MacUpdate has joined the dark side, bundling adware into free downloads like Firefox. If you want to avoid this completely, stop downloading apps from MacUpdate – download directly from the official homepages of the software you want.
If that’s not realistic for some reason, here’s what to look out for.
Long seen as a safe website for Mac users to download apps not found in the Mac App Store, MacUpdate has recently joined a seemingly endless number of previously trusted sites that decided to cash in on that goodwill.
It’s particularly jarring in this case, because most Mac software doesn’t require an installer: just drag the app to the Applications folder and you’re done. That doesn’t allow for a monetization moment, however, so MacUpdate created an entirely unnecessary installer – complete with impulse-driving “Next” buttons – just to trick you into changing your default search engine and installing some browser extensions.
MacUpdate says their desktop app, which keeps your apps up-to-date, doesn’t use these bundles. And not every piece of software on the site uses the unnecessary installer – we could only find it by downloading Firefox. But in case you’re worried, here’s what the installer looks like – and how to avoid it.
After hearing about MacUpdate’s scheme from Thomas Reed of Malwarebytes, I thought I’d investigate myself. I downloaded Firefox both from the Firefox homepage and MacUpdate, and ended up with two different DMG files.
Open the official Firefox installer, titled “Firefox 42.0” in the screenshot above, and you’ll see this:
Installing is simple: just drag the Firefox icon to the Applications folder and you’re done. So what’s the MacUpdate installer look like? Here’s what you see when you open their “Firefox Installer.dmg”:
The Firefox branding is gone, and there’s no icon to change: just an application to launch. Open it, and you’ll be asked for your root password before a Windows-style installer runs.
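The difference between the two disk images can be checked before launching anything. The sketch below is an added example, not code from this article or from MacUpdate: it looks at the top level of a mounted image for the /Applications shortcut and reads each app's bundle identifier. `org.mozilla.firefox` is Firefox's identifier; the wrapper's app name and `com.example.installer` are constructed sample values, and the function names are hypothetical.

```python
import os
import plistlib
import tempfile

def inspect_volume(volume_dir, expected_bundle_id):
    """Return findings for a mounted disk image; an empty list means drag-to-install."""
    entries = [e for e in os.listdir(volume_dir) if not e.startswith(".")]
    # A drag-to-install image ships a symlink that points at /Applications.
    has_apps_link = any(
        os.path.islink(os.path.join(volume_dir, e))
        and os.readlink(os.path.join(volume_dir, e)) == "/Applications"
        for e in entries
    )
    bundle_ids = {}
    for e in entries:
        plist = os.path.join(volume_dir, e, "Contents", "Info.plist")
        if e.endswith(".app") and os.path.isfile(plist):
            with open(plist, "rb") as fh:
                bundle_ids[e] = plistlib.load(fh).get("CFBundleIdentifier")
    findings = []
    if not has_apps_link:
        findings.append("no /Applications shortcut: not a drag-to-install image")
    if expected_bundle_id not in bundle_ids.values():
        findings.append("the expected app bundle is not on the image")
    for name, bundle_id in bundle_ids.items():
        if bundle_id != expected_bundle_id:
            findings.append(f"unexpected bundle {name} ({bundle_id})")
    return findings

def _make_volume(root, app_name, bundle_id, with_link):
    """Build a constructed stand-in for a mounted image (sample data only)."""
    contents = os.path.join(root, app_name, "Contents")
    os.makedirs(contents)
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": bundle_id}, fh)
    if with_link:
        os.symlink("/Applications", os.path.join(root, "Applications"))
    return root

def demo():
    # Constructed layouts: the vendor-style image and an installer wrapper.
    official = _make_volume(tempfile.mkdtemp(), "Firefox.app",
                            "org.mozilla.firefox", True)
    wrapped = _make_volume(tempfile.mkdtemp(), "Firefox Installer.app",
                           "com.example.installer", False)
    return (inspect_volume(official, "org.mozilla.firefox"),
            inspect_volume(wrapped, "org.mozilla.firefox"))

if __name__ == "__main__":
    for result in demo():
        print(result or "looks like a plain drag-to-install image")
```

On a real Mac, pass the mount point under /Volumes as `volume_dir`; any finding is a reason to discard the image and download from the vendor instead.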
As far as I can tell, there is no reason for this installer other than getting you to click “Next” without reading so you can end up with unwanted changes to your system. MacUpdate says the installer makes things “easier”, while also allowing them to “offer another app offer that users may be interested in”.
Tell me: does this look like they’re “offering another app” to you?
The onus is on the user to work out how not to end up with the “app” that’s being “offered” – in this case switching my default search engine to Yahoo.
If you click “Next” without reading this text or clicking “Advanced” – something MacUpdate knows users will do without meaning to – you’ll find that every browser installed on your computer (Chrome, Firefox and Safari) not only defaults to Yahoo Search, but also uses Yahoo as the homepage and new tab page.
To repeat: this was true not only for the Firefox instance I installed using MacUpdate, but for every browser installed on my computer. Google’s Chrome was set to use Yahoo for search, and my new tab page was replaced. The same was true for Safari.
I didn’t even know it was possible to change the new tab page in Safari, so I guess at least I learned something.
I also ended up with a Safari extension called “SearchTrust”, and I’ve no idea what it does. Revert my search settings if I try to change them, maybe? I uninstalled it rather than find out.
Tell me: do you think this is something MacUpdate users want? Do you think MacUpdate did an intensive study of their userbase, and discovered they’re all unhappy with their default search engine? That they would be better off with Yahoo? Do you think users want every browser on their system messed with?
Curious if Apple will revoke MacUpdate's Developer ID over the malware they distribute with it. If not, the whole system makes no sense.
— Peter Steinberger (@steipete) November 8, 2015
Does that seem likely to you? Or do you think MacUpdate knows enough users will click “Next” without noticing, and end up using a search engine they get kickbacks from?
It Happened Before, It Will Happen Again

PC users know all about this sort of bundled crapware. From OpenCandy’s unwanted bundles to the crap bundled by the likes of Download.com, they’ve basically come to expect these tactics.

For as long as there has been free software on the Internet, there have been sites that offer one-stop shops for downloading it. Some of these can be trusted to offer the downloads without any nonsense, a tendency that helps them build a reputation and a userbase.

It’s disturbingly common for such sites to eventually see the trust and userbase they’ve built up as a commodity, something that can be exploited for revenue. It usually starts small: maybe letting some ads that look like download buttons slip in, just to help pay for bandwidth. It’s frustrating for confused users, sure, but most adjust and it’s hard to argue with the money.

But many such sites find that this isn’t enough either, so they start bundling crapware with free downloads. That’s what SourceForge started doing earlier this year, and the pushback for them has been brutal.

This can pay off massively, of course: Divx famously made $15.7 million in nine months by bundling the Yahoo Toolbar. You can argue that this isn’t hurting anyone, and provides the sites a way to make a little bit of extra money; but the entire scheme is built on exploiting the users who don’t know better. This makes their computing experience just a little bit harder, and a little less effective – all in the name of adding another revenue stream.

By the way @macupdate, your trash "installer" registered as malware with Avast. Says it's "MacOS:Macinst-D [Adw]". Great job.
— Ryan McKern (@the_mckern) November 10, 2015

I’m not sure how such sites should monetize themselves – it’s a big problem. But this sort of scheme usually proves to be self destructive. In this case, longtime MacUpdate users – some of whom were paying for the service previously – aren’t happy.

Response from @MacUpdate about injecting malware into downloads. They lost me over this. It’s unethical. pic.twitter.com/6sxDYsxV4B
— Hal Gumbert (@HalGumbert) November 5, 2015

MacUpdate: It’s Not Too Late

I’d hate for MacUpdate, a site I find useful quite frequently, to go further down this path. Trust is impossible to get back once you’ve lost it, and it’s possible that trust is already damaged beyond repair in this case. But that doesn’t mean MacUpdate should just go all-in: they should notice the pushback, admit that they’re wrong unambiguously, and step back from the brink.

Till then you should probably get all your free downloads from their official sources (or the Mac App Store) — which may take a little longer, and require some more searching, but is much less likely to result in adware infecting your system.

Now we want to know what you think. Will you be using MacUpdate in the future?