
How to install adware

Last modified: Oct 9, 2017 9:01 AM

Preface


The purpose of this User Tip is not to serve as instructions for installing malware. Clearly no one wants to do that, but intrusive and annoying adware has emerged as an increasing threat to one's Internet activity.


While most websites contain advertisements resulting in some income for the site owners hosting them, "adware" has become accepted to mean automatically generated advertisements specifically intended to generate revenue for their authors. That doesn't sound so bad, but particularly loathsome adware creators use deception to accomplish that goal, resulting in users being gulled into installing modifications that alter their desired Internet browser configuration. No reasonable computer user would intentionally install those modifications, because they can cause one's routine activity and site navigation to become nearly impossible.


Recognizing and avoiding adware is simple, but there are plenty of people new to the Mac whose prior experience with Windows PCs may have inured them to taking thoughtless actions that aren't prudent on any computing platform.


This User Tip is intended to educate anyone unfamiliar with "adware" and its effects.


It describes the following:


  • how this user managed to intentionally install certain popular adware,
  • the many "red flags" that should serve to prevent inadvertent installation of adware - if only a user would pay attention to them,
  • the implications of agreeing to onerous and incomprehensible "terms and conditions" that precede and accompany adware,
  • how OS X attempts to protect the user from performing actions that are not prudent,
  • methods to eradicate adware, should a user find it to have been installed.


It has the following significant limitation:


Adware is a constantly evolving threat. Its appearance, the means by which it is distributed and installed, the resulting effects on a Mac, and methods for its prevention and eradication are always changing. Therefore, this User Tip will be outdated the moment it appears.


Despite this limitation I hope this document serves as a general resource to educate Mac users regarding adware, which is a persistent annoyance likely to remain with us for some time, unless Apple decides to completely prevent system modifications as they do with iOS devices. iOS is the future of mobile computing, and OS X is sure to follow. Until then, the only defense against the threat of adware is its recognition and avoidance.



Does this look familiar?


User uploaded file

1. Typical Genieo popup


What about this?

User uploaded file

2. Typical VSearch popup


Did you request a video player? No, the page spontaneously appeared. Red flag!


The dialog bearing a familiar icon attempts to convince the user through a simple browser detection query that it's legitimate, but the above is a warning that you really ought to determine just what it is you are accepting and installing before clicking the "Accept and Install" button. Spontaneously appearing popups like this should be expected when visiting lowbrow websites, but even allegedly respectable ones are not immune. You didn't ask for the popup to appear, and that alone should prompt you to simply close the window and move on.


Suppose however you aren't sophisticated enough to recognize that, nor are you motivated to read pages of onerous terms and conditions, and simply click the "install" button. What happens next?


In case you weren't observant enough to notice the above obnoxious popups, an even more intrusive "Recommended" dialog with an OK button wistfully floats down from the top of your screen, obscuring the text behind it. Something should tell you that it's being a bit too aggressive, but let's say you click OK anyway. What could possibly happen?


An installation file downloads to your Mac, that's what:


User uploaded file

3. "EXE" file instructions



An "EXE" file, ok. Red flag #2: .exe files don't run on Macs.


The downloaded MPlayerX.dmg was located after a brief search. Why is the window titled "InstallOptimizer" though? According to the initial web page, it was supposed to be a "Video Player". Red flag #3.


User uploaded file

4. Bogus "MPlayerX" installer



This is where your Mac's built-in protections step in to warn you of the possibility of doing something potentially harmful.


OS X's Gatekeeper presents the following dialog:


User uploaded file

5. Gatekeeper dialog



Red flag #4: If you ever see the above dialog box, it should be taken seriously and not indiscriminately dismissed. Read the information it contains - it is designed to help you determine if the application is legitimate, or not. Certain adware even includes explicit instructions for circumventing this basic Mac security feature!


This dialog box presents a choice for you to make:


  • Clicking Cancel at this point will definitively break the chain of events leading to misery.
  • Clicking Open implies you are aware that a box containing something potentially untrustworthy is about to be opened.


So what is it going to be... red pill, or blue pill?


NB: You have not yet installed anything on your Mac that will cause any harm.


The red pill sounds a lot more interesting, right? So let's click Open, and find out just how deep this rabbit hole goes:


User uploaded file

6. InstallOptimizer / DynamicPricer Agreement



Oh good, yet more legal terms, license agreements, and privacy policies. And what is DynamicPricer? Who cares, it's free! Now give me my Video Player!


By the way, the green "checkbox" in the above is not a selection, it just looks like one. Red flags 5 & 6.


Let's take a brief time out to discuss the implications of agreeing to those terms.

  • If the hapless user had read even a few words of the LEGAL INFORMATION that preceded it, most likely he or she would have bailed out well before this point. To summarize it though, those Agreements indemnify the distributors of this particular piece of junk - who happen to be conveniently located in various countries throughout the world, none of them your own - of all conceivable responsibility whatsoever including crashes, data loss, and every possible or impossible result of using their software.
  • In other words, by agreeing to install it, you accepted the consequences, however dire, that may result. At an extreme this can include losing all the information contained on your Mac and uploading all of it to a terrorist organization or organized crime syndicate that will use it to empty your bank account and assume your identity. Next thing you know Federal law enforcement serves a no-knock warrant in your place of residence at 4 AM and drags you out in handcuffs in front of your awakened neighbors. That's an extreme, remote possibility, but it is conceivable, and it has happened. You agreed to all of it by accepting the "I agree" language, while the adware authors sleep soundly in their beds - wherever they are.

Previous adware variants were often helpfully identified by the names they used, such as Conduit, Downlite, Genieo, VSearch and many others. Their particular names really aren't important though... adware creators are constantly changing them in a desperate effort to escape their well-earned reputations. Remember this key point from the preface of this document: deception is an instrumental part of their business plan.


Interpreting adware's typically mangled attempts at legal terminology should be sufficient to scare anyone away from installing it. This is an educational exercise though, so let's continue and click Next.


Things get a bit more interesting at this point. The next window that appears is the following:


User uploaded file

7. "Conduit" Agreement



More terms, conditions, and privacy policies? I wonder where in the world their distributors might be this time? And what is "Conduit Setup"? Is that like "DynamicPricer" too? All I wanted was a video player!


In any event, you can, at this point, opt out of the annoyingly intrusive Conduit adware by de-selecting the checkbox. What you cannot do is quit the installer.


If you made it this far you could - and should - force-quit the installer if you cannot quit normally, but if you were to click the Decline button above, guess what happens? The installer proceeds anyway. Do you think that's a red flag too? I've lost count of them.


Still, OS X is protecting you, or trying, but there is only so much it will do to protect Mac users from themselves.


The next dialog box is asking for the keys to your digital kingdom - your Administrator's user name and password. It is yet another opportunity to break the chain of events leading to misery:

User uploaded file

8. OS X Authentication Dialog


Once again you have a choice:


  • You can click Cancel, after which the installer cannot proceed.
  • Clicking Install Software allows this potentially harmful system modification to take over your Mac to do whatever it pleases:


User uploaded file


9. Lightspark Player progress bar


-1591547136% and still "downloading". Red flag?


User uploaded file

10. InstallOptimizer completion dialog



The software was installed... "succesfully". Insert eye-roll smiley.


What the heck just happened?


For one, Safari just quit. No big deal, let's open it.


At first, everything seems OK. Your previously opened windows reopen and all seems well. The moment you try to perform an Internet search though, all sorts of things get messed up. Crazy windows and tabs start opening to sites you didn't ask for, seemingly taking you to every sordid corner of the Internet except where you want to go. Your Home page may have been reset. No cookies are blocked, whereas you are pretty sure you blocked them in the past. Weird extensions may have been installed, or ones you routinely use turned off. Strange popups occur when moving your cursor over green underlined text. More green "Download Now" buttons for all sorts of stuff appear all over the place (for some reason these knuckleheads seem to favor green). Many of them offer "free" Apple technical support which - surprise! - is neither free nor from Apple.


In a final insult, even more persistent offers to upgrade your video player appear. I thought that's where we started.


In short your Mac acts as though it's been possessed by evil spirits, and it's nearly impossible to use.



Suppose you did all the above and arrived at this unhappy place. What do you do now?


The good news is that eradicating adware is fairly simple, but if you run into trouble one recovery procedure guaranteed to work is to recover your entire system from a Time Machine or similar backup that preceded installing the misery-causing junk. This isn't usually necessary, but maintaining a backup is always recommended for this reason and others. With a backup, you'll be assured that you can always recover to a working system, no matter how messed up your Mac becomes.


If Time Machine or a backup is not an option for you, the remainder of this document describes the procedure I used to recover from the above specific scenario.

In case you overlooked the preface of this document, its one limitation is that adware is a constantly evolving threat, and what works today might not work tomorrow, next week, next month, or this afternoon. Newly discovered adware emerges almost daily, and proliferates like some Internet fungus preying on those unaccustomed to its distinctive odor. That's the problem with any automated means of detecting and intercepting malware of any description. In general though, you can search Apple Support Communities for recent eradication instructions, post a new question, or consult AppleCare for assistance. Just remember to contact Apple using the Contact Us link that appears on the bottom right of this page, never blindly following the results of a Google search, and never using a phone number displayed on some popup that appears. Phony "technical support" alone is one likely reason for adware's very existence. Don't compound one lapse of judgment with another.


Recovery Procedure


Installing the most recent OS X version will block most forms of adware automatically. Read and follow the instructions contained in this Apple Support document: Stop pop-up ads in Safari.


  • If Safari appears to be blocked or "frozen" and you can't control it, please read Phony "tech support" / "ransomware" popups and web pages.
    • Web pages alleging your Mac is infected with something are extremely common, and 100% fraudulent.
    • Those fraudulent web pages should be considered criminal attempts to defraud you.
    • No additional actions are justified or should be taken based on the information that appears.
  • If you can't quit Safari normally, force it to quit by reading these instructions: Force an app to close on your Mac, then launch Safari again while holding a Shift key.

    This action will prevent Safari's previously loaded web pages (including any problematic ones that may have caused the problem to begin with) from appearing upon launch.


After restarting your Mac, Safari should then be restored to normal.



Conclusion


MPlayerX is not malware. It is a legitimate program freely available from the Mac App Store. It does not modify OS X. It doesn't require a password to install. It demands no acceptance of pages upon pages of incomprehensible legalese as a condition of its use. I have no idea how it came to be associated with the specific adware discussed in this document, nor is there any reason to believe its developer has agreed to that relationship. The lesson to be learned is that any legitimate program distributed through the Internet can be effectively hijacked by nefarious individuals to be bundled with malware no reasonable person would want.


If you want something that is not available from the App Store, always obtain it from legitimate sources.

