Mac – Are auto-downloaded malicious .dmg app files a security risk if they are never opened

Tags: dmg, mac, malware, security, virus

I visited a page to stream a TV show, and upon clicking the search result link got the following pop-up:

(image: initial pop-up)

I clicked OK, as nothing on Chrome was available, and when I did that, Chrome auto-downloaded a file called FlashPlayer.dmg.

Here is a picture of that file:

(image: file download)

I didn't open the .dmg file or click on it at all. Instead, I immediately went to my downloads folder, deleted the file, and then emptied my trash.

I then went to see my downloads on Chrome; the URL seems to be something like www.makeymcmacface.com/prod/... (which Google indicates belongs to the Mac.Trojan.Genieo.33 type of adware).

My question is this: If I download a malicious .dmg file, but don't click on it to install it, am I safe? Or is there a possibility that by simply visiting a website that auto-installs a .dmg file, I could have compromised my security?

Best Answer

If I download a malicious .dmg file, but don't click on it to install it, am I safe?

You are safe. The .dmg (disk image) file is not the actual installer. The .dmg must be double-clicked to install it before it can run any code. Even if you double-click it (so long as you leave the security feature Gatekeeper on), you must approve both the "downloaded from the web" alert and the authentication prompt to actually permit the install to proceed.

Is there a possibility that by simply visiting a website that auto-installs a .dmg file, I could have compromised my security?

No, your security is not compromised unless you manually install the file. The reason for this is that a website can only offer a .dmg file for download. There is no "auto-install" for a .dmg app file. You may click on a link (or a button) to start the download, but disk images themselves are not "installed" by the download process—meaning they can't run any code on your Mac until you type in your password to install them (again, because of macOS's built-in security feature Gatekeeper). The disk image is merely saved to your designated folder (typically Downloads) then waits for you to take further action by double-clicking on it to mount it. For any code from that app to be run, you have to authenticate with your password.


Bonus tip: When a website tells you that your Flash Player is out of date by way of a pop-up like the one you've shown, that should be an automatic red flag! Outdated Flash Player alerts are almost never legitimate. Instead of clicking the OK button on the notification like you did, you should force quit your browser: choose Force Quit from the Apple menu in the menubar (or just press Command+Option+Esc), then select Chrome/Safari and hit Force Quit. Hold down Shift while reopening Safari to prevent the website from reloading.
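The "downloaded from the web" alert the answer mentions is driven by the com.apple.quarantine extended attribute that browsers such as Chrome stamp on downloaded files; Gatekeeper checks for it when the file is opened. The script below is an added example (not part of the question or answer above) that reads and decodes that attribute so you can confirm a download still carries the flag before deciding what to do with it. It assumes the commonly documented value layout `flags;hex-timestamp;agent;uuid`; the sample value in the test and the default path `~/Downloads/FlashPlayer.dmg` are constructed for illustration, and on non-macOS systems the attribute is simply reported as absent.

```python
"""Inspect the macOS quarantine attribute that Gatekeeper relies on.

Added example, not code from the original Q&A. Assumed value layout of
com.apple.quarantine (as commonly documented, not verified here):
    <flags hex>;<download time, hex seconds since epoch>;<agent name>;<uuid>
"""
import os
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int
    downloaded_at: datetime
    agent: str
    uuid: str


def parse_quarantine(value: str) -> QuarantineInfo:
    """Split the raw attribute string into its fields."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(flags, downloaded_at, agent, uuid)


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Return the parsed attribute for a file, or None if it has none.

    os.getxattr exists on macOS and Linux; elsewhere it is missing
    (AttributeError). A missing attribute or missing file raises OSError.
    """
    try:
        raw = os.getxattr(path, QUARANTINE_ATTR)
    except (OSError, AttributeError):
        return None
    return parse_quarantine(raw.decode("utf-8", "replace"))


def describe(path: str) -> str:
    """Human-readable one-line verdict for a downloaded file."""
    info = read_quarantine(path)
    if info is None:
        return f"{path}: no quarantine attribute (Gatekeeper will not prompt on open)"
    return (f"{path}: quarantined by {info.agent} at "
            f"{info.downloaded_at:%Y-%m-%d %H:%M:%S} UTC (flags 0x{info.flags:04x})")


if __name__ == "__main__":
    # Constructed default path; pass real paths as arguments.
    for p in sys.argv[1:] or ["~/Downloads/FlashPlayer.dmg"]:
        print(describe(os.path.expanduser(p)))
```

A file that has lost the attribute (for example after being extracted by a tool that strips it) will open without the Gatekeeper prompt, which is the practical reason to check it rather than assume the alert will always appear.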