Mac adware menace continues
Published April 7th, 2014 at 7:05 PM EST , modified April 8th, 2014 at 5:12 AM EST
Over the last couple months, I’ve seen an explosion in reports of adware infections. Just in the last four days, I have seen at least a couple dozen reports of GoPhoto infections alone. The threat of adware, a problem for Windows users for years, appears to be coming into its own on the Mac. Today, I found an adware installer that seems to be the epitome of the adware menace.
This adware was found through a FirstRow Sports site. This is the same site where I found a similar adware installer back in November of last year. On selecting a video stream, I was redirected to a very shady site:
The banner at the top of the screen looks real enough, so I clicked on it, as many users would. This resulted in the download of an application, named Mac_installer.app, with a generic Apple installer package icon. The extension, of course, was hidden to make it look more like an installer.
Running the installer brought up a generic license agreement, displayed in a window mimicking the official Apple installer:
As you can see, this seems to be an installer for something called Gophoto.it, and it also has checkboxes to agree to install Dynamicpricer and Jollywallet. Clicking Continue without making any changes caused a window to appear and disappear quickly (which, it turns out, was a separate included installer for what is being called Dynamicpricer), then the second “page” of the “installer” is shown:
This time, you’re asked to approve installation of Genieo, and clicking Continue here results in the Genieo installer opening, prompting the user to install Java, etc. The Genieo installation is the least interesting part here, as it is behaving exactly as Genieo has been behaving for some time.
At this point, once installation is done and the “installer” app quits, the test system has been quite thoroughly infected with adware. It had no less than four different adware programs installed, one of which was completely new to me. One of these was Genieo, as mentioned. Two others were Jollywallet and VSearch, aka DownLite, which is being called Dynamicpricer here.
Jollywallet is fairly straightforward. It seems to just consist of a Safari extension, which is easily removed by the user through Safari’s preferences. It even provides an uninstaller… if the user can find it, though that’s unlikely, since the disk image containing the installer and uninstaller is buried in an invisible temporary folder.
VSearch – or DownLite, or Dynamicpricer, or whatever name it seems to go by – installs a number of background processes that are hidden away where the average user isn’t likely to find them, and does not include an easy-to-remove browser extension.
Worst of all was GoPhoto, the adware that had a sudden upswing in infections several days ago. This adware consisted of the usual GoPhoto.it browser extension, installed into all three browsers: Safari, Chrome and Firefox. It is easily removed from both Safari and Chrome, but in Firefox it pulls some additional tricks that make it harder to eradicate.
What this code does I still have no idea, but you can bet it’s nothing good. It’s tucked away in a place that most users would never even think to look, and will remain there even after the user manages to successfully remove the GoPhoto.it extension.
As usual, these kinds of scams can be easily avoided by exercising caution online. If something seems to good to be true, it probably is. If something is being offered for free when other people pay for it, it’s almost certainly a scam, or worse. This kind of adware is also very commonly encountered when downloading illegal material from torrents or sites like Pirate Bay, so avoid such things not only because they are illegal and unethical, but also because they can harm your computer.
I keep pestering Apple’s product security folks about these things, and have submitted a copy of this adware installer and a description of its behavior to them. Hopefully, they will eventually decide to start blocking adware like this, in the same way they block malware with XProtect.
To remove these things, and other adware, see my Adware Removal Guide.