What is the "Google LLC" login item and what is it doing? It just added itself to my login items.

adrianfulop wrote:

Yeah, your sarcasm can be felt even without the <sarcasm> tag here.

Do tell me though, how can a LaunchDaemon add a NEW entry to the login list, expect for the one it was already adding?

The Login list or the background items list--they are different, though located in the same place.

Either way, the app likely updated itself as it was allowed to do by installing it with elevated privileges. That update (to the updater in this case) triggered a change in the Login Items or the Background items (possibly both). Based on this and other posts, it appears they changed their signing certificate as that is what is displayed in the Background items list (not the name of a program which seems to be confusing a lot of people).

The key point here is we have a NEW entry, which was not there before.

If it was updated, it is a NEW item. If the signing certificate changed, it is definitely a "new" item to macOS.

Nobody can answer the question of "What is a Goolag LLC Login Item?" because that name is not an item. It is the name registered with the signing certificate. To answer the related question, "What is the app associated with the Goolag LLC login item," we would have to install that software on our Macs. Or, we can suggest ways you can determine for yourself such as looking at what is in LaunchAgents and LaunchDaemons or using a tool like EtreCheck which will show you what you have installed and what app is related to it.

To the second question I refer to the answer to the first. If we don't install it, we can't tell you what it does.

The third question goes directly to your question about giving your password to Goolag. By using your admin password to elevate the privileges of the installer, you grant that app permission to do just about whatever it wants. It appears it has decided to update itself and in the process of the update, altered the signing certificate for the app which generated a "new" item.

adrianfulop wrote:

''Because at some point in the past, you gave Google full control over your computer and all of your data."

Well, I DIDN'T and I'm pretty sure many others didn't either. When asking for full disk access, I always deny it, especially to any Google software :) Automatic update checking is always OFF, so there is no reason whatsoever for that login item to be there, especially to install itself there without my specific consent.

That answer is a bit of a boilerplate that I haven't used for a long time.

In current practice, Apple has improved some of the security in operating system to prevent some of the most egregious violations in some case. But as you might notice, I used some qualifier words like "current", "some", and "egregious". That's because it's complicated. It depends on different things and has different meanings in different contexts.

You specifically mentioned "full disk access". I'm not sure what you mean by "denying" that. Apple has designed then system so that apps can't even ask for full disk access. You have to know about it and make the initiate to provide it. But the ultimate bottom line is that, if there is a login item there, you are the one who ultimately put it there, even if you don't remember it or realize it.

"How did this happen? Google asked for an administrator password and you provided it."

Correct me if I'm wrong, but when installing a software on your Mac, aren't you actually providing your administrator password to the OS, so it knows that you have administrator privileges?

Yes. You do have to trust Apple. No way around that. Apple bends over backwards to be trustworthy with your password and the rest of your personal information.

How and why would that password be passed on to Google?

Your password is never provided to Google or anyone else. If you have any Google software installed, you are the one who did that. Or maybe you let someone else use your computer, I don't know. I know Apple didn't do it.

"All this then leads us back to the question that everyone wants answered. What should you do about this file? Leave it alone, obviously. You don't have anything to hide, do you?"

Now this is THE biggest problem with modern mindset. You know what? I and many others DO have something to hide. It's called PRIVACY, and we especially like to hide it from people people/software who try to invade it!

Sorry, but I'm that guy who always neglects to include the <sarcasm> tag. 😄 This is the internet, where reason and logic go to die. A typical exchange is someone fighting mad over some perceived security failure by Apple, obsessively concerned about their privacy and security, focusing 100% on Apple, while also running every hack, pirate app, and personal information harvesting app known to man.

Oh... and my answer to "what should you do with this file" is DELETE IT, as well as every single piece of privacy invader crap Google software you find on your machine.

There is no "Google LLC" file! You'll never find it, so don't bother looking. Showing you that "Google LLC" string is just a really bad idea on Apple's part. If you go scrounge around in /Applications, /Library/LaunchDaemons, /Library/LaunchAgents, and <your home directory>/Library/LaunchAgents you can find and delete every "google" file you find. That is sufficient to stop Google from running.

Please don't look anywhere else. Those 3 locations are all you need. Scrounging around in other places is only going to cause problems. Yes. There will be lots of Google apps and files left on your computer. But they won't be running and they won't hurt anything. Leave well enough alone.

Note that any "Library" folder is hidden and won't show up in a search. You have to do this manually.

Please never, ever use any "app zapper" or "clean up" app. Google is actually one of the better apps here. It doesn't include any nasty low-level system modifications. You can just delete those files and Google won't be running any more. Easy, peasy. But if you try this with other apps, you can wreck your system really good.

harenet wrote:

I have Chrome installed but barely use it for privacy reasons, however I do want keep it on the machine

Yes that is relevant. If you have Chrome installed, that means you installed Google on your Mac. It is not possible to use one without the other. Whether you actively use their Chrome product or not is irrelevant. Google will remain installed and will remain active until you uninstall it. It also updates itself in the background regularly, which makes it difficult to correlate the onset of poor performance to an overt action a user may have taken. A Mac that is performing perfectly well one day may perform poorly the next. Or, it might just damage its file system and render the Mac unbootable.

The specific answers to your questions can only be determined by asking the developer of those products, but general answers are as follows, in no particular order.

Why is it able to install itself in my log in items without any authentication or opt-in action on my part?

That is not correct. Although you may have done so years ago, you authorized Google to implement those system modifications by installing Google on your Mac. That consent gives it essentially unfettered ability to load, modify, update, and otherwise control how those system modifications operate and what they do. There is nothing new about that.

What is new — and what seems to be confounding unsuspecting users who did not perform their due diligence when installing those products — is macOS is now informing (or reminding) its users of that fact.

Nothing gets installed on a Mac without your consent. Nothing — although nefarious product developers successfully deceive people into doing that with disturbing regularity. Want something "free"? Click here! People do that all the time. Then they come here for help when they realize what they did was a terrible mistake. That's ok, it's what we're here for.

What is Google LLC login item?

Google apps such as Chrome are considered a "modern login item" as opposed to the traditional Login Items that preceded macOS 13. An introduction describing how developers such as Google can implement them is here: Manage login items and background tasks on Mac - Apple Developer.

It's also one reason I do not permit Google (or anything like it) to be installed on any of the Macs I own and / or control. It essentially relinquishes control of your Mac to Google, grants it nearly unlimited ability to harvest, upload, and subsequently sell your personal information and Internet activity — tracking your every move, every web page, every mouse click, every keystroke, building a picture of "you" and retaining it forever, thereby rendering nearly all the privacy advantages of using a Mac moot.

Those processes also burden a Mac for Google's sole benefit. Older and more resource-limited Macs are affected to a greater extent than newer, faster ones. If that means you have to buy a new Mac every few years to keep up with Google's constantly increasing demands, I suppose Apple won't mind. But Apple is sensitive to public perception (justified or not) that something may be happening with their products that may appear to be concealed.

I surmise this is the underlying motivation to provide this new notification that something was installed on that Mac that has the ability to affect its operation, or to circumvent the privacy Apple proclaims as a core aspect of their products and forms a cornerstone of their business model.

What is it doing?

"It" — meaning Google? It's making a lot of money, for Google, from selling you, as a product. Hopefully you already know that. It's common knowledge, it's been litigated, it's the world's worst kept secret, but if you want to learn more about that sorry state of affairs it's best to learn it from sources other than Google. They are very good at what they do.

So good in fact, that people argue in favor of it:

harenet wrote:

but…

* I'm not removing Chrome from my system

There you go 😄

etresoft wrote:

Alas, the Apple discussion forum rules prevent me (as the author) from giving you a direct link to my app. You can use Google to find it, or someone else can tell you, but I can't.

Fortunately the Apple forum discussion rules do not prevent me from doing that, since I have no affiliation and derive absolutely no benefit from recommending it — and I unequivocally recommend it:

https://etrecheck.com/en/index.html

... or these helpful instructions for using it, should you or anyone wish to do that:

How to use the Add Text Feature When Posting Large Amounts of Text, i.e. an Etrecheck Report - Apple Community

It will clearly identify the presence of the Google product or service, which in turn causes that Apple notification of its presence to appear, which appears to be the underlying reason for such an inexplicable degree of anger and gnashing of teeth.

adrianfulop wrote:

Well, you did write "you gave Google full access over your computer and all of your data". This implies full access to the disk :) Even if it's not full access, then at least access to the user data, which I didn't grant it (or at least I thought I didn't by unticking some boxes :) )

Sorry. That was just muscle memory. I shouldn't have written it. If you would prefer a non-human AI chatbot, I can hook you up if you want.

But it is complicated. Mac App Store apps. Other apps. Software that runs in the background. Software that runs in the background and needs your admin password to install. They are all different.

And it is complicated on a whole different level. Virtually no legitimate apps care about your personal documents. It's only malware that might look for credit card numbers or keychain passwords. The scamware just wants your contacts list to scam them. Google is on a whole different level. Google's background software is really just for software updates. Google doesn't care about the files on your computer. Google cares about your internet activity. If you have Google software running in the background, you are probably running Google apps. Therefore, you are freely giving them your internet activity. That's what they sell to advertisers. You are Google's product. That's why it's free.

But Google's default security settings are much less restrictive. It's designed to collect your data and serve you ads, so it is designed for the advertisers, not you. Those people are very keen to exploit Google bugs and scam you. So if you do choose to run Google apps, you really should allow Google to automatically keep them updated.

Also, I really want to understand what you mean by "I gave my administrator password to Google by installing their software". Are you implying that when you install an app on macOS and the system asks for your administrator password, that password is actually being given to the software developer?

I don't know how many times I can say it, but it's complicated. When you provide your password to Apple software to install something, Apple doesn't give anyone your password. But apps (well, most apps) are free to ask for your password if they want. People regularly hand them over. People regularly provide any access that is requested. That's how scams work. If it doesn't work for you, that's great. Keep up the good work. You're in the 1%.

As for deleting the file, of course I meant deleting the plist files which add the Google LLC entry to your login items.

Yes. That is all that is really necessary. That will prevent the apps from launching automatically. Attempting to erase all traces of a particular 3rd party app can range from waste of time to catastrophic.

As for "clean up" apps, I actually use App Cleaner and I'm very happy with it. I can delete (almost) all associated files in one click (which the uninstaller usually doesn't), instead of manually finding and deleting them. (I also use your app actually, which I find useful for finding out problems on my MBP.)

If you use that on the wrong app, it will Mess. You. Up.

As for Google being one of the better apps, let me just tell you this story... this morning I noticed my Android TV, which was on standby, which is not connected to the internet, which has all useless apps removed, all useless settings turned off and which I only ever use to watch content from the box connected through HDMI , was being discovered by my MBP's Bluetooth :) As soon as I turned the TV on, the entry miraculously disappeared :)

Thanks for making my point for me. People complain that Apple doesn't let them delete Apple's built-in apps. They complain that Apple doesn't give them the control they want. So they buy Android. Well, there you go.

harenet wrote:

the first 3 questions remain unanswered.

And until something changes, they are going to stay that way.

What is Google LLC login item?

We don't know. You are asking this question in probably the one forum in the world where people are least likely to use Google software.

Furthermore, you are asking based off what tiny scraps of information Apple has given you in System Preferences. That interface is total, unmitigated junk. It is completely insufficient for anyone to tell you anything about "Google LLC" other than, at one point, maybe in the past, maybe right now, someone with legal authority at "Google LLC" opened an Apple Developer account in that name and signed an app with it. That's it. That is absolutely all of the information that anyone can ever tell you about "Google LLC".

If you want to know more, you are the one that will need to find the information on your computer. None of us have your computer. Therefore, none of us can make any statements about what software you might have installed.

What is it doing?

Again, we have absolutely no clue. All we have is "Google LLC". That says nothing about what the software does.

Furthermore, even if we did know the exact name of the app and where it is installed, we would still know absolutely nothing about what the software is doing. You would have to ask Google about that and hope they tell you. (Hint: they won't).

How is it functionally different form Google Updater?

Broken record time. Why do you expect any of us to know what some unnamed, unknown, mystery Google app is doing on your computer?

Furthermore, even if we did know that that app is, how would we know whether or not it is functionally different from Google Updater? How do we know what Google Updater actually does? Do we assume from the name that it is simply a software updater. Do we really trust "Google LLC" that much? Maybe it has some additional functionality, like, say, collection personal information?

harenet wrote:

To clarify, I was responding to John Galt, not to your response, so apologies if there was a misunderstanding there.

Yes. I saw that. But that doesn't matter to most people. They usually just randomly click a "Reply" button. Most often, they reply to themselves.

That said, I don't expect anyone to know these answers. I'm just hoping someone with more skill or knowledge than I have will be able to help me and others with the same questions find the answers.

But it's actually quite a difficult question. The basic, most fundamental, answer is that you are simply supposed to trust Google. Apple's signature-based notification system only provides the legal name of the entity that signed the software.

Sometimes people think that Apple has this massive security team that is doing in-depth security checks on all the apps in the world. There is no such team. There is a team that checks the paperwork to ensure that "Google LLC" actually exists in some jurisdiction and isn't a known malware author. That's it. You are expected to do your own research if you have further questions.

If you are downloading apps from the Mac App Store, then there is another level of automated checks to ensure very basic compliance with Apple App Review guidelines. There is also a very basic human runtime check to ensure apps actually work, aren't fake apps for the illegal drug, gambling, prostitution, etc. industries. But when I say "basic check", remember that it's really, really basic. Large companies like Google are typically exempt for all practical purposes anyway.

Funny enough, the inverse isn't true. Google actually does have a large security team doing in-depth security checks on Apple apps. Their job is to hack Apple devices and software and publish the results - all in the name of improved security, of course. Make of that what you will.

In addition to the LLC file, it also created three .plist files for me today in ~/Library/LaunchAgents/, two of which are zero bytes long. One is clearly associated with running the Chrome updater. The other two that are empty (keystone) appear to be connected to a component of Chrome called Keystone, but I can't tell if these are unintended. Either Google or Apple should explain what the Google LLC background app does as despite appearing to be from Google, we have no way of determining if it will cause any issues.

adrianfulop wrote:

Well, you did write "you gave Google full access over your computer and all of your data". This implies full access to the disk :) Even if it's not full access, then at least access to the user data, which I didn't grant it (or at least I thought I didn't by unticking some boxes :) )

Also, I really want to understand what you mean by "I gave my administrator password to Google by installing their software". Are you implying that when you install an app on macOS and the system asks for your administrator password, that password is actually being given to the software developer?

It means you allowed the installer to do whatever it wanted with elevated privileges. It had free rein to install anything just about anywhere.

adrianfulop wrote:

Do tell me though, how can a LaunchDaemon add a NEW entry to the login list, expect for the one it was already adding?

The key point here is we have a NEW entry, which was not there before.

A LaunchDaemon runs with root privileges, unlike a LaunchAgent that runs as the user. As root, it can do virtually anything it wants, including installing additional software. That's one of the reasons why you should be cautious about giving out your admin password to install software like LaunchDaemons.

One of the changes in recent versions of macOS is that Apple has made the end user even more powerful that root in some situations. Those LaunchDaemons do not have access to certain restricted folders, such as your Documents folder. They also don't have any ability to change Apple software or Apple files. But the rest of your computer is their playground to do as they wish.

As I said above, this really isn't a big problem. If apps want access to people's personal data and have malicious plans for that data, all they have to is ask. Most people will hand over their data. When someone is running those multi-million dollar scams, it isn't worth the effort the effort to hack the few people who refuse. Just get the next sucker in the queue. That queue never runs dry.

I have never followed a thread with so much misdirection. A response such as "You agreed to the terms when you installed xyz," and "Just remove Google" is flippant. First, because it misses the point; it doesn't answer harenet's question. Second, because there is no such application as "Google" to be removed.

What prompted the question in this forum (and across the web this month) was the sudden appearance of the "Google LLC" alert. Sudden appearance, as in "new behavior". New behaviors like this tend to get our attention.

"Google LLC" appears in

System Settings… > General > Login Items > Allow in the Background

However, in the same list, dozens of other background items by other publishers trigger no such alert. Only Google throws, "Software from Google LLC added items that can run in the background".

Why does Google Drive do this whereas Dropbox and Microsoft OneDrive do not?

Why did it start appearing only in recent weeks?

What has changed?

You do not install "Google" on your Mac. At best, you install software from Google, which is a subsidiary of Alphabet. Google LLC is a login item that is confusingly named, which is why people are here.

Specifically, on my system, there are two Login items: "Google Updater" and "Google LLC". It's unclear why there would be two login items that do the same thing. Furthermore, it's not unusual for spyware to make this kind of category error, trying to make it look like something from a well known company, without saying exactly what it's doing. (Although, I wouldn't put this kind of user unfriendly naming scheme past Google.) So, it's a kind of red flag.

IOW, what most people are looking for here is, whether this is a legit login item from Google, why it showed up now, if it can be removed, etc.

Sure, at some point, we gave permission to install it. But it could be due to some kind of social engineering exploit, some kind of exploit, etc. resulting in this login item. Again, "uninstall Google" isn't exactly helpful.

Trying once again to put this thread to rest.

I will assume the mysterious Google files being referenced are the same as the Google files referenced in this three threads I posted above. If this assumption is true, and it probably is, I can provide some better answers.

harenet wrote:

What is Google LLC login item?

There is no Google LLC login item. This is a side effect of Apple's awful new System Settings user interface. If these items aren't constructed "just so", then Apple will just dump the name listed in the software's digital signature, instead of the name of the app and a pretty icon. In the example above, Apple was happy with "Google Updater" for some reason. But it was not as happy with "mystery item".

But it looks like "Google LLC" is actually:

[Loaded] com.google.keystone.daemon.plist (Google LLC - installed 2022-10-27)

Executable: /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateDaemon

whereas "Google Updater" is:

[Loaded] com.google.keystone.agent.plist (Google LLC - installed 2022-10-27)

Command: /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent -runMode ifneeded

[Loaded] com.google.keystone.xpcservice.plist (Google LLC - installed 2022-10-27)

Command: /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent -runMode xpchost

Those with a keen eye might notice that these are actually the same file. Really sharp-eyed people might notice that I've only listed 3 files whereas the OP's screenshot seems to indicate 4 files. There's a good explanation for that. I'm just randomly pulling data from someone else's question. People are demanding answers! And the fact that it is physically impossible for us to provide accurate answers isn't good enough. Therefore, here are some wrong answers. Happy?

What is it doing?

Not a clue in the world. Probably something related to Google software update. If not that, then something else.

How is it functionally different form Google Updater?

Apparently, it's the same freaking file. Is that functionally different?

Why is it able to install itself in my log in items without any authentication or opt-in action on my part?

Because at some point in the past, you gave Google full control over your computer and all of your data. Depending on how your computer and the rest of your devices and services are configured, Google could have effective control over all of your devices and all of your data on any cloud service in any cloud service.

How did this happen? Google asked for an administrator password and you provided it. Did you know that this is true of any software developer when you provide your administrator password? Is that scary? It should be.

Can you trust Google with all of that power and that data? It depends. Obviously you do, so that's a moot point. But in truth, Google really doesn't care about your data. They are happy to sell your personal information regardless of what is in it. The details don't matter. What matters is control over and ownership of the data. It all belongs to Google now. All of the labour you've provided to collect this information about yourself is now being sold by Google to anyone who wants it. Is your data safe? Safe from what? Google's not going to post your information on the internet. The people they sell it too probably aren't going to do that either. Hopefully your data doesn't document any activity that was, is, or will be illegal one day, because Google give all of it to the government without fee. At this point in end-stage capitalism, you should consider Google to be just another branch of the US government surveillance apparatus. Technically it's illegal for the US government to spy on its own citizens, so they contract that collection out to Google instead. You freely give all of your information to Google, so it's all good.

All this then leads us back to the question that everyone wants answered. What should you do about this file? Leave it alone, obviously. You don't have anything to hide, do you?