Posted on May 23rd, 2014 at 8:55 PM EDT
Something called Vidx has been teasing me for a little while now, with some tantalizing hints but no concrete leads. Today, one of my colleagues pointed me to a website where it can be downloaded. I’ve spent quite a bit of time playing with it today, and it isn’t much different from other adware, except for one particular trick.
The site itself clearly advertises the software as a video plugin, with the implication that it can play popular formats such as DivX, WMV and AAC. In reality, it does nothing of the kind. The download does not actually install any internet plugins, which are what would typically provide such playback support. Just to be sure, I tried loading some videos both with and without the Vidx software installed, and there was no difference between the two.
Downloading and installing is quick and easy. The installer requires no license agreements or user interaction… which also means there’s no chance to change your mind after you tell Mac OS X to allow the app to open.
The app installs a copy of itself in the Applications folder (which does nothing other than install the software again), as well as browser extensions in Safari, Firefox and Chrome. Interestingly, when I installed it the first time, it did not actually install the Safari extension. It could be found on my system, downloaded into a hidden temporary folder alongside the components of the Firefox and Chrome extensions, but it was not actually installed. Running the Vidx app in the Applications folder installed the Safari extension.
Two different Safari extensions were seen, although they appeared to be identical once installed. One file was called Vidx.safariextz, while the other was simply called extension.safariextz. (The latter has also been teasing me for a couple months, as I’ve seen reports of this suspiciously-named file being on people’s Macs, but had never gotten concrete details until now.)
Oddly, each time the installer runs, another copy of the extension is added to Firefox and Chrome. Each time, the extension is given a name that is a slight variation on the Vidx name. At left, some (though not all by any means) of those variations can be seen installed in Firefox, after running the Vidx app seven times. This may not seem like a realistic scenario, but keep in mind that the app doesn’t appear to do anything, and it would not be uncommon for someone to try opening it multiple times, not being sure why it didn’t appear to open.
The only reason I can think of for this behavior is to make automated removal difficult. If the name is different each time, it makes it harder for any kind of automated script or app, such as my own Adware Removal Tool, to remove it from the system.
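One way a removal or audit script can cope with names that change on every install is to score each extension's display name for similarity to the base name instead of comparing it exactly. The following is an added example, not code from this post or from the Adware Removal Tool; the threshold value and the use of Chrome's per-profile `Extensions` directory layout are assumptions, and hits are candidates for manual review, not confirmed adware.

```python
import json
import re
from difflib import SequenceMatcher
from pathlib import Path

TARGET = "vidx"    # base name reported in the post
THRESHOLD = 0.75   # assumed cut-off; tune it against your own extension inventory

def similarity(name: str) -> float:
    """Score a display name against TARGET, ignoring case, digits and punctuation."""
    norm = re.sub(r"[^a-z]", "", name.lower())
    if not norm:
        return 0.0
    return SequenceMatcher(None, norm, TARGET).ratio()

def scan_chrome_extensions(ext_root: Path) -> list[tuple[str, str, float]]:
    """Return (extension_id, name, score) for manifests whose name resembles TARGET.

    ext_root is a Chrome profile's Extensions directory, laid out as
    <extension id>/<version>/manifest.json. Names stored as localized
    __MSG_...__ placeholders are not resolved here and will not match.
    """
    hits = []
    for manifest in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        if not isinstance(data, dict):
            continue
        name = str(data.get("name", ""))
        score = similarity(name)
        if score >= THRESHOLD:
            hits.append((manifest.parent.parent.name, name, round(score, 3)))
    return hits

if __name__ == "__main__":
    root = Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"
    for ext_id, name, score in scan_chrome_extensions(root):
        print(f"review: {ext_id}  name={name!r}  score={score}")
```

Short legitimate names that share most of their letters with the base name will also score above the threshold, so the output should feed a review step and not an automatic delete.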
If you have fallen for this scam, you should remove it immediately. Remove any browser extensions named anything similar to Vidx, and if you see a Vidx app in your Applications folder, throw it in the trash. For more information, see the Vidx page of my Adware Removal Guide, or use my Adware Removal Tool to delete all the components automatically.
If you have a Web of Trust account, you can help to get this site flagged as malicious by rating the site here: