We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Is downloading from the developer’s site safe?

Posted on June 29th, 2015 at 9:16 AM EDT

You should only download software directly from the site of the developer who created the software. This has been a bit of standard advice given by security people like myself when trying to help people understand what to download and what not to download. It’s good advice, right? Well… mostly, but not entirely, unfortunately.
Read the rest of this entry »


Genieo changing its name?

Posted on June 19th, 2015 at 9:19 AM EDT

Earlier this month, I wrote about how new variants of the Genieo adware are proliferating. Now, however, it looks like Genieo may be changing its name. A new site, for an app called InKeepr, appears to be poised to take Genieo’s place, perhaps because of all the negative name recognition now associated with the Genieo name.
Read the rest of this entry »


Genieo adware proliferating

Posted on June 7th, 2015 at 9:00 AM EDT

In recent months, several new variants of the Genieo adware have crossed my path. This adware is still pulling many of the same tricks – changing the search engine to Bing, and installing all kinds of junk that runs in the background and modifies browser behavior. However, it’s now using a variety of different names, perhaps in an attempt to make detection more difficult.
Read the rest of this entry »


Time to boycott SourceForge?

Posted on May 30th, 2015 at 9:35 AM EDT

On Wednesday, ArsTechnica reported that the Windows version of the open-source GIMP image editing app hosted on SourceForge has been “seized” by SourceForge and used for distributing adware. This is a troubling development, but not exactly surprising for those who have been following the antics of SourceForge lately. Is it time to boycott SourceForge, as is already recommended for sites like and Softonic?
Read the rest of this entry »


MPlayerX adware behaving like malware!

Posted on May 11th, 2015 at 4:38 PM EDT

MPlayerX has long been used as “bait” to convince people to run adware installers. Most of the time, MPlayerX is installed along with the adware to (somewhat) disguise the fact that anything else was installed. However, it now appears that the folks behind MPlayerX are definitely in on the scam. Worse, the installer is now displaying malware-like behavior, by trying to foil analysis!
Read the rest of this entry »


Chinese networks redirecting to

Posted on April 28th, 2015 at 1:18 PM EDT

A couple days ago, I got an e-mail message from someone who was having trouble with being redirected to frequently. We fruitlessly explored a number of possibilities, including adware, hacked sites and hacked wireless routers. As more reports have surfaced over the intervening period, though, it looks like this is a problem that only people connected to networks in China are experiencing.
Read the rest of this entry »


InstallCore adware proliferates

Posted on April 8th, 2015 at 11:42 AM EDT

InstallCore is adware that began with a couple simple browser extensions. (One of these took the same name as a Spigot extension, “Searchme”, leaving questions about whether InstallCore might be related to Spigot in some way or whether this is purely coincidence.) Recently, however, new variants of InstallCore have been appearing like poop on a lawn full of geese. And some of the strategies it’s using stink just as badly!
Read the rest of this entry »


Java now installing adware

Posted on March 4th, 2015 at 11:34 AM EST

Rich Trouton, a Mac systems administrator who runs the Der Flounder blog, discovered yesterday that a Java installer is installing adware, in the form of the Ask Toolbar. (He first wrote about it on JAMF Nation, but has published additional information in his Der Flounder post today.) Fortunately, in the course of trying to duplicate his findings, it appears that this installer is a bit finicky, and may not always install the toolbar properly.
Read the rest of this entry »


Apple cracks down on adware

Posted on February 13th, 2015 at 7:25 AM EST

Apple has used the XProtect anti-malware protection in Mac OS X to block a few pieces of adware in the past. Yesterday, they cracked down on adware again, adding a slew of new items to XProtect’s signatures, used for identifying and blocking malicious apps. Three are updated signatures, while one is for adware never before blocked by XProtect.
Read the rest of this entry »


OpinionSpy is back!

Posted on February 9th, 2015 at 8:08 PM EST

OpinionSpy first appeared in 2010, installed along with a number of screensavers made by a company named 7art, as well as a few other applications. OpinionSpy – officially called PremierOpinion by its developers – was spyware disguised as marketing software. It was described by Intego at the time, who attributed to it the ability to capture data from the infected Mac as well as from the network it connected to, as well as having backdoor functionality.
Read the rest of this entry »