Follow The Safe Mac on Twitter to stay advised of the latest Mac security news!
Posted on July 6th, 2014 at 8:45 AM EDT
A reader brought a new piece of adware to my attention last week, called MacDeals. This adware appears to be fairly simple, consisting of nothing more than Chrome and Firefox extensions. More interesting than the adware (which I have added to my Adware Removal Tool) is the distribution method.
This adware is distributed through the datafilehost file sharing site. This site appears to allow you to upload files, then give people links to this file so they can download it. (I see no capacity for searching the site… downloads appear to be by referral with a hard link only.)
I uploaded a small test file, called “untitled text.txt”, and then tried to use the link to download the file. Note, as shown at right, the checkbox offering a download manager.
Clicking the Download button resulted in a file named “untitled text.dmg” being downloaded. This disk image file contained an application named “Downloader” with a datafilehost logo. Opening that application revealed something looking like an installer, offering first to download the file, then offering to install MacDeals (with no opt out options).
MacDeals ends up being installed in Firefox and/or Chrome (depending on which you have installed). There appears to be no corresponding Safari extension that gets installed, and no files appear to be installed elsewhere on the computer. Interestingly, these extensions already appear to be identified as a variety of different malware/adware programs on VirusTotal. (See the results for the MacDeals Chrome extension and the MacDeals Firefox extension.)
In addition to installing MacDeals, the downloader also created a file named “untitled test.txt” on my desktop. One would imagine that this file would be the original file that I uploaded. One would be wrong. The file ended up being an HTML file, not containing anything from the single short line of text that uploaded file had originally contained. A .zip file downloaded in the same manner suffered the same unpleasant fate. None of the downloads from this scam site appear to be functional.
It would appear that the entire purpose of this site is to distribute adware. Unfortunately, this isn’t particularly unusual these days. Most file sharing sites – which are mostly used for illegal purposes, such as software piracy – are actively involved in the distribution of adware, or even malware. As such, stealing software or other media (music, movies, etc) has become an extremely hazardous pastime. I strongly advise avoiding such activities entirely – if not for reasons involving ethics, for your own safety!