MPlayerX adware behaving like malware!

Published May 11th, 2015 at 4:38 PM EDT , modified May 23rd, 2015 at 10:01 AM EDT

MPlayerX has long been used as “bait” to convince people to run adware installers. Most of the time, MPlayerX is installed along with the adware to (somewhat) disguise the fact that anything else was installed. However, it now appears that the folks behind MPlayerX are definitely in on the scam. Worse, the installer is now displaying malware-like behavior by trying to foil analysis!

Malware has used many tricks to foil analysis over the years. One such trick in the news right now is the Rombertik malware on Windows, which will erase files on the hard drive (including an attempt to damage system files) if it thinks it’s being tampered with.

A more common trick, though, is to simply act normal. Malware that detects it is being run in a virtual machine, for example, will withhold its malicious behavior entirely. Malware researchers favor virtual machines because a VM isolates the sample and makes it easy to snapshot the infected state for later reference, or to revert the system to a clean state.

A new MPlayerX installer, this time available directly from the MPlayerX website, is exhibiting exactly this behavior. When run on a “real” computer, the installer goes through a “Configure” phase in which it offers a Yahoo Search extension (adware), a copy of MacKeeper and a copy of ZipCloud. This is not particularly new, and has been described here before, although never with an installer downloaded directly from the MPlayerX site.

When run in a virtual system in Parallels, however, this installer skips over the Configure phase entirely! No adware or third-party junk software is offered or installed. The end result is that it behaves exactly like one would expect a normal MPlayerX installer to work… it just installs MPlayerX.

The adware that this app installs takes the form of a “Jeff Kekko” browser extension, supposedly made by someone named Jeffrey Kekkonen. The extension itself serves only to redirect searches to a specific Yahoo Search BOSS address, as described for some nearly identical adware in the earlier post “InstallCore adware proliferates.”

This malware-like behavior has been reported to Apple’s product security team. Hopefully they’ll be on it quickly and will block this installer through XProtect.

34 Comments

  • Patrick J. Mele says:

    Hi Thomas, a quick question: is your “AdwareMedic” going to be updated to get rid of this issue until OS X's XProtect is updated in the next go-around?

    • Thomas says:

      AdwareMedic already detects the adware installed by this app. However, it does not remove anything that isn’t actually malware, which includes the MPlayerX application. It also doesn’t do anything to prevent you from opening this installer.

    • Al Varnell says:

      I’ll let Thomas give you an exact answer, but I see that it was updated already today, presumably to include an additional Spigot browser extension. It’s important to understand that AdwareMedic will not detect any of the adware installers, only the files that they install. There are way too many of them and most also install legitimate software (e.g. MPlayerX). That’s the area that XProtect covers, keeping you from running malicious installers in the first place.

      But your best protection is to pay attention to what these installers are telling you. Almost all of them inform you of exactly what they will do and give you a way to opt-out.

  • Sacha says:

    What about the Mac App Store version?

  • fetch says:

    Could you please post hash of the installer?

    Just downloaded a fresh installer and it runs fine inside my VM (offers adware and MacKeeper). I want to test your installer and see whether it blocks my VM or only detects some specific VMs.

    • Thomas says:

      The SHA256 for the Installer executable inside the install app is:

      0b9aebad93d68cb8d5dfe8ccaf1b878a3e79e43f57a1b914f36d1391cf7476af

      • fetch says:

        It’s interesting.

        I’ve found only one DMG file on VT that contains the Installer you mentioned. All config files are encrypted, but I’ve managed to decrypt them.

        var offersInfo = {
            max_offers : 0,   // no offers configured
            vmcs : {},
            cancels : [],
            offers : []       // empty offer list
        };

        According to this info, this installer will never show you offers.

        I’ve checked the DMG file on my VM and on a real PC. It didn’t show any offers to me, nor did it install anything except the MPlayerX application.

        Could you please specify the hash of the DMG file that you checked where the installer showed you some offers?

        • Thomas says:

          Sure, the SHA256 for the DMG file (named MPlayerX-1.0.22.1.dmg) is:

          8a62217ee4f9b373415197480e167864d01482d05ff71493b15fa79a0e0ded14

          It can be found on VirusTotal. I ran the MPlayerX app on this disk image on a few different Parallels VMs, and a couple real systems. In all VMs, it made no offers, skipping the Configuration phase. On both real systems, it made the offers.
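The two SHA-256 values quoted in this exchange are the only identifiers the page gives for the samples. As an added example (not code from the page, the author, or the MPlayerX project), here is a small Python triage script that hashes a downloaded .dmg, or every file inside an unpacked .app bundle, and flags anything matching those digests. The demo files it creates are constructed for the example and are not the real samples.

```python
import hashlib
import os
import tempfile

# Hashes quoted by Thomas in the comments above (the only identifiers the page gives).
KNOWN_BAD = {
    "0b9aebad93d68cb8d5dfe8ccaf1b878a3e79e43f57a1b914f36d1391cf7476af":
        "MPlayerX installer executable (inside the install app)",
    "8a62217ee4f9b373415197480e167864d01482d05ff71493b15fa79a0e0ded14":
        "MPlayerX-1.0.22.1.dmg",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_paths(root, iocs=KNOWN_BAD):
    """Hash a single file, or every regular file under a directory (e.g. an unpacked
    .app bundle), and return {path: description} for files whose digest is in iocs."""
    if os.path.isfile(root):
        candidates = [root]
    else:
        candidates = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    hits = {}
    for p in candidates:
        if os.path.islink(p):
            continue  # don't follow symlinks out of the bundle
        digest = sha256_file(p)
        if digest in iocs:
            hits[p] = iocs[digest]
    return hits


def demo():
    """Self-contained run on constructed files with a constructed IOC set."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "Installer")
        good = os.path.join(tmp, "readme.txt")
        with open(bad, "wb") as f:
            f.write(b"abc")
        with open(good, "wb") as f:
            f.write(b"hello")
        # sha256("abc") stands in for a 'known bad' digest in this demo only.
        iocs = {hashlib.sha256(b"abc").hexdigest(): "constructed test IOC"}
        hits = scan_paths(tmp, iocs)
        return {os.path.basename(p): desc for p, desc in hits.items()}


if __name__ == "__main__":
    print(demo())
    # Against a real download, for example:
    #   print(scan_paths("/path/to/MPlayerX-1.0.22.1.dmg"))
    #   print(scan_paths("/Volumes/MPlayerX/MPlayerX.app"))  # after hdiutil attach
```

For a one-off check on macOS, `shasum -a 256 <file>` gives the same digest; the script is useful when you want to sweep a mounted disk image (`hdiutil attach`) or a whole bundle, since the hash quoted for the installer is of the executable inside the install app, not of the app bundle or the .dmg.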

          • fetch says:

            Finally, I’ve found it 🙂

            The installer has a list of 6 blacklisted MAC addresses that correspond to VMware, VBox and Parallels VMs. Also it performs some other checks.

            Thanks for pointing to this issue.

          • Thomas says:

            No problem, I’m glad for the confirmation!

            I figured it might be something to do with the UUID or MAC addresses. I don’t suppose you know of any tricks to prevent this issue, by changing the UUID and MAC addresses in Parallels?
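The VM check fetch describes above (and the body's point about malware acting normal under analysis) is easy to reproduce. The following Python routine is an added example, not the installer's code: it flags a host as a likely VM when any network interface carries an OUI (the first three octets of the MAC) assigned to VMware, VirtualBox or Parallels. The OUI table is drawn from the public IEEE vendor assignments and is an assumption of this example; the six addresses fetch found are not on the page and are not reproduced here. The ifconfig excerpts are constructed, not captured from a real machine.

```python
import re
import subprocess
import sys

# Public vendor OUI prefixes used by common hypervisors (an assumption for this
# example; NOT the blacklist fetch extracted from the installer).
VM_OUIS = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:1c:42": "Parallels",
}


def normalize_mac(mac):
    """Lower-case a MAC and zero-pad each octet ('0:1c:42:a:b:c' -> '00:1c:42:0a:0b:0c')."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ":".join(p.zfill(2) for p in parts)


def vm_vendor(mac):
    """Return the hypervisor vendor for a MAC's OUI, or None if the OUI is not a known VM one."""
    return VM_OUIS.get(normalize_mac(mac)[:8])


def classify_macs(macs):
    """Map each (normalized) MAC to its VM vendor, or None for physical/unknown OUIs."""
    return {normalize_mac(m): vm_vendor(m) for m in macs}


def looks_like_vm(macs):
    """True if any interface carries a virtualization OUI. This is the kind of check an
    installer can use to skip its payload when it suspects it is being analyzed."""
    return any(v is not None for v in classify_macs(macs).values())


def macs_from_ifconfig(text):
    """Pull the 'ether xx:xx:xx:xx:xx:xx' lines out of macOS/BSD ifconfig output."""
    return [m.group(1) for m in re.finditer(r"ether\s+([0-9a-fA-F:]{17})", text)]


# Constructed ifconfig excerpts for the demo (not from a real machine).
PHYSICAL_IFCONFIG = """en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether a4:5e:60:12:34:56
\tinet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
"""
PARALLELS_IFCONFIG = """en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether 00:1c:42:ab:cd:ef
\tinet 10.211.55.4 netmask 0xffffff00 broadcast 10.211.55.255
"""

if __name__ == "__main__":
    # Pass --live to inspect the machine you are running on instead of the sample.
    if "--live" in sys.argv:
        text = subprocess.run(["ifconfig"], capture_output=True, text=True).stdout
    else:
        text = PARALLELS_IFCONFIG
    macs = macs_from_ifconfig(text)
    print("interfaces:", classify_macs(macs))
    print("looks like a VM:", looks_like_vm(macs))
```

To get past a check of this kind in the lab, give the guest an adapter MAC whose OUI is not on the hypervisor list (hypervisors generally let you edit the adapter's MAC address in the VM's network settings). As fetch notes, the installer also performs other checks, so changing the MAC alone may not be enough to make it show the offers.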

  • U.N. Owen says:

    Dear Thomas:

    Wow – I don’t know if you posted this alert based on my email to you a few days prior about this, but thanks for alerting others.

    I knew there was something truly despicable about this one – coming FROM the MplayerX site itself.

    I didn’t try to contact them and ask ‘what are you doing this for?’ (money, duh), but to do this from your own site – and then do everything you/it can to obfuscate what it is and what it will try to do?!?

    Wrong-o.

    Again, thanks from an admirer.

    • Thomas says:

      I actually had several messages, including yours, about this issue. I don’t know when it started, but based on that, I’d guess pretty recently!

  • Bryna Lee says:

    I am confused. ESET Cyber Security detected the MPlayerX but didn’t remove it. I googled and found your site as a way to get rid of the MPlayerX (which I think is the cause of lots of redirects to ad pages), but I understand from this thread that AdwareMedic does not remove it. What is really puzzling to me is that I don’t see MPlayerX in my Applications folder, so I don’t see how to get rid of it. Would you please point me in the right direction?

    • Thomas says:

      MPlayerX is not the cause of the ads and redirects, it was just the carrier of adware. If you haven’t already done so, try AdwareMedic to get rid of the adware. If you already have tried that, see:

      http://www.adwaremedic.com/kb/unsolved.php

    • Candice T. says:

      I installed MPlayerX before I read this article. At the time of install I knew enough to decline all the adware in the installer. So I have MPlayerX installed but it is *not* in my Applications folder. I’d like to erase all traces of MPlayerX now that I know the full story but I can’t trash it if it’s not in my Applications folder.

      I tried using AppCleaner but it doesn’t see MPlayerX. A spotlight search for the app finds nothing. All I can find are a couple of bundle files in:
      User / Library / Application Support / MPlayerX / bundles /

      However, when I right click on an .avi file and select Open With, MPlayerX is an option. So the MPlayerX app is somewhere on my system, but where?

  • Tom says:

    I think Avast for Mac does.

    • Jim says:

      Hi Thomas,

      I installed MPlayerX some time ago and was completely unaware of this adware issue.

      Unfortunately they are quite well aware that a great many people don’t take the precaution of checking what’s in the installer documentation and just speedily click the necessary boxes.

      Fortunately, full system scans of my Mac’s HD with Intego’s VirusBarrier and your truly excellent AdwareMedic have NOT detected anything at all of this nature, so I guess I have been very lucky to dodge this one.

      This company simply can’t be trusted by mac users any more. Their conduct has been truly despicable with them taking measures to encrypt and obfuscate the nasty stuff and avoid detection when installed on a virtual system and violating our trust in them.

      It of course goes without saying NONE of their software will ever be installed on my mac again.

      Thanks to Thomas Reed for your very informative website and excellent tech advice, Please keep up the good work and keeping us all informed about these dangers.

  • Alisa says:

    Straight from MPlayerX’s blog:

    “The other thing is that, MPlayerX will start to utilize the installer to fulfil monetization. I knew it may bring many negative comments, but honestly it is the best way to keep the developer motivated. For anyone who cares about this, please check the installer and make sure only install MPX, then it should be no difference with the old way.”

    So at least the developer is honest about this change.

    • Jim says:

      Hi Alisa,

      How on earth can you say the developer is being honest about the change?

      The very plain and simple facts are that this company has taken quite deliberate measures to encrypt the coding to obfuscate this adware, so only people with professional expertise would have any knowledge of the capabilities of this nasty crap.

      They have even gone so far as to try and conceal this even when installed on virtual machines.

      This company is very clearly abusing the trust of mac users in the full knowledge that many people simply don’t take the time to go through all the very lengthy user agreements and legal jargon that you get presented with upon the installation of software.

      Hopefully this indeed will be a lesson for all mac users to only install apps from the mac store or approved software developers.

      When this does get more publicity I do indeed hope this company finds itself receiving a vicious storm of complaints from Mac users for their quite despicable conduct.

      If the developer of this product truly wants further monetization this can be achieved by politely requesting donations or perhaps charging a small fee for the MPlayerX app.

      The simple fact is that deliberately violating the trust of mac users will only serve to permanently drive people away from this developer and all of their products.

      If, as you state, it may bring many negative comments, well then they had better be well prepared for the oncoming storm of protests and batten down the hatches.

      This software developer has quite clearly made a deliberate choice to use these reprehensible underhanded tactics.

      So be it on their own heads when they have to suffer the consequences of violating the trust of mac users.

      This

  • Mira says:

    Thank you very much for this. It’s my first time with malware / adware on a Mac and I was very grateful to be able to find the solution easily through you. Unfortunately my web developer gave me something to download and I was told that I had to download MPlayerX also. I saw Mackeeper was bundled with it, but I tried to deselect it. Whatever happened, all I got was adware. It is heartwarming to know you are spending your time fixing problems like this. Thank you!

    • U.N. Owen says:

      That’s what it is doing – even if you read the ‘fine print’ and DE-select the macKeeper, it will STILL attempt to install.

      The best bet, is the simplest; STAY AWAY from MPlayerX.

      • fetch says:

        >> even if you read the ‘fine print’ and DE-select the macKeeper, it will STILL attempt to install.
        No, it doesn’t. You will not get anything except MPlayerX if you carefully skip all offers.

  • John M says:

    Best way to avoid this would be to use VLC media player and Handbrake instead of MPlayerX. I’ve seen users bring tons of adware-infected Macs to my help desk, only because they couldn’t open a video in an obscure format, so they installed MPlayerX. While AdwareMedic solves the adware infestations, VLC seems to be more honest and reputable, and has never bundled adware. Yes, it is not very battery efficient, but it is better to support the reputable company.

    • fetch says:

      You are wrong. It does not really matter which application you download. The important thing is _where_ you download it. For example, I’ve just got a VLC media player sample with InstallCore inside (the same thing that is being discussed in this blog post).

      • Thomas says:

        That’s definitely true. Location is important, and pretty much any software could be infected with adware (or worse) when downloaded from the wrong place. However, MPlayerX seems to be compromised even directly from the developer, so in my opinion, it simply can’t be trusted no matter where you get it from. VLC is a good (I’d say better) alternative, but you must obtain it from a good source, such as the official site:

        http://www.videolan.org/vlc/download-macosx.html

        • Jim says:

          Hi Thomas,

          I do agree with you that VLC is a good media player, but unfortunately it’s not so easy to use for those who don’t have any experience with it.

          You have to do a lot of digging around in the preferences or on their wiki to figure out how to get it to do many things.

          So do you or anyone else have any suggestions for a free or low-cost media player which is easy to use and can handle just about anything you throw at it, with plenty of features?

        • Al Varnell says:

          I was able to locate the latest version on the developer’s SourceForge site. It’s a zip file that only includes the Application and did not install anything extra for me.

          Caution! This link will immediately download the file:

          downloads.sourceforge.net/project/mplayerx-osx/MPlayerX-1.0.22.1.zip

          Once you have it installed, any more updates will be handled by the Sparkle update system so you should never have to download the installer or zip file again.

          • Thomas says:

            The problem is, there’s a .dmg file sitting right next to that one in the same directory that contains the troublesome installer. That makes me extremely leery of trusting anything made by that developer, and I do not recommend downloading MPlayerX in any form, even if you can get it without the obnoxious installer. If the developer is unethical enough to package it inside an installer that tries to dodge analysis, who knows what’s going on inside the app’s code itself! (It may be open-source, but I doubt anyone has done a security audit of the code or verified that the distributed app matches the publicly-available code.)

          • Unknown Alien Visitor says:

            The biggest problem is that MPlayer works great, even better than VLC in my experience, and there is not really big competition out there for these two. Good call, Al Varnell, on the zip file (by default the website redirects you to the 1.x MB installer DMG instead of a good ol’ zip, but obviously you can easily just browse the project’s files).
            Now Thomas, it would be great to publish some alternative players other than VLC; like I said, from experience MPlayerX is better (works every time VLC doesn’t, and so on).

  • XTC says:

    So, to clarify, MPlayerX itself is okay. Its delivery is just wrapped in a steaming pile of s**t.
    I’m setting up my Casper management to hunt down and destroy a number of things like ZipCloud, MacKeeper and so forth, and wondering if MPlayerX itself should be on the list, but my reading is that it sounds like it’s a perfectly fine app in isolation.

    • Thomas says:

      No, I wouldn’t trust the MPlayerX app at all. When the developer himself decides to put adware in the installer, the software itself should no longer be considered trustworthy.

  • JD says:

    PLEASE HELP. How can I get it off my computer? I’m not a caveman, but I don’t know much about coding. I just want it off my computer and it won’t let me delete it. I have mid 2014 iMac w/ OSX Yosemite V.10.10.4 Any help is much obliged. Thank you.
