Showing a file’s true nature

01. December 2013 Security 2

Things are not always what they appear to be, files on a Mac being no exception. We can identify a file just by glancing at it most of the time, we know what it is and most likely what application will open that file. A few examples:

A few of the file type icons you will most likely recognize.
A few of the file type icons you will most likely recognize.

Yup, no one needs to tell you what’s what, you know just by looking at it. The same goes for most file extensions. You know .jpg is an image, .mov is a video and .zip is an archive. While both the icon and the file extension are great ways to identify a file, this quick and easy way to identify files can be abused to trick you into opening a file that is not what it claims to be. In the case of malware we have seen this in the past with janicab, it masqueraded as a PDF while it was actually an application. More recently this trick has been used by an application posing as an installer.
The user downloads a file that they believe will enable them to watch a sporting event live for free through an application called FirstRow Sports (more details on this here) (and was used again in a fake Gimp installer, more here). The file they download is not an installer, it’s an application that mimics an installer. The icon looks like the one you’d expect from an installer and it behaves like one but looking closer at the file information you can see it’s an application. Without this closer look, most people will open the file, click the ‘continue button’ a few times and wait for the Sports app to show up. What they get instead is a dose of Genieo adware and another browser plug-in they did not ask for.

The fake installer
The fake installer

A Get Info command shows the true nature of the file:

The file kind - Application
File kind – Application

Performing the Get Info command on an actual installer looks like this:

File kind - Installer Package
File kind – Installer Package

this is one way to be sure a file is what it claims to be but getting the information of every file you come across will take up enormous amounts of time and is just not practical. Instead, enabling the finder to show all file extensions by default would have gotten this fake installer busted right away.

Notice the .app
Notice the .app

This can be done by clicking on the Finder menu, then going to Preferences. Under the Advanced tab, select “Show all filename extensions”. It will look a little messy at first but you’ll get used to it very fast. Soon you’ll barely notice it’s there at all and just glancing at all your files will get you the icon ánd the extension and your brain will quickly OK it or flag it.

This is not fool proof and you’ll need to know some of the basics like what generic icon goes with what file type. Also having OS X’s GateKeeper settings set to at least “Mac App Store and identified developers” (System Preferences > Security & privacy > General) will prompt you when an unsigned application is about to be opened. In the case of the above mentioned FirstRow Sports application this will not help you as it is actually signed by “Cool Mirage Ltd.” so GateKeeper does not flag it. Another good defense would be an antivirus that can flag this type of file for you so if the icon/extension combo is not picked up by yourself and GateKeeper does not flag it, the antivirus will.

In the end there is no substitute for common sense and taking it slow. Don’t install stuff from an unknown source and read before clicking the “Continue”, “Accept” or “Install” button.

2 thoughts on “Showing a file’s true nature”

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.