Almost five years ago, Intego security researchers warned about the OSX/OpinionSpy spyware infecting Mac computers, downloaded during the installation of innocent-sounding applications and screensavers distributed via well-known sites such as MacUpdate and VersionTracker.
Once compromised, infected Macs could leak data and open a backdoor for further abuse.
Now, sadly, a variant of OpinionSpy seems to be making something of a comeback.
Mac security researcher Thomas Reed raised the alarm on his blog earlier this week, describing how he believed he had spotted a new variant of OpinionSpy in an installer for an app on CNET’s Download.com.
Intego researchers have confirmed that Mac users downloading an app called Free Video Cutter Joiner by DVDVideoMedia might be getting more than they bargained for—a fact that does not go unnoticed by some of CNET’s users:
Looking deeper, Intego experts discovered that all downloads from the developer’s own website (which has both “official” download links and ones labelled “Softonic download”) are pushing the most likely unwanted OpinionSpy code in its installer.
So, what would happen if you downloaded one of the versions of these apps which come complete with “bonus features?”
During installation you would find yourself prompted to install an application called PremierOpinion (detected as OSX/OpinionSpy by Intego’s Mac anti-virus products).
Unlike earlier versions of OpinionSpy, this incarnation explicitly asks users to consent to the code’s installation—but there is always the danger that a user keen to get their hands on a particular app would race through the installation process without reading the small print properly.
Which would be a mistake, as PremierOpinion/OpinionSpy claims to allow “participants in an online market research community to voice their opinions by allowing their online browsing and purchasing behavior to be monitored, collected, and once anonymized, used to create market reports, materials and other forms of analysis that made by shared with our clients…”
According to the blurb, monitoring will record Internet usage, demographic information, details of your hardware/software/computer configuration as well as application usage.
But don’t worry about your privacy, because they go on to say that they “make commercially viable efforts to automatically filter confidential personally identifiable information and to purge… databases of such information… when inadvertently collected.”
Before you know it, the PremierOpinion app has been installed to /Application/PremierOpinion, and new extensions have been added to your Chrome and Firefox browser.
From now on, your Mac computers will be constantly be in contact with PremierOpinion’s servers, using the same domain as previous variants of OpinionSpy—securestudies.com.
Don’t forget, your intention was to find a program to edit video footage—not to find yourself invisibly contributing data about what’s happening on your Mac to market researchers.
Fortunately, if OpinionSpy ends up on your Mac computer it’s not too hard to spot.
Tell-tale signs include the existence of the PremierOpinion icon in the toolbar.
Rather less professionally, when attempting to install its extension on modern versions of Safari, OpinionSpy trips over badly and makes rather a mess of things.
Whether this is because this variant of OpinionSpy has failed to keep up the latest editions of Safari, or is in fact a relic from year’s gone by that has until now gone largely unnoticed, is unclear.
But one thing is for clear. You probably don’t want a tool you thought would provide help with video editing also installing software to snoop upon your online activities, and potentially grabbing sensitive information such as your passwords, browsing history and payment card details.
This variant of OpinionSpy may be a little more upfront with potential victims about its intentions, but that doesn’t make it any more wanted on anybody’s hard drive.
Intego customers can, of course, relax. All known variants of OpinionSpy are protected against.