In some cases, the page will get a bit more pushy, and will show something like this:
This page suggests that the “error” may have been caused by malware, and offers software to “run a free scan” of the system. Clicking that button takes you to a scam page on the macfileopenercom website: The Search App Store button has been replaced with a Search Web button. In this case, the option to choose an application is not usable, presumably because that would take away from the scam. The differences may be minor, but to someone familiar with Apple’s Human Interface Guidelines, all the errors in this window hurt the eyes.) (Although it’s a rather amateurish effort, if you look closely.
This is because when you open the file, it’s actually opening the Mac File Opener app, which displays a dialog made to imitate the real thing. However, with Mac File Opener present, double-clicking the SketchUp file will instead present the following message: This allows you to choose an application to open it if you like, or to do a search of the Mac App Store to find apps that can open it. Normally, when you double-click such a file, Apple is very helpful, and shows you something like this: Suppose, for example, a friend sent you a file that was created by the 3-D modeling software SketchUp, but you don’t actually have a copy of SketchUp on your computer.
It turns out that this is exactly what that app wants, and it takes full advantage of that fact. Worse, if there is no other app to open a specific file, this app would be the default. It turns out that Mac File Opener defines a list of 232 different file types, covering all the common ones and many that aren’t so common: CFBundleDocumentTypesĮssentially, what this app had done is set itself up as an app that can open most files that are at all likely to be on the typical user’s system.
One of the things that file does is allow the developer to identify what file types the app is capable of opening, using an array of data given the key “CFBundleDocumentTypes” that defines all the file types. Inside all Mac apps, there is a file called ist, which defines a number of characteristics of the app. This piqued my curiosity, so I poked a little deeper, and found something very interesting.
It simply seemed to be sitting there, doing nothing. There wasn’t a new launch agent or daemon designed to load it. Even more intriguing, this app didn’t have any apparent mechanism for being launched. Once I had installed it and was poking around to see whether it had installed anything new – perhaps a shiny new piece of adware, for example – I discovered an odd app, named Mac File Opener, tucked away where the average user would never see it. It looked like an ordinary Advanced Mac Cleaner installer… which is not to say it looked like anything I’d want on my computer, but still, I was determined to do the wrong thing, so I clicked right through and installed it. This resulted in an installer file named “amc_rb_mfm1.pkg” being downloaded, which I proceeded to open.
But, of course, I was determined not to be, so I clicked the green button to install the “security update.” If I were being cautious, I would have closed this page immediately, rather than doing anything it said. It began here, on a scam page hosted on the official Advanced Mac Cleaner website: And it is that strange and malicious app that will be our focus today. Because within this rabbit-hole lay one special nugget of… well, not gold.
Although I could go on at length about these products behaviors and why we detect them as PUPs, that is beside the point. PCVARK is responsible for gems like Advanced Mac Cleaner, Mac Adware Cleaner, et al. I began to look into it, and very quickly found myself in a deep rabbit-hole of Mac crapware, all from a major developer of Mac PUPs (potentially unwanted programs), PCVARK. Recently, Jérôme Segura forwarded me a link to a fake virus scam page that seemed to be Mac-related.