Remove Spigot Malware on Mac

Apps Like 'TuneUp' Bundled with Yahoo Adware

Beware of adware and malware on the Mac. It can’t do much damage on OS X (macOS), but it’s incredibly annoying and trivial to remove.

I first came across the Mac app TuneUp a few years ago. It was essentially an iTunes extension that helps you clean up your library by identifying unnamed songs and adding track names and cover art.

Like many others, my iTunes music collection largely halted a few years ago with the advent of Spotify. There are times, however, when I still use iTunes, namely to sync rarer songs (that are outside of Spotify’s remit) from my music collection to my iPhone.

Over time many of these songs had become jumbled in the mess that iTunes has become, and a recent tidy-up mission prompted me to think of TuneUp again.

At first glance TuneUp is very much active – the website remains the same, albeit a bit dated – with a stand-alone download in addition to a Mac App Store version that was (reasonably) recently updated in February 2016.

After downloading and running the usual .dmg installer, I clicked through the usual Terms and Conditions, to install the trial version. And then it hit me:

“Did that say something about Yahoo?”

But, unfortunately, it was too late. Before I knew it, my fears were confirmed. Both browsers that were open had quit and restarted by themselves, and worse, Safari immediately showed me a Yahoo homepage.

The culprit? Bundled in with TuneUp is malware (or ‘adware’ if you are being generous) called Spigot. In short, it installs various browser extensions, plugins, add-ons and trackers that encourage you to search and click through various targeted advertising. And you’d be correct in guessing – it’s far harder to remove than to install.

How To Remove/Uninstall Spigot from a Mac

Note: This is by no means a complete guide to removing Spigot or any other malware. The application and software are constantly changing and innovating to hide themselves and come in many annoying manifestations.

1. Remove all browser extensions. (Note: these won’t be called Spigot, just look for ones you don’t know and the date they were added. Check out this fairly comprehensive list for guidance. You will also need to do this for ALL browsers on your Mac, whether originally open or not).

There’s a decent guide on how to remove them (ironically) on Spigot’s own site. Once done, quit the browsers until all steps are completed.

2. Reset your homepages and default search engines. They will have been changed to Yahoo. Yawn.

3. Remove ‘Spigot’ Library files. Now the complicated bit. Firstly access your User library (Note: not the Macintosh HD Library), instructions to find it are here. There are three main folders to check:

~/Library/LaunchAgents
~/Library/Application Support
~/Library/Caches

Look or search for anything with ‘Spigot’ or ‘spigot’ in the name. BEFORE you delete them though, take a look inside the file (open in a text editor, or even better just hit spacebar with the file selected in Finder for OS X’s Preview mode).

Now the important bit: Inside the files, check for links in the code to other files or folders. These might well have different names other than Spigot. Note down anything you find, and then trash the Spigot files.

4. Find other related files. One link you may find in the first set of files is com.sourcesoftwarehub.AppTech.plist

This can be found in the folder:

~/Library/Application Support/AppCommon/AppTech

In this case, Spigot has created an alias/pseudonym called ‘AppTech’ to try and put you off the scent. There may be more of these, and the only way to find them is to view each one and check the code. Delete them once they have been checked.

5. Check the Macintosh HD Library. Using the same technique as Steps 3 and 4 above, check the following folders:

/Library/LaunchAgents
/Library/LaunchDaemons
/Library/Internet Plug-Ins

6. Reopen your browsers. Hopefully all traces of Yahoo and Spigot should be gone.
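
Steps 3 to 5 can be run as a read-only check from Terminal. The script below is an added example, not part of the original guide: it lists name matches in the six folders named above and prints the file and folder paths each matching plist points to, so they can be noted before anything is trashed. The function names are illustrative, and it assumes the files are XML or binary plists.

```sh
#!/bin/sh
# Read-only triage for steps 3-5: reports candidates, deletes nothing.

# find_named DIR PATTERN: entries whose name contains PATTERN, in any case.
find_named() {
  [ -d "$1" ] || return 0          # a missing folder is not an error
  find "$1" -iname "*$2*" 2>/dev/null
}

# plist_xml FILE: the plist as XML text. Binary plists are converted with
# plutil where it exists (macOS); otherwise the file is read as-is.
plist_xml() {
  if command -v plutil >/dev/null 2>&1; then
    plutil -convert xml1 -o - "$1" 2>/dev/null || cat "$1"
  else
    cat "$1"
  fi
}

# list_refs FILE: every <string> value that is a path (starts with / or ~).
# These are the links to other files or folders that step 3 says to note down.
list_refs() {
  plist_xml "$1" | sed -n 's:.*<string>\([~/][^<]*\)</string>.*:\1:p' | sort -u
}

# triage PATTERN DIR...: print each name match, with referenced paths indented.
triage() {
  pattern=$1
  shift
  for dir in "$@"; do
    find_named "$dir" "$pattern" | while IFS= read -r hit; do
      printf '%s\n' "$hit"
      if [ -f "$hit" ]; then
        list_refs "$hit" | sed 's/^/    -> /'
      fi
    done
  done
}

# The user Library folders from step 3, then the Macintosh HD ones from step 5.
triage spigot \
  "$HOME/Library/LaunchAgents" "$HOME/Library/Application Support" \
  "$HOME/Library/Caches" \
  /Library/LaunchAgents /Library/LaunchDaemons "/Library/Internet Plug-Ins"
```

Any path printed after `->` that uses a different name (such as the AppTech folder in step 4) still has to be opened and checked by hand.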

What You Can Do To Avoid Malware

In short, read the terms and conditions before you accept them. Nothing, literally nothing, can install itself on your Mac without you entering your admin password. Of course, when installing new software this is something you do without thinking, but take a few moments to really assess and read about what you are installing.

TuneUp is a great example of good software going bad. In hindsight the clues were there. One look at its MacUpdate page would’ve immediately flagged up issues. In this case it turns out the software itself has been through a rollercoaster since I last used it several years ago, finally ending with original CEO Gabe Adiv acquiring the business via a new company and relaunching with an old version of the software.

An app that once raised $8.5 million in funding was never going to get anywhere near that kind of return, so it looks like they have resorted to dirty tactics with the bundling of malware. And the real sickening bit – Spigot Inc.’s own website quotes one business partner as saying: “With Spigot’s network of Windows and OSX publishers we were able to successfully run targeted campaigns across each OS.” That partner – Gabe Adiv, CEO GMGP.

The once infallible Mac OS is starting to see small cracks appear, and as a user the natural reaction is to be on guard. It’s one thing if an installer asks you (via a checkbox or similar) if you’d like a certain toolbar or browser extension, but to force install one that is deliberately hidden is just plain wrong.

The saddest thing is that the other 99% of developers that play by the rules get hurt the most. People will end up not trusting third party software, all because of a handful of greedy idiots. Much like the failing Mac App Store that’s overrun by low quality replica or fake apps, it makes you suspect that any developer you don’t know is out to rip you off.

Unfortunately money talks, and these things will continue to happen for the foreseeable future. For now, just think twice before rushing to click that install button.