PUP Friday: MacKeeper | Malwarebytes Labs

MacKeeper first crossed my path more than five years ago. At that time, I was very active on Apple’s forums, and saw many things on the “front lines.” Over the years, I collected a lot of information about MacKeeper, and wrote an article in 2014 about some fraudulent behaviors involving MacKeeper.

According to the MacKeeper folks (first ZeoBIT, now Kromtech), this is behavior that was caused by affiliates. Mike Clark, of ZeoBIT, told me back in 2011 that, “We pay a 50 percent affiliate commission and sometimes our affiliates go wild and have a lapse in judgement with the way Mackeeper is promoted.” At the time, Mr. Clark told me they were cracking down on their affiliates.

Fast forward to 2016, and unfortunately, the story is much the same. Last month, we spotted a particularly egregious fake virus scam that attempted to scare the user into downloading MacKeeper:

If you don’t want to watch the entire video, skip forward to 0:54, where you’ll see that the site claims that “Tapsnake” has been detected, and then proceeds to push MacKeeper as a “required” download to remove Tapsnake.

Here’s the thing, though… there is no such thing as Tapsnake on the Mac. It was Android malware that was seen back in 2010, which no longer exists and which was never seen on the Mac.

The fact that MacKeeper was being pushed by a fake virus scam is bad, but according to Kromtech, this isn’t their doing. They blame a rogue affiliate, who is aggressively and inappropriately marketing MacKeeper without their permission.

That’s a good story. However, there’s a bit of a problem with that. The MacKeeper app uses a “chat” with a “MacKeeper tech” during the scan process to sell the product’s usefulness, and here’s a screenshot of a portion of that chat:

(I use the “quotes” above because I believe that this is actually an automated system in MacKeeper, and not actually a chat. I’ve run through this test numerous times, on different days, and gotten the same canned responses… and always from “Andrew.”)

Note that the “tech” tells me that there’s “a new virus called Tapsnake that has infected many Macs worldwide.” I’ve had MacKeeper tell me this three times, on three different days and in three different installations of the software. Funny, you’d think we would have heard something about such a large-scale Tapsnake infection, but no… that didn’t happen.

However, it is interesting that MacKeeper itself is telling me that I need to worry about Tapsnake, to scare me into paying for its anti-virus features. Especially given the previously-documented association with these fake Tapsnake virus scams, which were blamed on “affiliates.”

Unfortunately, it’s not very difficult these days to find scam sites claiming that “Your Mac Might Be Infected!” and offering MacKeeper as the solution. Case in point, see the following page, which I saw numerous times in the last few days while crawling around in some of the back alleys of the web:

A similar scam that often tricks users is the fake Adobe Flash Player update scam. A website tells the user that their Flash Player is outdated, and offers a download to update it. There are many such scams out there that involve MacKeeper, such as this one:

Clicking the Download Flash button resulted in the download of an installer that claimed to be an Adobe Flash Player installer:

Of course, this installer actually included MacKeeper, as well as some other adware and PUPs:

Interestingly, the one thing that the user would have intended to get from this installer – Adobe Flash Player – was somehow not installed. Curious…

(It’s also interesting to note that, if you look at the clock in the menubar in all the screenshots above, you’ll see that they were all collected in less than an hour’s time. That’s all it took to find these examples – and more – of scams involving MacKeeper.)

You can see a video from last week that shows scams like these in action – both a virus scare tactic and a fake Flash Player scam – coming from a site offering a free “Malwarebytes Lifetime Key.”

This is not the first time MacKeeper scams have made use of the Malwarebytes name. Back in 2014, there was a site using the Malwarebytes name and logo to promote MacKeeper.

These are some of the reasons that we have decided to identify MacKeeper as a PUP, or “potentially unwanted program.” There are other reasons as well, stemming from previous abuses which can be read about in other articles, but for the purpose of this article, we felt it was important to focus entirely on what we’re seeing today.