MPlayerX adware behaving like malware!
Published May 11th, 2015 at 4:38 PM EST , modified May 23rd, 2015 at 10:01 AM EST
MPlayerX has long been used as “bait” to convince people to run adware installers. Most of the time, MPlayerX is installed along with the adware to (somewhat) disguise the fact that anything else was installed. However, it now appears that the folks behind MPlayerX are definitely in on the scam. Worse, the installer is now displaying malware-like behavior, by trying to foil analysis!
Malware has used many tricks to foil analysis over the years. One such trick in the news right now is the Rombertik malware on Windows, which will erase files on the hard drive (including an attempt to damage system files) if it thinks it’s being tampered with.
A more common trick, though, is to simply act normal. Malware that detects that it is being run in a virtual machine, for example, will not display any malicious behaviors. This is done because malware researchers often run malware in a virtual machine, because this isolates the malware and makes it easy to store the system’s infected state for later reference or revert the system to a previous state.
A new MPlayerX installer, this time available directly from the MPlayerX website, is exhibiting exactly this behavior. When run on a “real” computer, the installer goes through a “Configure” phase in which it offers a Yahoo Search extension (adware), a copy of MacKeeper and a copy of ZipCloud. This is not particularly new, and has been described here before, although never with an installer downloaded directly from the MPlayerX site.
When run in a virtual system in Parallels, however, this installer skips over the Configure phase entirely! No adware or third-party junk software is offered or installed. The end result is that it behaves exactly like one would expect a normal MPlayerX installer to work… it just installs MPlayerX.
The adware that this app installs takes the form of a “Jeff Kekko” browser extension, supposedly made by someone named Jeffrey Kekkonen. The extension itself serves only to direct searches to a specific Yahoo Search BOSS address, as described for some nearly identical adware in InstallCore adware proliferates.
This malware-like behavior has been reported to Apple’s product security team. Hopefully they’ll be on it quickly and will block this installer through XProtect.