We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Serious MacKeeper vulnerability found

Published May 9th, 2015 at 7:21 AM EDT , modified May 9th, 2015 at 7:21 AM EDT

I have long advised against using MacKeeper for a variety of reasons (some of which can be found in Ongoing MacKeeper fraud). However, now there’s a new reason to avoid MacKeeper: it has been found to contain a serious vulnerability that can lead to remote code execution through the use of a malicious URL. In non-tech-speak, a hacker can create a link that will, if clicked, result in MacKeeper executing code embedded within the link! Such code could do things like wiping your hard drive clean, uploading data to a remote server, or downloading and installing malware.

This is a very serious issue, and now that a proof-of-concept has been published, users of MacKeeper are at high risk of attack. No malicious MacKeeper URLs have yet been spotted in the wild, but hackers have the blueprints now, so it’s undoubtedly just a matter of time.

The attack is quite simple, unfortunately. Take a look at the proof-of-concept (PoC) URL released by Braden Thomas:


This PoC will execute the following command:

rm -rf /Applications/;pkill -9 -a MacKeeper

One may wonder who in their right minds would click on a link looking like that. However, in Mr. Thomas’ tweet containing the PoC, this URL was hidden behind a shortened URL. Such link shortening can easily be used to disguise a maliciously-crafted link, and has proven to be an effective method for tricking people into clicking on links that they otherwise would not.

Those who have MacKeeper installed have a new, and very serious, reason to remove the software as soon as possible! To do so, follow the instructions on Phil Stokes’ page on removing MacKeeper, or use his DetectX app to find and remove all components of MacKeeper automatically.

Tags: ,


  • Nicholas Ptacek says:

    For more technical details, see our original advisory, published on May 7th: One thing to note is that a new version of MacKeeper has been released to address the vulnerability, but users are obviously at risk until they update.

    Nicholas Ptacek

  • James says:

    Very very sneaky! I already tell everyone to get rid of it because its garbage, but now there’s an even bigger reason.

  • Sacha says:

    This application is certainly weird! Maybe they are working with other malware companies?

  • Phil Stokes says:

    It’s worth emphasizing that the proof-of-concept that Braden Thomas posted doesn’t actually uninstall MacKeeper, as is being claimed on some other sites running this story (eg MacNN).

    The rm -rf terminal command only deletes the App bundle from the /Applications folder, and does not remove other active processes belonging to MacKeeper.

  • Shanti says:

    I think MacKeeper had been the culprit of my Mac’s performance. Thanks to this article, I’ve just got rid of it. Though Phil probably won’t approve of my method (I used Clean My Mac). Their uninstaller feature seems to do the job, just not let it loose on cleaning the wider scope. Else, App cleaner might be an option to help get rid of it?

    • Thomas says:

      No kind of general-purpose uninstaller should be used for uninstalling anything. They generally don’t do a very good job with anything that actually requires an uninstaller, and can sometimes remove things they shouldn’t. See:

      How to uninstall software

    • Phil Stokes says:

      You’re right, Shanti. I don’t approve. :p

      These apps tend to use the targeted app’s bundle identifier to base their searches on. I’m sure Thomas has gone into details somewhere as to why that’s not such a great idea.

      In MacKeeper’s case, there’s at least one file I know of that does not use any identifying terms from the bundle identifier and which will almost certainly still be on your system. See my web page for details, or use the updated versions of either DetectX (1.1) or FastTasks 2 (v1.65) to check.

  • Ofelia says:

    Wow! Has this post really been up for five days without words from a ZeoSh*t rep? Or am I missing something?

  • XTC says:

    MacKeeper is, and shall ever remain, nuke-on-sight in my Casper system. Right alongside CleanMyMac, TuneupMyMac, CleanMyDrive, K9-MacOptimizer and a bunch of others.
    You install it, I delete it. You try to run it, I kill it before it even opens.
    To my users who find this frustrating, annoying and disappointing: you’re welcome.

  • Justinm says:

    Hey Thomas, Now Mackeeper should officially be added as a removal option in adware medic! 🙂

  • Rebecca says:

    Thank you so much for this information! We inadvertently installed some things and have been trying to get rid of them. Thanks to the adwaremedic and detectX we are getting rid of the other files. There is one file that DetectX keeps finding, but I can’t locate it, even when I click the show button. It brings up the folder, but the file is not there. The file is .3FAD0F65-FC6E-4889-B975-B96CBF807B78. Has anyone else run across this? If so, how do I get rid of this file it keeps finding or is it something I shouldn’t worry about?

    • Richard says:

      It’s a hidden file Rebecca. Enable “show all files” and search for it, then delete it.

      • Rebecca says:

        Richard, sorry to seem like an idiot here, but it doesn’t seem to be an option. Finder opens and under the menu word Finder there are words “show all”, buy they are greyed out and not an option to choose. I looked under preferences and didn’t see anything there either. I looked under each menu item and didn’t find it. Where else do I look?

  • Dave says:

    On your Adwaremedic Related junk apps you say that MacKeeper is a scam app, made by an unethical developer, that should never be used. Do you have any real proof that MacKeeper is actually scamming people other than links to your own articles? Just asking?

    • Thomas says:

      See Ongoing MacKeeper fraud for full details on what I’ve observed with regard to MacKeeper over the years. The majority of it is independently verifiable.

      If you don’t want to see links to my own pages, how about a link to a story about the recently-settled class-action lawsuit against the makers of MacKeeper?

      • Dave says:

        I am just being the devil’s advocate and could care less either way. I read your Ongoing MacKeeper fraud article and personally feel like it has no real substance or facts. Some guy saw some suspicious reviews, and someone registered a website with sketchy details, you decide what is ethical and write an article? There was never any proof that ZeoBIT was connected to anything other than ads that make everyone angry.

        I am not defending MacKeeper, if you say they are a scam than that is your business, but it does make me laugh that you fail to connect the dots in any logical way. Why are they scammers? I hate their ads and would not use the software, buy why are they scammers? Even the PCWorld reference you posted says “will put $2 million into a fund to reimburse customers but admit no fault”. Where is the scam?

        • Thomas says:

          You don’t find issue with the fact that it will find thousands of files in need of removal, and categorize the system’s state as “serious,” on a fresh, clean Mac OS X installation only minutes old? That alone makes it a scam, even if you don’t want to listen to the rest of the points I bring up.

        • Al Varnell says:

          I don’t think you will ever find a company admitting fault in any class action suit. It’s a way of reaching a compromise agreement between the two sides.

          The basis of the suit is described as:
          “According to the complaint filed in US District court, “Once installed, MacKeeper prompts the user to conduct a diagnostic scan,” the MacKeeper class action lawsuit says. “This scan purportedly detects errors that lead to the problems identified in ZeoBIT’s marketing materials (i.e., performance issues, security and privacy threats)—problems that MacKeeper is supposedly designed to fix.” However, the ZeoBIT class action lawsuit alleges that after the diagnostic scan is completed, MacKeeper reports that it identified thousands of issues that cause the computer to be in “critical” condition. While the trial version of MacKeeper purports to “fix” a limited number of the issues, customers are encouraged to purchase a full, registered version of the security software to fully repair the computer. Yencha alleges that neither the free trial nor the full versions of MacKeeper perform reliable diagnostic testing of the computer. “Instead, ZeoBIT intentionally designed MacKeeper to invariably and ominously report that a user’s Mac needs repair and is at-risk due to harmful (but fabricated) errors, privacy threats, and other computer problems, regardless of the computer’s actual condition,” the class action lawsuit alleges.”

          Does that not meet your definition of a scam?

          And their advertising that alleges they have scanned your computer and found critical issues that must be fixed immediately? Such things are complete fabrications as that cannot be done from the Internet.

          Better Business Bureau give ZeoBIT an “F” rating.

  • Tatiana says:

    A few years ago I installed the Mc Keeper software I saw that it actually slowed my computer down so I uninstalled it which by the way was very difficult to do and I’m not quite sure I did it right. Now a couple of days ago when I opened a new browser window I got a message saying that the last site I had visited had injected a critical virus in my system and that I could delete such danger by using mc Keeper so I demised it as advertising, a couple of days later, same thing. Now my drive genius software is telling me my hard drive appears to be in critical condition. I’m clueless at to what to do next, please advice. I’m graphic designer and need computer to work.

    • Thomas says:

      The pop-ups saying your Mac has been infected are scams. Your Mac isn’t really infected. See:

      Tech support scam pop-ups

      As for the issue with Drive Genius, that’s an unrelated issue. I don’t use Drive Genius, so I’m not sure what it might be alerting you to, but you will need to back up all your data immediately. One possibility is that your hard drive could be failing.

This post is more than 90 days old and has been locked. No further comments are allowed.