OFFICIAL SECURITY BLOG

The unchecked growth of Mac adware

Published August 18th, 2014 at 2:40 PM EST, modified August 18th, 2014 at 9:02 PM EST

Adware was unheard of on the Mac just a couple years ago. The first Mac adware appeared in 2012, and it was the only one to appear that year. Since then, adware has seen an exponential rise that promises to bring the Mac down to the same state as Windows, where adware infections are very common. Most people just want to know how to get rid of adware, but the questions we need to be asking are what is causing this sudden growth, and why is it being allowed to grow unchecked?

A brief history of adware

The first real adware to appear on the Mac was FkCodec (aka Codec-M), which appeared in early 2012. It was flagged as malware by security companies, because it pretended to be a video plug-in, but actually provided no such functionality. It was soon added to the XProtect anti-malware system built into Mac OS X, and quickly died out.

The next adware to appear did so in early 2013. It’s hard to put exact dates on the appearance of adware, as it tends to be around for a while before drawing the attention of the security community, but Yontoo and ChatZum both appeared in the spring, followed up throughout the rest of the year by Genieo, ClickAgent and Spigot. Softonic and Download.com began distributing some of this adware with some third-party software downloaded from their sites.

2014 has seen the appearance of many more new adware programs. Adware that I have seen includes Conduit, Downlite (aka VSearch), GoPhoto.it, Savekeep, Jollywallet, VidX (aka MacVX), MacDeals and PalMall. Ads have also been injected into web pages by software whose main purpose is something other than advertising, such as Glims, avast! Online Security and Awesome Screenshot. Worse, there are numerous other clues I’ve come across regarding adware that I have yet to get my hands on, such as MacShop, MacSmart and a fake Photo Zoom. Keep in mind, we’ve still got more than four months to go until the end of the year, so there’s plenty of time for still more adware to appear.

Where does it come from?

As previously mentioned, some adware comes from bad download sites, like Softonic and Download.com. However, these days, the vast majority of adware seems to come from torrents, sites like Pirate Bay, and most of all, sites offering “free” video streaming. To put it more bluntly, most people at this time are getting infected with adware through acts of piracy.

This leaves me with some mixed feelings about helping people solve their adware problems. However, some people seem to truly not understand that what they’re doing is wrong, and some may still be getting their adware from sites that don’t involve illegal downloads. Further, adware serves as an admirable object lesson, and many have sworn off such activities altogether after learning the source of their adware problem. Thus, I feel it’s best to reserve judgement and simply try to help people.

Why is the problem getting worse?

Obviously, the people behind all this adware are having success making money from it. Advertisers are spending lots of money to put ads on your computer screen, and often they don’t understand exactly who they’re doing business with or how their online advertising is going to work. Unethical hackers also frequently take advantage of advertising networks, using tricks to put ads in front of users’ eyes in such a way that they get paid for it. Worst of all are the advertisers who don’t care how they advertise, like the makers of certain junk Mac utility apps which are often promoted through adware.

In any event, success breeds imitators, and there are many unethical hackers out there who are interested in making a quick buck. Since some adware has been able to thrive unimpeded for a year or two, the imitators are starting to reproduce rapidly.

However, no matter how successful these unethical practices have been, they could be cut short in an instant. Apple holds the keys, and they could lock these programs out in a heartbeat, in two ways. First, all the adware that has appeared recently is signed with a valid Apple Developer ID. This allows the software to run unimpeded on Mac OS X. Apple can revoke those Developer IDs, as it has done in the past with signed malware. This would cause the existing installers to fail entirely – Mac OS X will simply refuse to open an app that is signed with a revoked ID. Apple has not done this, however.

A second layer of protection can be created in the form of XProtect definitions. XProtect is the basic anti-malware protection built into recent versions of Mac OS X, and it can be easily updated by Apple to detect (and block) newly-appearing malware. Thus far, unfortunately, Apple has only added a small number of adware programs to XProtect’s definitions, none of them recent adware.

I have submitted many malware and adware samples to Apple’s Product Security team. When it comes to true malware, XProtect has usually been updated within a few days of my submissions, and Developer IDs have usually been revoked with similar promptness. They’re not always perfect (they are human, after all), but most of the time the response is quick.

Unfortunately, when it comes to adware, most of my submissions have never generated any kind of response. The only adware recognized by XProtect are FkCodec and two other vaguely-identified programs (called OSX.AdPlugin.i and OSX.AdPlugin2.i by XProtect), all of which have been part of the XProtect definitions for a couple of years. Clearly, Apple is making a conscious decision not to block these programs.
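An added example, not part of the original article and not Apple's code: a Python script that lists the names in an XProtect definitions file and checks them against the adware families named above. The file path, the layout (a top-level array of entries with a `Description` key) and the sample data are assumptions; the sample, including the names OSX.FkCodec.i and OSX.ConstructedTrojan.A, is constructed.

```python
import plistlib

# Assumption: where the definitions live on Mac OS X releases of this era.
XPROTECT_PLIST = ("/System/Library/CoreServices/CoreTypes.bundle/"
                  "Contents/Resources/XProtect.plist")

# Adware named in the article, with the aliases the article gives.
ARTICLE_ADWARE = {
    "FkCodec": ["FkCodec", "Codec-M"],
    "Yontoo": ["Yontoo"],
    "ChatZum": ["ChatZum"],
    "Genieo": ["Genieo"],
    "ClickAgent": ["ClickAgent"],
    "Spigot": ["Spigot"],
    "Conduit": ["Conduit"],
    "Downlite": ["Downlite", "VSearch"],
    "VidX": ["VidX", "MacVX"],
}

# Constructed sample in the assumed layout, used when the real file is absent.
# The last entry has no Description, to exercise the skip path.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict><key>Description</key><string>OSX.FkCodec.i</string></dict>
  <dict><key>Description</key><string>OSX.AdPlugin.i</string></dict>
  <dict><key>Description</key><string>OSX.AdPlugin2.i</string></dict>
  <dict><key>Description</key><string>OSX.ConstructedTrojan.A</string></dict>
  <dict><key>Matches</key><array/></dict>
</array>
</plist>
"""


def definition_names(plist_bytes):
    """Return the Description string of every definition entry."""
    entries = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    if not isinstance(entries, list):
        raise ValueError("expected a top-level array of definitions")
    return [e["Description"] for e in entries
            if isinstance(e, dict) and isinstance(e.get("Description"), str)]


def coverage(names, families):
    """Map each adware family to the definition names that mention it.

    Matching is a case-insensitive substring test on the family's aliases,
    so generically named definitions will not be attributed to any family.
    """
    result = {}
    for family, aliases in families.items():
        needles = [a.lower() for a in aliases]
        result[family] = [n for n in names
                          if any(x in n.lower() for x in needles)]
    return result


def missing_families(cov):
    """Families from the article with no matching definition."""
    return sorted(f for f, hits in cov.items() if not hits)


def unattributed(names, cov):
    """Definitions that match none of the article's family names."""
    matched = {n for hits in cov.values() for n in hits}
    return [n for n in names if n not in matched]


if __name__ == "__main__":
    try:
        with open(XPROTECT_PLIST, "rb") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE_PLIST  # not on a Mac, or the file has moved
    names = definition_names(data)
    cov = coverage(names, ARTICLE_ADWARE)
    print("definitions:", len(names))
    print("families with no definition:", ", ".join(missing_families(cov)))
    print("definitions not tied to a named family:", unattributed(names, cov))
```
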

Why isn’t Apple taking action?

This is a question that is impossible to answer without engaging in speculation. It’s possible that Apple has some long-term solution coming. Mac OS X 10.9.5 is supposed to include some changes to Gatekeeper that will require all apps to be re-signed by their developers. It is possible that this will also bring changes that will make it easier to block adware, though of course I have absolutely no reason to believe this is the case.

It’s also possible that Apple simply doesn’t want to try to walk this line. The difference between adware and legitimate software can be an extremely fine line. Often, installers that contain adware will include a license agreement that clearly states what will be installed, with a check box to allow the user to opt out of installing the adware. In my opinion, this is not adequate reason to treat the software as legitimate, but Apple is in a much different position than I am, and may be trying to avoid lawsuits. After all, one adware company threatened to sue me over some of my articles about their product. When it comes to a company with as deep pockets as Apple’s, that threat could actually be carried out.

Apple’s product security team may also have a completely different view of adware than I do. It’s possible that they think this software is fine and that it’s not something they feel needs blocking.

Regardless of the reason, until Apple does something to block this adware, the problem will only continue to worsen. If you want Apple to take action, you should go to Apple’s Mac OS X feedback page and tell them how you feel.

What should I do in the meantime?

Avoiding adware is quite easy, if you’re careful about what you download.

  • Never download anything from any kind of third-party download site, because, as with Softonic and Download.com, the download may carry an adware payload.
  • Avoid “impulse downloads.” (In other words, don’t download some cool-sounding app you see an ad for without doing a little research first.)
  • Only download apps directly from the developer’s site.
  • Never engage in software or media piracy.
  • Some torrents may be used for legitimate purposes, but I recommend avoiding torrents in general, since their primary use these days is piracy.
  • Don’t go to questionable video streaming sites – get your video fix only from legit sources, such as iTunes, Amazon, Netflix, Hulu or the websites of the various TV networks and movie studios.
  • Read the license agreement in any installer you run, and pay close attention to any mention of special offers. Even if there’s a check box to allow you to opt out of a special offer, quit the installer immediately and throw it away… such check boxes are not always respected, and you may get the adware or other junk software installed regardless of what the check box says.

One thing you absolutely should not do is install anti-virus software. Most anti-virus software won’t detect most adware, and even if it does, it won’t be able to properly remove it. I’ve seen plenty of people who have gotten adware despite having anti-virus software installed, and I’ve also seen plenty of people whose anti-virus software completely failed to remove the adware. In fact, in at least one recent case, the anti-virus software screwed up the removal so badly that the Mac wasn’t able to start up any longer. (This is a possible side-effect of the Genieo adware, if it is removed improperly.)

If you think that you have adware, try my Adware Removal Tool. I very much hope that Apple makes it obsolete sometime soon, but in the meantime, it should help you get rid of that pesky adware!

58 Comments

  • D Jacobs says:

    I installed Norton for Mac some time ago. What’s the problem?

    • Thomas says:

      I’m not sure I understand the question. I will comment that Norton is quite a poor choice on the Mac, and is well-known for causing all manner of performance and stability problems. But I’m not sure how that relates to the topic of Mac adware.

    • @elias says:

      Please have a look here: http://support.apple.com/kb/HT5290?viewlocale=en_EN

      The Problem with some Antivirus for Mac based on Windows causes many problems especially they need privileged rights to work properly. Most of the AV’s take down the performance and its built-in cleaning tools can damage your system.

      If you need one have a look to Eset’s Cybersecurity or Sophos Antivirus for free.

      • Thomas says:

        Please note that, as this article points out, anti-virus software is not decent protection against adware, nor will it reliably remove adware (if at all). Do not install anti-virus software expecting it to protect against or remove adware, or you will be sorely disappointed.

  • daire says:

    so are we using anti-virus or not? i sense a tone

    • Thomas says:

      You definitely should not be using anti-virus software as a means for protecting against adware. For that purpose, it’s not useful. For more general info about whether anti-virus software is useful, see my Mac Malware Guide.

  • Meghan says:

    Thank you so much for your TSM Adware Removal Tool. I’ve been searching for something to find my virus for weeks and your software worked within 2 minutes. Appreciate your help!

  • Tri says:

    Thomas, thank you so much. It really works.

  • Marco Cappagli says:

    Thank you so much!!

  • Husam says:

    Seriously buddy : Thank you for not judging. What a nice paragraph.
    “This leaves me with some mixed feelings about helping people solve their adware problems. However, some people seem to truly not understand that what they’re doing is wrong, and some may still be getting their adware from sites that don’t involve illegal downloads. Further, adware serves as an admirable object lesson, and many have sworn off such activities altogether after learning the source of their adware problem. Thus, I feel it’s best to reserve judgement and simply try to help people”

  • Ian MacGregor says:

    Your tips under “What should I do in the meantime?” are great.. I have been following these common-sense tips for years and haven’t had any problems. Thank you for this article.

  • Kage says:

    Thank you! Script worked wonderfully!

  • Maxim Nikolaev says:

    Thank you for this topic, interesting information. I think Apple can manage it, because they are in a better position than Microsoft… UNIX.

  • MacUser says:

    Not sure what good it will do, but I followed your advice and submitted feedback. I had no idea what to select for the required drop-down under “Feedback Type” – nothing seems to fit. I ended up going with “Design/Ease of Use” since I’m not reporting a bug, and it has nothing to do with compatibility, connectivity or configurability. That left only 2 choices, the other being “Efficiency/Workflow.” However, the form limited what I could type – looks like a 1000 character limit!

    Here is what I said:
    “PLEASE start protecting Mac users against adware! Add the definitions to XProtect or create something new! You could clearly distinguish it from other forms of malware if the concern is about being sued or something, and always give users the option to install the adware, and make this easier to do. The pop-up window alerting users could contain less serious wording and wouldn’t say anything like “this will harm your computer”.

    Please start being responsible and proactive and provide protection to your users, most of whom have absolutely NO experience dealing with adware, especially since you have repeatedly told them for years they don’t need any sort of anti-malware app and “Macs don’t get viruses” which most think means “Macs don’t get malware”.
    Show that you still care.”

  • Dennis says:

    So glad to have found this site, the Ad Removal Tool worked perfectly. I was careless about clicking on a message that appeared legit, telling me that I needed to update Flash (it simulated the Flash logo) and … after much aggravation, I’ve learned a good lesson. The Safe Mac to the rescue!

  • Raquel says:

    Before I found this website I was going crazy (almost installed Mavericks from scratch to deal with this problem)
    Going through the Library made me realize that I had the adware about a month ago.
    This site is the best way of having a safe mac 😀
    Thank you so much for your help and dedication!

  • TJK says:

    This version worked great! The only explanation for Apple’s laissez-faire approach must be that adware problems are good for their support business. Trying to figure out Apple’s objective beyond profits is pure alchemy. Like the products but hate the corporation.

    • Thomas says:

      I seriously doubt Apple makes any money on support; they probably take a loss there, like most tech companies. Whatever reasons they have for not blocking the adware, it’s definitely not that!

  • Jennifer says:

    Thank you, thank you, thank you for your time and dedication to your site. Your Adware Removal Tool did an excellent job cleaning up the mess I accidentally downloaded. Thank you for paying it forward!

  • Bill says:

    Thank you so much…Adware removal tool worked like a charm. So thankful to you!!!!! I now will be visiting this site to gain a bit of your info and tips!

  • Patrick J. Mele says:

    Hi Thomas, another thank you for the Adware removal tool I recently downloaded and used. I’m back to feeling like I have control of my Mac again. I’m using ClamXav from the Mac App Store only to check files for malware. Do you recommend me using it regularly with daily updates? Also, are these URL site checkers such as Sucuri and Virus Total worth using? Thanks in advance.

    • Thomas says:

      You can use the Adware Removal Tool regularly if you like – it won’t hurt anything. However, if you’re not actually having adware symptoms, there’s not much reason to do so.

      As for things like Sucuri and VirusTotal… I’ve seen them call a site clean that I knew was acting maliciously, and I’ve seen them call a site malicious that definitely wasn’t. So those are unreliable tools. However, you can certainly use them to check out questionable sites if you like. I’d also recommend the user-driven WOT (Web Of Trust). It’s also not perfect, but can be useful, and has a free browser add-on for every major browser.

    • Al says:

      There’s a new site checker I just read about this evening. It probably won’t tell you whether it’s malicious or not, but it will give you detailed information about how it’s built, who it belongs to and what it uses to advertise and gather statistical information. http://builtwith.com/

  • Alberto says:

    Thank you very much
    It worked perfectly for me to get rid of annoying pages that were opening by themselves, among them the extremely annoying MacKeeper

  • Robin Minkler says:

    Thanks soooo very much for your TSM Adware Removal Tool! When the pop-ups were happening heavily, I was about to start ripping my hair out! I used your program, and now I’m an ad-free, happy camper again! The world needs more folks like you!

  • Tadhg says:

    Thomas, you Legend!!
    Thank you very much for your ad removal tool, you’ve stopped some heartbreak. Hope you’re having a great day 🙂

  • Maria Carter says:

    Adware removal is really necessary for Mac OS X. Right now, I am using an app that hides my system files by just a single click.

    • Thomas says:

      I’m not sure how the app that hides system files is related to the topic of adware. If you are using it with the belief that this protects you against adware, you should be aware that this is not the case.

  • Alex Langshur says:

    Thomas,

    Many, many thanks for this tool and your work. I intend to socialize your site widely within my community. My story is similar: an errant click resulted in a Softonic install that led to a browser hijack (example: all my searches redirected through Bing) and other many irritants. The TSM tool worked like a charm and I feel I have my Mac back. Good stuff!

  • Connie says:

    Bless your heart, Thomas!

    I would like to know if using Adblock plus is advisable in conjunction with WOT and TSM Adware Removal Tool as well?

    The Safe Mac is my official favorite mac site!

    • Thomas says:

      WOT is good, provided you don’t assume that it is always 100% correct. AdBlock won’t protect against adware… it’s solely for use blocking legit ads that are supposed to be present on a site.

  • Jay says:

    Adware removal tools worked extremely well, thanks so much. Now the things that I’m doing on-line instead of work take less time, making me more productive!

  • tim says:

    is the adware removal tool able to delete adware from reduxmedia?

    • Thomas says:

      That’s not one I’m familiar with, but note that the sites that the ads are being served from often have nothing at all to do with the name of the adware program responsible for inserting the ads. Try the Adware Removal Tool and see what it does.

  • Brydon says:

    greetings
    I have tried your TSM Adware Removal Tool, but it wants an update first. I clicked yes … it did nothing. I thought it did it covertly, so I tried it again, still nothing. I would like to use this tool … can you help me get it to work please ?

  • JC says:

    Thanks to MacIssues mentioning your site, I think I’ve now eliminated the cause of some PopBehind ads. I’d already found the “SafePrices” setting in avast! I just admitted to be using avast!, of course! :blush:

    I installed avast! several months ago and the only results have been extra (but at least temporary) wasted space on every new web page and eventually the annoying “SafePrice” banner. I’ve yet to see any indication of the app finding any malware. I don’t think avast! originally had the “SafePrice” code. But I am wondering if one of its updates also included the adware I found (MacVX) with your ART script? At any rate, I think I will simply uninstall avast! matey! LOL!

  • Andy says:

    I have been suffering with iphoto on my mac for weeks, bombarding me with unwanted junk. In the space of a few seconds with your removal tool it has gone. Top man, I can’t thank you enough.

  • Veronica C. says:

    THANK YOU!!!! THANK YOU!!!! THANK YOU!! Your Removal Tool worked like a charm. THANK YOU!!!

  • Tony says:

    I have spent my entire day off with mackeeper pop ups, reloading entire operating system, and 10 hours of research could not rid this bug. Your program found “downlite”, which caused all the problems, thank you so much.

  • ahmo says:

    Yes, another THANK YOU!! THANK YOU!!

    Dr. Web Lite had found and deleted a handful of items, but was unable to delete Trojan.com.Vsearch7. I now see that my recently acquired adware was from my sole attempt to download something via torrent. It was an item I could find no other source for. Needless to say, I won’t be looking further. But I’m happy to now understand that’s where it came from. Your little beauty seems to have solved my troubles in moments. 🙂

  • CY says:

    I have used your script and it did cut down on my pop ups – thank you! But I’m still getting one called compsecureweb.biz and it’s especially frustrating because I have to reset my Mac to get it off Safari – no way to just close the pop-up. Is this something you will be able to add to your script to get off my Mac sometime? Thanks!!!

  • Régis says:

    Thank you so much for your Adware Removal Tool! Using Safari had become a real nightmare: pornographic pop-ups appearing and links no longer working. Thanks to you, and in just a few minutes, my Mac is like new!
    Thank you, thank you, thank you!!!

  • Bob Wood says:

    I just picked up two viruses, OSX/VSearch-A and OSX/VSearch-D. I’m running OSX v.10.9.2 and Firefox 31.0. Can you help ?

  • Shelagh McNally says:

    Thank you for this information. I sent you a donation. I ran all the usual software and nothing stopped the problem except your fix. Thanks for being an Internet Hero!!

  • lindafulponi says:

    i followed your instructions and it worked!.. i was going mad trying to do any work!!
    thanks

  • AmyR says:

    Hurray! Your program found gophotoit and genio and removed it in about 1 minute! Was about to take computer in for repair!

  • Nicole Newling says:

    Thank you, thank you, thank you! I was so frustrated trying to find a way to get rid of this. My kids streamed a movie on my mac a couple of months ago and it’s been a nightmare ever since. Such a relief!

  • RickP says:

    The Adware Removal Tool is excellent !!! Thank you Thomas!!

  • Promise says:

    ThANKS ALOT THE ADWARE TOOL WORKED PERFECTLY

  • Valerie Brooks says:

    I have floods of cookies, they stop youtube from streaming…in a few minutes I can easily have 90 cookies and counting. I have to hand delete them. I paid for the cookies software for mac and it did nothing. I sent email and they told me to do this and that, I already did, they gave me simple instructions, their cookies program never worked and once in a while it works for no reason on firefox….it shows cookies, never the same cookies in preferences and never deleting on Cookies program simultaneously deletes on Safari cookies, at the same time. I have no idea if the cookies are really deleted or they make something up but hand deleting on Safari cookies restarts the program, not COOKIES program which doesn’t work at all. I think the programs are great pretenders in a number of ways. I can watch another 10 minutes of videos IF I delete 60 cookies every 5 minutes. So I download youtube videos and that worked…then that stopped working, they won’t even download now without deleting by hand constantly….any links that solves cookies for real please let me know but please don’t sell me Cookies or Safari cookies, I already purchased for nothing.

  • Sam Ziegler says:

    Your guide to removing adware was excellent! I was able to follow your instructions really easily. I was a little weary to use the AdwareMedic but I figured I’d give it a shot, since you seemed pretty credible. It totally cleared up my problem with random ads and tabs popping up. I have never been more impressed with a help site before. Thank you so much Thomas!! 🙂

  • Charles says:

    Perhaps this is an attempt to fight piracy. Apple has close relationships/deals with media creators. Since this junk comes from the world of piracy, it’s in Apple’s interest to not remove this crap. Seems like a logical conspiracy.

    Ok. I’ll take off my tinfoil hat now.

  • Pablo says:

    Thanks for ART. best! greetings from uruguay

  • U.N. Owen says:

    It blows my mind – the ‘camps’ of people responding here are either of the mindset ‘I got (fill-in-the-blank AV software), so, I’m fine,’ or, it’s Apple’s fault for not doing more(?) to protect !!??!!) me.’

    Just like in every day life, I’ve sadly seen people taking less RESPONSIBILITY for their own lives positive & negative.

    You got bad software NOT for ANY other reason than something YOU did, and – if you are a person who’s been to a site like this, and (supposedly) is informed about what lurks out there, and STILL manages to get munged up, it’s not only STILL your fault, but, you’re a BIGGER idiot than one who hasn’t (had the brains, or desire) to check out sites like this.

    In all my years (only on Macs) – since good ole’ System 7 (ah!), I’ve only TWICE ever had something ‘bad’ on my computer (a ‘Genieo’ and a ‘Spigot’) ”cos I wasn’t paying attention.

    I am a person who – I know my way around Macs quite well, and I have ClamXav running (just to make me ‘happy’), but, I know it’s inevitably up to ME.

    I use Little Snitch to prevent communications to/from certain sites which throws a wrench in those things – not getting on me, but, communicating, which is how they make $, as well as to keep my eye on what is talking to who.

    I’m far from perfect – I may go to places where these nefarious things lurk, but, those 2 times – I am to blame.

    Just like a driver not watching where he’s going, it’s MY job.

    The rule everyone should live by is no matter how good, etc, one is at any given subject, NEVER – EVER – feel ‘invincible.’

    It’s when one feels’ bupkis can go wrong,’ that their guard’s down, and something WILL happen, so, yes – I may play a little ‘on the wild side,’ but, I NEVER – EVER assume’ all’s ok.

    As the great Felix Unger said; ‘when one ASSUMES,’ you make an ‘ASS’ out of ‘U’ & ‘ME.’
