Examining both the binary and other files in the Installer bundle revealed some heavily obfuscated code that is really quite unusual to see in anything except malware. For one thing, the bundle identifier (a reverse domain-name style string used to uniquely identify an app on macOS) was the oddly titled, and the executable binary file was named hemorrhoid. After a support call asking me whether the MacGo player itself was malicious, I decided to look into what was going on in a bit more detail.ĭownloading the Mac Media Player from the developer’s site rewarded me with a DMG file called Macgo_Mac_Media_Player.dmg, and mounting that revealed the Installer.app (pictured above).Įxamining the package contents of Installer.app had a few surprises. Last week I added MacGo’s Mac Media Player.app to DetectX’s search definitions after finding that the installer was delivering MacKeeper on unsuspecting users. ~/Library/Application Support/MacKeeper Helper ~/Library/Application Support/MacKeeper 3 Library/Security/SecurityAgentPlugins/MKAuthPlugin.bundle - warning: deleting this file could harm your Mac! Contact me for help. Library/Application Support/MacKeeper/MacKeeperTrackMyMacDaemon Library/Application Support/MacKeeper/MacKeeperATd Library/Application Support/MacKeeper/AntiVirus.app/Contents/MacOS/AntiVirus Library/Application Support/MacKeeper/AntiVirus.app If you happen to find any that are not on the list, please share in the comments! Want to remove MacKeeper? The easiest way is to use my free/shareware app DetectX Swift, but if you’re looking to do it yourself, here’s the complete list of all past and current known filepaths.īear in mind that DetectX Swift can find other MacKeeper paths that are not on the list due to its internal search heuristics however, I’ll update this list as new paths come to light.
0 Comments
Leave a Reply. |