MPlayerX began to be associated with malware about two years ago, or possibly even longer. Back in 2014, an emerging piece of adware that soon crossed the line to malicious behavior, called VSearch, was frequently associated with MPlayerX installers. At the time, many people assumed that MPlayerX was being used in the same manner that Adobe Flash Player often is – innocent software used to trick people into running a shady installer.
MPlayerX began to be so synonymous with the VSearch adware that Google searches for “MPlayerX” began to show prominently-featured hits for “MPlayerX removal.” Worse, it eventually became apparent that MPlayerX was not simply an innocent victim.
In early 2015, MPlayerX wasn’t being distributed with VSearch anymore. Unfortunately, this didn’t turn out to be good news, as it was soon discovered that the official MPlayerX installer, downloaded directly from the MPlayerX website, had started to include the IronCore adware.
The bad behavior didn’t stop there, however. The official MPlayerX installer began to attempt to defy analysis!
Malware will frequently exhibit analysis avoidance behavior. This means that if it feels that it is being analyzed by a security researcher or automated security software, it will act innocent, showing none of its malicious behaviors. Thus, if a researcher or tool is not aware that the program is malicious, it avoids sending up any red flags that would trigger a more thorough analysis.
The most common method of analysis avoidance that malware uses is to detect whether it is running within a virtual machine – in other words, a full system running entirely within a piece of software. For example, a researcher may install Mac OS X within a virtual machine run by a program like Parallels, VMWare, or VirtualBox. Using a virtual machine is a good way to keep the malware isolated from a real system, so that the infection is easier to contain.
The MPlayerX installer, it turned out, was doing exactly that. When run in a virtual machine, it installed nothing but MPlayerX. When opened on a “real” system, however, it would install the IronCore adware, as well as (at that time) the junk apps MacKeeper and ZipCloud.
Recently, we decided to re-evaluate MPlayerX for possible detection as a PUP (potentially unwanted program). Sure enough, although the installer had been updated, it still exhibited the same analysis avoidance behavior, this time installing IronCore, MacKeeper, and MegaBackup.
The following video shows the MPlayerX installer being downloaded from the official MPlayerX site and being installed twice. The first time, it is installed in a Parallels Virtual Machine running Mac OS X 10.11 (El Capitan), and it installs nothing but MPlayerX. (Or, more accurately, installs an MPlayerX installer that you still have to run to install MPlayerX…)
The second time shows the same process, in the same virtual machine – with some modifications to the virtual machine to defeat the technique MPlayerX uses to detect it. Thus, MPlayerX can’t detect that it’s running in a virtual machine, and thinks it’s on a real system, in the second case, at which time it dumps its nasty payload of crap.
The bundling of MPlayerX into an adware installer, alongside adware and other PUPs, is reason enough to consider it to be a PUP according to our PUP criteria. The addition of malware-like analysis avoidance behavior makes the decision to call MPlayerX a PUP a no-brainer.
Further, because we feel that this malware-like behavior shows that the developer of MPlayerX is not trustworthy, we detect the Mac App Store version of MPlayerX to be a PUP as well. Malwarebytes Anti-Malware for Mac detects any version of MPlayerX as PUP.MPlayerX.
Update (2019-09-18): Although we still don’t recommend trusting software from anyone who would use an installer like the one described above, we no longer detect MPlayerX itself. We do, however, still block the launch of the MPlayerX installer via our App Block feature… because it still behaves as described, and you really don’t want to be running that. If you feel that you must use MPlayerX, instead of other alternatives (like VLC), get it from the App Store instead.
But if one just uses the app’s update mechanism it should be safe right? I’ve never used the installer since I’ve used the app from before they used an installer and always updated in-app.
That depends on whether you’re willing to trust an app from a developer who feels it’s okay to add adware to its installer, and to use malware-like analysis avoidance techniques to hide that fact.
I’ve used the MPlayerX installer but I’ve carefully unchecked all the options to install those adware-like software recommended within the installation.
So my question is… am I still vulnerable?
I’m pretty sure I’ve just installed MPlayerX and, in fact, running a scan with MalwareBytes AntiMalware it detects just that as a PUP but nothing more than that.
The thing is that MPlayerX is, at least for me, the BEST video player for the Mac, it works wonderfully and it also has a great design that seamlessly integrates with macOS.
Another question is if you know/recommend another, more specific, software to scan Mac apps downloaded from the web. I’m not necessarily talking about cracked apps. Thanks 🙂
I installed MPlayerX after using MPlayer for a number of years on Mythbuntu. What alerted me to something going on was the inordinate amount of time it took to install. Immediately I ran malwarebytes Anti-Malware and found the MPlayer installer had populated my system with PUP crap.
TO REMOVE:
Run malwarebytes Anti-Malware and agree to remove all it finds.
Restart your computer.
Run malwarebytes Anti-Malware again. It will probably find another PUP file.
Remove it.
Restart again.
Run malwarebytes Anti-Malware once more to ensure all is gone.
Trash the MPlayerX installer (dmg) for good measure.
Interestingly, after cleaning my system with malwarebytes Anti-Malware
there is no trace of MplayerX. So this program is nothing but Malware
that plays video files as a front.