Is downloading from the developer’s site safe?
Published June 29th, 2015 at 9:16 AM EDT, modified June 29th, 2015 at 9:18 AM EDT
You should only download software directly from the site of the developer who created the software. This has been a bit of standard advice given by security people like myself when trying to help people understand what to download and what not to download. It’s good advice, right? Well… mostly, but not entirely, unfortunately.
In general, this is still good advice. If you want to download Adobe Flash Player, for example, you should only download it from Adobe’s web site. You should avoid download aggregation sites (sites that try to gather lots of software downloads in one place), such as CNET’s Download.com and Softonic, which may wrap other people’s software in adware installers. You should never download from piracy sites (like PirateBay) or illegal torrents, which are not only illegal and unethical, but are also like playing a game of Russian Roulette with your computer.
But can we necessarily trust software simply because it comes directly from the developer’s site? Unfortunately, the answer is no. Consider, for example, the case of the formerly popular FTP client FileZilla. The official FileZilla download, from the official FileZilla site, has been known to install adware for some time. Last month, FileZilla was installing the junkware app MacKeeper and a variant of the InstallCore adware. Currently, it installs MacKeeper along with the infamous PremierOpinion spyware.
FileZilla, unfortunately, is not alone. For example, at one point, the Avast anti-virus software included an adware component that was turned on by default. Fans of the MPlayerX video player have to contend with an official installer that installs adware and junkware. The popular torrent apps µTorrent and Vuze currently install the Spigot adware. The music library organization app TuneUp, which has been implicated in the installation of adware in the past, is currently also installing Spigot. All of these are merely examples of apps downloaded directly from the developer’s site that are installing adware or junkware payloads.
So, how is the average person to know what is safe to download and what is not? Unfortunately, it’s becoming harder to do. The advice to restrict yourself to downloading only from the developer’s site is still good, but it’s important to keep in mind that not all developers are trustworthy. Some developers are increasingly turning to adware as a means for earning money from free software, and this is not always limited to small-time developers.
First, research the app you want to download carefully. If you do some Googling for the app’s name plus the word “adware,” or the word “malware,” you’ll probably have a good chance of turning up any reports of issues if there are any. You’ll need to pay careful attention, though, since a search for “Adobe Flash Player malware” will turn up countless results, but those issues are mostly related to malware imitating Flash, not the official Flash download from Adobe.
If you don’t turn up any reports of problems, start with the download from the official site, but pay close attention to what you have downloaded. An app that installs by simply dragging it to the Applications folder is probably more trustworthy than one that requires an installer, though that’s certainly not a hard-and-fast rule. One that requires an installer is less trustworthy, because an installer may put adware or junkware on your system, but of course not all installers are bad.
Another thing that you can do to check an installer is to submit the .dmg or .zip file downloaded from the developer’s site to VirusTotal. If it’s known adware or malware, one or more of the anti-virus engines used by VirusTotal will flag it as such. Of course, VirusTotal is far from foolproof. It may not detect something that has never been seen, and a detection on the part of only one anti-virus engine could be a false positive, so take the results with a grain of salt.
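As an added illustration (not part of the original post), the following Python sketch hashes a downloaded .dmg or .zip and applies the caution described above to a VirusTotal-style report: no detections is not proof of safety, and a single detection may be a false positive. It assumes the report follows the layout of VirusTotal's v3 file report (`data.attributes.last_analysis_results`); the engine names, detection labels, verdict names and thresholds are constructed for the example.

```python
import hashlib

def sha256_file(path, chunk_size=1 << 20):
    """Hash a downloaded .dmg/.zip in chunks so large images need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(report):
    """Turn a parsed file report into a cautious verdict plus the detections.

    `report` is the parsed JSON of a file report, or None when the service
    has never seen this hash. Verdict names and thresholds are assumptions.
    """
    if report is None:
        return ("unknown", [])            # never seen: tells you nothing yet
    results = report["data"]["attributes"]["last_analysis_results"]
    hits = sorted(
        (engine, r.get("result") or "")
        for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )
    if not hits:
        return ("no-detections", [])      # not proof that the file is safe
    if len(hits) == 1:
        return ("single-detection", hits) # could be a false positive
    return ("flagged", hits)              # several engines agree

def make_report(results):
    """Wrap per-engine results in the assumed report layout (constructed data)."""
    return {"data": {"attributes": {"last_analysis_results": results}}}

# Constructed sample reports; engine names and labels are placeholders.
SAMPLE_ONE_HIT = make_report({
    "EngineA": {"category": "malicious", "result": "Adware.Example.A"},
    "EngineB": {"category": "undetected", "result": None},
})
SAMPLE_MULTI = make_report({
    "EngineA": {"category": "malicious", "result": "Adware.Example.A"},
    "EngineB": {"category": "suspicious", "result": "PUA.Example"},
    "EngineC": {"category": "undetected", "result": None},
})

if __name__ == "__main__":
    for name, rep in [("never seen", None), ("one hit", SAMPLE_ONE_HIT),
                      ("multi", SAMPLE_MULTI)]:
        print(name, "->", triage(rep))
```

Looking up the hash from `sha256_file` first avoids re-uploading a file the service already knows; the detection labels returned by `triage` show whether engines are reporting adware or something else.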
Once you have decided to try an installer, pay close attention to the installation steps. If there is any kind of third-party “offer,” such as the “Yahoo! Search” offer shown at right, be extremely suspicious. In some cases, you can opt out of these special offers by unchecking boxes or clicking a “Skip” button, but this is unreliable. Some adware installers will still install things even if you try to opt out, but are more sneaky about it.
My personal recommendation, if you see that an installer wants to install something you don’t want, is to force-quit the installer immediately. (Press command-option-esc to open the Force Quit window, select the installer app, then click the Force Quit button.) Unfortunately, it may still be too late. In such cases, it would also be a good idea to scan your computer with AdwareMedic to be sure nothing sneaky was installed.
Of course, even better would be to restrict your downloads to Apple’s App Store. That’s certainly no guarantee of quality, but the sandboxing enforced on App Store apps at least provides assurance that you’ll be able to easily remove the app if it turns out to be bad. (Folks may object to this statement, based on previous news relating to vulnerabilities that could be exploited from App Store apps. However, Apple has fixed the issues with the App Store that allowed such apps to be approved in the first place.)