If you use any form of ad blocker, or even a tracker blocker such as Better 1.0, you will undoubtedly have discovered that many commercial sites refuse all connections unless you turn your blocker off. However, I had not come across sites which behaved maliciously in response to a block, until now.
I was researching an article on some of William Merritt Chase’s paintings yesterday, and in one Google search I was offered a link which looked very promising, to the page www[dot]painting-history[dot]com/columbus[dot]htm. I have deliberately stunted this so that you cannot inadvertently click to be transported to it.
I do not use an ad blocker – I am happy to tolerate ads which will return commercial sites the money that they need – but strongly object to trackers, so have Better installed as a Safari plugin, which stops sites from tracking my behaviour.
The intended page appeared, quickly greyed over with a forged claim (complete with a stolen Apple icon) that I was running an outdated version of Adobe Flash Player, and the offer to update it for me. At the top right, I was invited to skip the advertisement, which I duly clicked on. Instead of taking me back to the page that I wanted, that action downloaded a disk image file which, when mounted, contains a single item bearing Adobe’s (forged) Flash icon, named Installer.app.
Although Installer.app appears certain to be unwanted, crapware if not actually malware, checking it with WhatsYourSign (Objective-See) shows it to be validly signed with an Apple Developer ID of Gulchera Kuntcevich. This gives it a disconcerting air of authenticity, despite its tinge of Anglo-Saxon schoolboy humour.
I have not, of course, been daft enough to run this unwanted installer, but poking around inside it, it turns out to be a Fuzeware installer app which was put together using components dated 25 August 2016 – very recent indeed. It also contains a property list which refers to a Safari extension Poptotop.safariextz, which is almost certainly crapware at best (there is an old browser plugin of the same name, to which it may be related). As far as I can make out, this installer also downloads further components from a remote site.
A search in the VirusTotal database suggests that what I received may well be a new delivery of the old favourite adware/crapware Genieo.
Visiting the original page on other occasions has reproduced this malicious behaviour, sometimes even forcing an alert offering to transport me to another site which looks even more unwanted.
I have taken the opportunity to look at the source code for this and other pages on the original website, and was interested to discover that it uses Adcash to generate its income. There were no signs of other internal or external links which might be creating these misleading popovers and alerts which supplied me with unwanted crapware.
Adcash would appear to be in the forefront of developing an advertising product, named Adcash Anti-Adblock Solution, which it claims “is able to bypass adblockers 98% of the time”.
So I am left with three possibilities:
- Adware delivered me unwanted crapware.
- Adware misread my tracker blocker, and using its Anti-Adblock Solution, deliberately delivered me unwanted crapware.
- Some other unseen mechanism delivered me unwanted crapware.
Unwanted and potentially malicious software doesn’t only come from suspicious sites: even apparently innocent sites, in their quest for cash, are now prone to it. It also looks quite possible that advertisers are responding to ad and tracker blockers by foisting unwanted and forged software on them.
Finally, just because an app is validly signed does not mean to say that it is safe to run. The best way for crapware and malware to get past Gatekeeper is to present it with a valid signature, which may also convince the unsuspecting user.
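To make that last point concrete, here is an added example (not from the original post) of the check a cautious user can run before trusting a downloaded installer: parse the output of `codesign -dv --verbose=4`, pull out the Developer ID signer and team, and flag the case where the bundle presents itself as one vendor (here "Adobe", via the forged Flash icon) while the signature belongs to someone else. The sample `codesign` output, the bundle identifier and the team ID are constructed placeholders, not values taken from the real Installer.app.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample of what `codesign -dv --verbose=4` writes to stderr on macOS.
# Identifier, team ID and timestamp are placeholders, not the real installer's values.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Volumes/Installer/Installer.app/Contents/MacOS/Installer
Identifier=com.example.installer
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=281 flags=0x0(none) hashes=3+3 location=embedded
Signature size=8939
Authority=Developer ID Application: Gulchera Kuntcevich (PLACEHOLDER1)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=25 Aug 2016 at 10:00:00
TeamIdentifier=PLACEHOLDER1
"""


@dataclass
class SignatureInfo:
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)  # leaf cert first, root last

    @property
    def signer(self) -> str:
        """Name on the leaf 'Developer ID Application' certificate, or '' if none."""
        for auth in self.authorities:
            m = re.match(r"Developer ID Application: (.+?)(?: \([A-Z0-9]+\))?$", auth)
            if m:
                return m.group(1)
        return ""


def parse_codesign(text: str) -> SignatureInfo:
    """Turn the key=value lines of codesign's verbose output into a SignatureInfo."""
    info = SignatureInfo()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            info.authorities.append(value)
    return info


def vendor_mismatch(info: SignatureInfo, claimed_vendor: str) -> bool:
    """True when the app claims a vendor whose name is absent from the signing identity."""
    return bool(info.signer) and claimed_vendor.lower() not in info.signer.lower()


def inspect_app(app_path: str) -> SignatureInfo:
    """Run codesign on a real bundle (macOS only) and parse its stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                          capture_output=True, text=True)
    return parse_codesign(proc.stderr)
```

A valid chain ending in "Apple Root CA" only tells you Gatekeeper will let the app run; the signer name is what you compare against who the installer says it comes from.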
Don’t you think that Apple should revoke Gulchera Kuntcevich’s signature in Gatekeeper?
Beware.