the files are enough.

    • Thomas says:

      Not a bad suggestion, but it may be a bit beyond the average person.

      • Anonymous says:

        Well, the average person is also not suspicious of pkg installers downloaded from developer sites 😉 I think the point is that since we don’t install software everyday, it’s certainly worthwhile to spend a little bit of time enforcing the basic safety measures, if we are at all concerned about security. Reading filenames is not hard, and I suppose it does catch some malware (this is just a hypothesis, since I never actually inspected any malware-bearing packages; and I’m sure over time malware writers will get smarter).

      • Rtrfks says:

        I’ll run Suspicious Package on itself. Now that’s paranoia 🙂

  • Peter says:

    I ran Filezilla recently and it told me there was an update for it – the software checks and then gives me the option to download. I let it run before I saw your warning here. Is that likely to install something other than Filezilla, or is it just the update itself?

    The dmg file seems to only have 1 thing in it, the Filezilla app, but then I may not be looking at the right thing and making a wrong assumption.

    • Thomas says:

      I’m not actually sure what the update will do. However, I don’t trust the developers of FileZilla at this point, so would recommend jettisoning it in favor of an FTP client from a more ethical developer.

      • Peter says:

        Crikey! I’d hoped that because the update was a file and not an installer that I was in the clear. Thanks, Thomas, your site is one I’ve been following since I purchased my first Mac and it’s very helpful!

  • ng says:

    Regarding Filezilla.
    Sometime ago, I removed it by:
    1. Trashing the app under Applications
    2. Clearing the trash
    3. Finding the remnants of the app under ~/.config
    (There is a folder named filezilla which contains more data)
    4. rm -rf filezilla/

    But still.. Could there be any other hidden files in some other corners of my OS, not sure.. That is all I could find by now.

    Note: From the Filezilla developer(s) in the official site:
    “This installer may include bundled offers.”

    • Matthew says:

      If in doubt, you should do a scan with Thomas’ own AdwareMedic application: http://adwaremedic.com/index.php.

      • ng says:

        I do that regularly.
        @Thomas: I’ll get a bit off topic here. Do you really think it is possible to inject malicious code into movie containers like .mkv, considering the popularity of piracy and the software which runs it (like VLC, Gom etc.)?

        • Thomas says:

          Doing so would require exploiting a vulnerability in some movie player. That’s much harder than just tricking someone into downloading and installing a “movie player” app, or downloading and opening an app disguised as a .mkv file.

          • ng says:

            I thought so as well. But apparently it is still doable, the odds are there.
            Thanks Thomas.
            Cheers.
            ng

  • eric says:

    there was a comment about VLC.VLC is a awesome player and love it on my mac.please download VLC ONLY from the official site.the player is so popular that other sites bundle garbage with it.

    • Sacha says:

      Yeah, VLC is good. The official site is http://www.videolan.org/vlc/index.html

    • Baffled says:

      I’ll never understand how other people think. This entire page/entry is about how even if you ONLY download from the developer’s site (the “official site”), you’re NOT necessarily safe!

      You’re making the assumption that just because VLC Player was safe to download from the developer’s site in the past, it will be safe to download forever and ever and ever. Instead of telling people how VLC is awesome and they should go download it, and simply giving them the exact blanket advice that this article cautions against giving, you should tell people that you recommend VLC and it has a good reputation but anyone wishing to download it needs to pay close attention to what they’re installing, and research the app before installing it as this article suggests (because no software is immune and malware could be added at any time in any number of ways).

  • Garrett says:

    thank u so much for making AdwareMedic cuz it got rid of invisable files that i couldnt find with finder or my antivirus software thnx so much for this great software!!!

  • leftblank15 says:

    Like you pointed-out, before:
    Java may install adware. To try to turn the adware in Java “off”, you may have to check the last checkbox in its System Preferences pane .

    • Al Varnell says:

      That would certainly be possible, but it hasn’t occurred since the Flashback era in the Spring of 2012. I assume you are referring to disabling Java content in the browser, which is almost always a good idea? For current OS Xs that is done in the Java Control Panel’s Security tab and it’s the first checkbox there. It can also be controlled on a site by site basis in the Safari Preferences->Security->Plug-in Settings… button.

  • @elias says:

    To prevent third Party Offers in Java you should activate it in the Advanced Settings. See Link
    https://java.com/en/download/faq/disable_offers.xml

    • Al Varnell says:

      Ah yes, that old thing.
      Oracle suspended the program shortly after it started, but they could easily re-institute it at any time, so checking that box would be a good idea.

  • dr u says:

    Thomas, is the issue partially the fault of sourceforge?

    They have been taking open source projects & bundling them with adware just like the other download aggregator services. I have to wonder if it is because FileZilla appears to host downloads on Sourceforge.

This post is more than 90 days old and has been locked. No further comments are allowed.