The unchecked growth of Mac adware
Published August 18th, 2014 at 2:40 PM EDT , modified August 18th, 2014 at 9:02 PM EDT
Adware was unheard of on the Mac until a couple of years ago. The first Mac adware appeared in 2012, and it was the only one to appear that year. Since then, adware has risen sharply, year over year, and threatens to bring the Mac down to the same state as Windows, where adware infections are very common. Most people just want to know how to get rid of adware, but the questions we need to be asking are what is causing this sudden growth, and why it is being allowed to grow unchecked.
A brief history of adware
The first real adware to appear on the Mac was FkCodec (aka Codec-M), which appeared in early 2012. It was flagged as malware by security companies, because it pretended to be a video plug-in, but actually provided no such functionality. It was soon added to the XProtect anti-malware system built into Mac OS X, and quickly died out.
The next adware to appear did so in early 2013. It’s hard to put exact dates on the appearance of adware, as it tends to be around for a while before drawing the attention of the security community, but Yontoo and ChatZum both appeared in the spring, followed up throughout the rest of the year by Genieo, ClickAgent and Spigot. Softonic and Download.com began distributing some of this adware with some third-party software downloaded from their sites.
2014 has seen the appearance of many more new adware programs. Adware that I have seen includes Conduit, Downlite (aka VSearch), GoPhoto.it, Savekeep, Jollywallet, VidX (aka MacVX), MacDeals and PalMall. Ads have also been injected into web pages by software whose main purpose is something other than advertising, such as Glims, avast! Online Security and Awesome Screenshot. Worse, there are numerous other clues I’ve come across regarding adware that I have yet to get my hands on, such as MacShop, MacSmart and a fake Photo Zoom. Keep in mind, we’ve still got more than four months to go until the end of the year, so there’s plenty of time for still more adware to appear.
Where does it come from?
As previously mentioned, some adware comes from bad download sites, like Softonic and Download.com. However, these days, the vast majority of adware seems to come from torrents, sites like Pirate Bay, and most of all, sites offering “free” video streaming. To put it more bluntly, most people at this time are getting infected with adware through acts of piracy.
This leaves me with some mixed feelings about helping people solve their adware problems. However, some people seem to truly not understand that what they’re doing is wrong, and some may still be getting their adware from sites that don’t involve illegal downloads. Further, adware serves as an admirable object lesson, and many have sworn off such activities altogether after learning the source of their adware problem. Thus, I feel it’s best to reserve judgement and simply try to help people.
Why is the problem getting worse?
Obviously, the people behind all this adware are having success making money from it. Advertisers are spending lots of money to put ads on your computer screen, and often they don’t understand exactly who they’re doing business with or how their online advertising is going to work. Unethical hackers also frequently take advantage of advertising networks, using tricks to put ads in front of users’ eyes in such a way that they get paid for it. Worst of all are the advertisers who don’t care how they advertise, like the makers of certain junk Mac utility apps which are often promoted through adware.
In any event, success breeds imitators, and there are many unethical hackers out there who are interested in making a quick buck. Since some adware has been able to thrive unimpeded for a year or two, the imitators are starting to reproduce rapidly.
However, no matter how successful these unethical practices have been, they could be cut short in an instant. Apple holds the keys, and could lock these programs out in a heartbeat, in two ways. First, all the adware that has appeared recently is signed with a valid Apple Developer ID, which lets the software pass Gatekeeper and run unimpeded on Mac OS X. Apple can revoke those Developer IDs, as it has done in the past with signed malware. This would cause the existing installers to fail entirely: with Gatekeeper enabled, Mac OS X refuses to open a downloaded app whose signature chains to a revoked ID. Apple has not done this, however.
A second layer of protection can be created in the form of XProtect definitions. XProtect is the basic anti-malware protection built into recent versions of Mac OS X, and it can be easily updated by Apple to detect (and block) newly-appearing malware. Thus far, unfortunately, Apple has only added a small number of adware programs to XProtect’s definitions, none of them recent adware.
I have submitted many malware and adware samples to Apple’s Product Security team. When it comes to true malware, XProtect has usually been updated within a few days of my submissions, and Developer IDs have usually been revoked with similar promptness. They’re not always perfect (they are human, after all), but most of the time the response is quick.
Unfortunately, when it comes to adware, most of my submissions have never generated any kind of response. The only adware recognized by XProtect are FkCodec and two other vaguely-identified programs (called OSX.AdPlugin.i and OSX.AdPlugin2.i by XProtect), all of which have been part of the XProtect definitions for a couple of years. Clearly, Apple is making a conscious decision not to block these programs.
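To make concrete what a definition-based blocker like XProtect does and does not catch, here is an added Python example; it is not Apple’s code and is not from the original post. It assumes a simplified definition layout modelled loosely on XProtect.plist (a plist array of entries, each with a Description and a list of Matches carrying a SHA-1 Identity); the signature name OSX.AdPlugin.i is taken from the post, and the file contents are constructed stand-ins, not real installers. It also shows the caveat behind the complaint above: a hash rule only catches the exact bytes that have been listed, so an unlisted installer, or a listed one that has been repacked, passes untouched until the definitions are updated.

```python
"""Toy XProtect-style definition matcher (added example, not Apple's code).

Assumption, labelled here: the definition layout is a simplified
approximation of XProtect.plist -- an array of entries, each with a
Description and a Matches list whose Identity is a SHA-1 digest. Only
the exact-hash rule is modelled; Apple's real format has more fields.
"""
import hashlib
import os
import plistlib
import tempfile

# Constructed sample payloads standing in for installer binaries.
KNOWN_BAD = b"#!/bin/sh\necho 'constructed stand-in for a listed dropper'\n"
UNLISTED = b"#!/bin/sh\necho 'constructed stand-in for 2014 adware never listed'\n"
REPACKED = KNOWN_BAD + b"# one extra line defeats an exact-hash rule\n"


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of a byte string, the key used by the toy definitions."""
    return hashlib.sha1(data).hexdigest()


def build_sample_definitions() -> bytes:
    """Emit a constructed definition plist that lists KNOWN_BAD only."""
    entries = [
        {
            "Description": "OSX.AdPlugin.i",  # name taken from the post
            "Matches": [
                {"MatchType": "Match",
                 "Identity": hashlib.sha1(KNOWN_BAD).digest()},
            ],
        },
    ]
    return plistlib.dumps(entries)


def load_definitions(plist_bytes: bytes) -> dict:
    """Parse the plist into a map of hex SHA-1 -> signature name."""
    index = {}
    for entry in plistlib.loads(plist_bytes):
        for match in entry.get("Matches", []):
            identity = match.get("Identity")
            if match.get("MatchType") == "Match" and isinstance(identity, bytes):
                index[identity.hex()] = entry["Description"]
    return index


def scan_tree(root: str, index: dict) -> list:
    """Hash every file under root and report (relative path, signature) hits."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = sha1_hex(fh.read())
            if digest in index:
                hits.append((os.path.relpath(path, root), index[digest]))
    return hits


def demo() -> list:
    """Drop the three samples into a temp dir and scan them.

    Only the byte-exact listed sample is reported; the unlisted and the
    repacked copies are invisible to a hash-only definition.
    """
    index = load_definitions(build_sample_definitions())
    samples = (
        ("listed-dropper.bin", KNOWN_BAD),
        ("unlisted-adware.bin", UNLISTED),
        ("repacked-dropper.bin", REPACKED),
    )
    with tempfile.TemporaryDirectory() as root:
        for name, payload in samples:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(payload)
        return scan_tree(root, index)


if __name__ == "__main__":
    for rel_path, signature in demo():
        print(f"{rel_path}: matches {signature}")
```

Run it and only listed-dropper.bin is reported. That is the practical point of the section: a definition file is a list of things already seen, so every submission that goes unanswered is an installer the blocker will never recognize, and even a listed sample stops matching the moment its distributor rebuilds it.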
Why isn’t Apple taking action?
This is a question that is impossible to answer without engaging in speculation. It’s possible that Apple has some long-term solution coming. Mac OS X 10.9.5 is supposed to include some changes to Gatekeeper that will require all apps to be re-signed by their developers. It is possible that this will also bring changes that will make it easier to block adware, though of course I have absolutely no reason to believe this is the case.
It’s also possible that Apple simply doesn’t want to try to walk this line. The difference between adware and legitimate software can be an extremely fine line. Often, installers that contain adware will include a license agreement that clearly states what will be installed, with a check box to allow the user to opt out of installing the adware. In my opinion, this is not adequate reason to treat the software as legitimate, but Apple is in a much different position than I am, and may be trying to avoid lawsuits. After all, one adware company threatened to sue me over some of my articles about their product. When it comes to a company with as deep pockets as Apple’s, that threat could actually be carried out.
Apple’s product security team may also have a completely different view of adware than I do. It’s possible that they think this software is fine and that it’s not something they feel needs blocking.
Regardless of the reason, until Apple does something to block this adware, the problem will only continue to worsen. If you want Apple to take action, you should go to Apple’s Mac OS X feedback page and tell them how you feel.
What should I do in the meantime?
Avoiding adware is quite easy, if you’re careful about what you download.
- Never download anything from a third-party download site such as Softonic or Download.com; the download may carry an adware payload.
- Avoid “impulse downloads.” (In other words, don’t download some cool-sounding app you see an ad for without doing a little research first.)
- Only download apps directly from the developer’s site.
- Never engage in software or media piracy.
- Some torrents may be used for legitimate purposes, but I recommend avoiding torrents in general, since their primary use these days is piracy.
- Don’t go to questionable video streaming sites – get your video fix only from legit sources, such as iTunes, Amazon, Netflix, Hulu or the websites of the various TV networks and movie studios.
- Read the license agreement in any installer you run, and pay close attention to any mention of special offers. Even if there’s a check box to allow you to opt out of a special offer, quit the installer immediately and throw it away… such check boxes are not always respected, and you may get the adware or other junk software installed regardless of what the check box says.
One thing you absolutely should not do is install anti-virus software. Most anti-virus software won’t detect most adware, and even if it does, it won’t be able to properly remove it. I’ve seen plenty of people who have gotten adware despite having anti-virus software installed, and I’ve also seen plenty of people whose anti-virus software completely failed to remove the adware. In fact, in at least one recent case, the anti-virus software screwed up the removal so badly that the Mac wasn’t able to start up any longer. (This is a possible side-effect of the Genieo adware, if it is removed improperly.)
If you think that you have adware, try my Adware Removal Tool. I very much hope that Apple makes it obsolete sometime soon, but in the meantime, it should help you get rid of that pesky adware!