InstallCore adware proliferates
Published April 8th, 2015 at 11:42 AM EDT , modified May 23rd, 2015 at 9:58 AM EDT
InstallCore is adware that began with a couple simple browser extensions. (One of these took the same name as a Spigot extension, “Searchme”, leaving questions about whether InstallCore might be related to Spigot in some way or whether this is purely coincidence.) Recently, however, new variants of InstallCore have been appearing like poop on a lawn full of geese. And some of the strategies it’s using stink just as badly!
Back in February, a colleague from a security company brought my attention to a fake Adobe Flash Player installer that was installing adware. The adware it installed for me looked like the familiar Searchme component of Spigot, albeit with very different code internally than the older Spigot extension. However, this resulted in some confusion and miscommunication between us, and it finally turned out that he was getting an extension called “searchtab,” with the same code as my “Searchme” extension.
It turns out that this installer behaved differently based on location. In the US, it installed Searchme. For my friend in France, it installed searchtab. Otherwise, the behavior was the same.
Then, last weekend, when checking the latest adware-riddled Softonic installer (see Continue to boycott Softonic), I found that it currently installs a Safari extension named jbsearch. Examining the code for this extension, it turns out to be the same as the latest Searchme and searchtab extensions.
In addition, earlier variants of this adware in its Searchme/searchtab form tended to be accompanied by a Firefox extension called Set Search Settings. This extension, however, was a major fail, as it was installed into a “staged” folder in Firefox’s extensions folder, which meant it never became active and was deleted by Firefox next time it opened. This latest Softonic installer, dropping the jbsearch Safari extension, also improperly installed this Set Search Settings extension in Firefox in exactly the same way.
Then, yesterday, someone tipped me off to being redirected to a web page that was reporting that Safari was out-of-date on his computer. The page itself was down before I could see it, but he had the presence of mind to send me the installer that was downloaded from this site. The resulting installer tries to look like a Safari installer, but not too hard… it’s a pretty poor imitation, as the installer icon doesn’t look anything like any installer Apple has ever used.
On running the installer, which is actually an application rather than a file made to be opened with Apple’s own Installer app, a window will appear imitating the Apple installer. This window strongly suggests that it will be installing Safari, which it absolutely does not do.
If you click the Continue button, the second step of the process requires you to accept changing your homepage to Yahoo and the installation of a “Search-Assist extension.” Of course, the actual extension is called nothing of the sort. In addition, although the agreement claims in one spot to install the extension in Safari, Chrome and Firefox, only Safari is actually affected. There’s no sign of any Chrome extension, and as with previous versions of this adware, the Firefox extension is a flop.
It’s also worth noting that this makes it look an awful lot like Yahoo is responsible for this adware. In reality, though, there’s no evidence that Yahoo is involved, and I strongly doubt that they would be. This is undoubtedly an abuse of their “Search BOSS” program which allows people to create their own custom search page and get a portion of the ad revenue generated through that page.
The “installer” then proceeds to ask you if you want to install the junkware apps MacKeeper and ZipCloud – neither of which should be used, of course. Accepting these offers allows the installer to proceed to completion.
The end result was the installation of yet another new variant of InstallCore, called “mtsearch.” Based on the recent pattern (jbsearch and mtsearch), I’d guess that there may be many other “XXsearch” variants of InstallCore out there.
Examining the code for all of these recent InstallCore extensions shows that they change the search URL to a Yahoo URL ending in:
The “hspart” and “hsimp” parts appear to be used for identification of the scammers behind the adware, so that Yahoo knows who to pay a share of the ad revenue, which is the end goal of these kinds of scams.
Interestingly, upon completion, the installer had one last trick up its sleeve. It opened Safari to a page claiming that both Java and Flash were required. Clicking either install button redirected to another page saying that something called “Media Player HD” was required to continue. Clicking the Install button there resulted in the download of an adware-infected MPlayerX installer, which installed a fairly typical variant of the Downlite (aka VSearch) adware.
All this is interesting to techies, but how does it help normal Mac users? Because this is an excellent illustration of the kinds of scams that exist these days. The scams used in this case all involved telling the user that something was outdated and needed updating in order to see whatever it was that the user was looking for. Other scams may tell you that you have a virus, or “junk files,” in order to try to scare you into installing whatever they’re pushing.
In any case, if some web page appears with promises or scary threats to entice you into installing something, close it immediately. If anything is downloaded automatically, don’t install it; throw it in the trash instead.
This has been reported to Apple, along with samples of the installer and adware, and I plan to try to report the offending URL to Yahoo as well.
If you have been affected by something like this, see my Adware Removal Guide for help getting rid of it.
Saturday, May 23, 2015 @ 10:00 am EST: As I’ve been continuing to analyze recent samples of this adware, I’m less convinced that this is a variant of the older Spigot adware. I’m not ruling out some kind of unknown connection between Spigot and InstallCore, but to avoid confusion, I’m now referring to these extensions by the InstallCore name being used by the rest of the security industry.