Google Earth's Mac updater isn't malware, but deserved your suspicions
Recently, Google accidentally pushed out an update to its plug-in that relentlessly asked Mac OS X users to enter their password.
Let me shake your hand if you’re one of the people who, when seeing a pop-up dialog appear on your Mac a while back that asked you to enter your account password for Google Earth Update Helper, said, “Whoa! This is obviously malware!” It wasn’t, but you deserve kudos for being suspicious.
Er, and I entered my password. I’ll take 10 demerits for that. (“1 star! Will not trust security writer again! F!”)
But it was great to see many people talking on Twitter and in forums about how they didn’t fall for it, because the actions of the software seemed like malware.
As I wrote when the pop-up first appeared, Google Earth’s development team pushed out an update for Mac users, but not for the Google Earth program; rather, it was for the plug-in that allowed Google Earth to work in browsers. You don’t remember installing Google Earth or its plug-in? Join the club! Many people have zero recollection, and yet the update was pushed to their machines.
Turns out, when you use a Google software installer for any of its OS X software, the company installs a background software update agent that runs all the time. Didn’t know that? Yeah, that’s a disclosure problem. When software installs background processes, especially ones that communicate back to a mothership for whatever purpose, there should be a clear explanation of what it does—and the ability to opt out.
- You don’t know Google installs it.
- It communicates with Google without your knowledge.
- Oh, and it can’t be configured with a graphical program.
- Ermh, by the way, it doesn’t come with an uninstaller, either.
So, I was slightly surprised after my article explained how to remove the Google Earth plug-in, and also advised how to remove the software updater permanently, that I received pushback from readers—and less surprised that I heard from Google.
As I should have anticipated, people thought it was appalling that I would advise disabling the Google updater, because it’s also used for Chrome. Was I dooming people to an outdated browser with unpatched security flaws?
First, this was a temporary fix for people being driven ’round the bend by an update dialog that kept recurring. Some people were seeing it every 15 minutes. In my case, I would click Cancel and it would return several times. (Google eventually realized what was up and pulled the update off the queue; it had happened before, and its institutional memory apparently broke.)
Second, at the end of the article, I explained how to reinstall the updater. (In Chrome, type
chrome://help and you can click Set Up Automatic Updates for All Users.)
Third, when you launch an outdated version of Chrome, Google’s support documentation says that a “hamburger” menu (three stacked horizontal lines) in the upper-right corner of the browser will show green, yellow, or red indicating that an update has been available for at least 2, 4, or 7 days.
However, I discovered Google’s documentation doesn’t match current behavior with Chrome and El Capitan. After using the “nuke” option I describe in my how-to article, I installed a version of Chrome from May. The documented hamburger menu behavior didn’t occur, which is disappointing. It’s possible that this notification relies on the software updater, but that seems unlikely.
I also discovered simply launching Google and returning to
chrome://help resulted in the Google Software Updater being reinstalled in my user directory, although seemingly not configured to work automatically. And, visiting that special Chrome page downloaded and installed the latest Chrome release (requiring quitting and relaunching to load it) without any intervention or way to cancel the download.
After I relaunched the updated browser, I clicked the Set Up Automatic Updates for All Users on that page, and it removed the updater files from my user library (
~/Library/) and put them at the top-level
/Library/ directory, which makes sense, because updates are now effective for every user account on my Mac.
A Google spokesperson told me that users who want less frequent checks can run a Terminal command documented at a support page, but the first command in the sequence on that page didn’t work—the preference file that you’re supposed to check to find the current value didn’t exist even after reinstalling the updater.
I tried manually running an update check through instructions also on that page, and that worked, but the interval default didn’t reappear. I also used the
ksinstaller command-line tool that’s in the same directory as the manual updater to try to set the interval, and it failed as well, despite its error message including instructions on using it to set the interval.
Based on all of this: I think it’s reasonable that Google Chrome users would want to remove the automatic software installer until such point as Google actually gets its act together about how the software works, including providing more disclosure and a method other than via the command line to control its functions.
But I’d also suggest making a visit to
chrome://help on a regular basis to make doubly sure you’re up to date.