Get rid of Open Any Files: RAR Support



My Mac was taken over by Open Any Files: RAR Support (https://itunes.apple.com/us/app/open-any-files-rar-support/id1250827715?mt=12). I am using Malwarebytes for Mac, but it is not detecting it as malware.

I downloaded this app from the AppStore, and it won't let me open files such as Word or Excel anymore. What is more suspicious is that the app is promoting the Trend Dr. Antivirus inside it. Did Trend go rogue?

Any thoughts will be appreciated.

Edited by PeterNopSled
add the web link
Link to post

I have this on my list of apps to try to get removed from the App Store. It includes an info.plist file that allows most file types to launch Open Any Files if you don't have the associated app, but in the process hijacks many of the apps that you do have. I agree that Malwarebytes for Mac (and other anti-malware software) should be identifying it as a PUP.

Simply trashing it should get rid of the problem.

Link to post

Proof Video: https://youtu.be/X90Us-6TsjU

Another day after Christmas, and I found another application abusing the Apple AppStore system and end users.

The application name is Open Any Files: RAR Support.

The app is acting like malware, abusing the Mac and AppStore system to gain downloads and promote another app.

1. The file extension system is abused

2. The developer is fake-reviewing this app to defraud the Apple AppStore system and trick Mac users into downloading it

 

1. The file extension system was created by Apple for developers for ONLY one reason: for example, if you code an application that can open a PDF file, you can add a rule to the Info.plist file telling macOS to add your application as the opener for PDF files.

The developer of Open Any Files is abusing this feature by adding a large set of extensions to the Info.plist file, tricking macOS into believing that this app can open these kinds of files.

Why is the developer doing it? Because when you download a file from the internet and you don't have an application to open it, you can go to the Open with AppStore option, and what happens is that the AppStore will show you which app has your file extension in its plist file (in our case, Open Any Files: RAR Support).

The app is acting as malware because after you install it, it takes control of your Mac and sets itself as the default file opener for all the extensions they have written in the plist file.

What is worse is that this app is promoting the Trend Micro Antivirus for Mac, which makes me think that this company HAS SOMETHING TO DO WITH THIS.

NOW I AM ASKING MYSELF, HOW RELIABLE IS THE TOP-SELLING ANTIVIRUS FROM THE APP STORE?

2. The developer is abusing the Apple AppStore review system. Judging by how intrusive this app is and the fact that it is NOT opening any file, I can only draw the simple conclusion that the five-star positive reviews that this app has are fake.

Have a look at other "Open file" apps on the AppStore which are doing the identical thing. NONE OF THEM HAS SO MANY POSITIVE REVIEWS.

 

Link to post
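The Info.plist abuse described in the posts above can be checked by listing which document types an app declares. The following is an added example, not part of the original thread or any poster's code; the sample plist, the `audit_document_types` helper, the catch-all set and the threshold of 4 extensions are assumptions made for illustration.

```python
import plistlib

# Constructed sample Info.plist (hypothetical app, not from any real bundle).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.openanything</string>
  <key>CFBundleDocumentTypes</key>
  <array>
    <dict>
      <key>CFBundleTypeName</key><string>Archives</string>
      <key>CFBundleTypeExtensions</key>
      <array><string>rar</string><string>zip</string></array>
      <key>LSHandlerRank</key><string>Default</string>
    </dict>
    <dict>
      <key>CFBundleTypeName</key><string>Everything else</string>
      <key>CFBundleTypeExtensions</key>
      <array><string>docx</string><string>xlsx</string><string>pdf</string>
             <string>mp4</string><string>*</string></array>
      <key>LSItemContentTypes</key>
      <array><string>public.data</string></array>
      <key>LSHandlerRank</key><string>Owner</string>
    </dict>
  </array>
</dict></plist>"""

# Assumed heuristic: wildcard extension or very generic UTIs count as catch-all.
CATCH_ALL = {"*", "public.data", "public.item", "public.content"}

def audit_document_types(plist_bytes, max_extensions=4):
    """Return (claimed extensions, findings); max_extensions is an arbitrary threshold."""
    info = plistlib.loads(plist_bytes)
    extensions, findings = set(), []
    for doc in info.get("CFBundleDocumentTypes", []):
        name = doc.get("CFBundleTypeName", "<unnamed>")
        claimed = {e.lower() for e in doc.get("CFBundleTypeExtensions", [])}
        utis = set(doc.get("LSItemContentTypes", []))
        extensions |= claimed
        wild = sorted((claimed | utis) & CATCH_ALL)
        if wild:
            findings.append(f"{name}: catch-all claim {wild}")
            if doc.get("LSHandlerRank") == "Owner":
                findings.append(f"{name}: claims Owner rank for catch-all types")
    if len(extensions) > max_extensions:
        findings.append(f"{len(extensions)} extensions claimed in total")
    return sorted(extensions), findings

if __name__ == "__main__":
    print(audit_document_types(SAMPLE_PLIST))
```

On a Mac, the same function can be given the bytes of an installed app's Contents/Info.plist to see what that app registers itself to open.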

  • Staff

Thanks for the info... that is definitely unethical behavior, following the pattern of something similar that we detect as malware:

https://blog.malwarebytes.com/threat-analysis/2016/08/pcvark-plays-dirty/

Dr. Antivirus does appear to be legitimately associated with Trend Micro, on initial investigation, and the Open Any Files app uses an affiliate code to link to the Dr. Antivirus page on the App Store. Dr. Antivirus appears to be junk - I threw 23 components of malware from this year at it, and it only detected 5 of them.

We're still investigating, but this does just go to show that the Mac App Store cannot be trusted. I've said it multiple times, mostly in regard to all the fake anti-virus programs in the Mac App Store, and this is just further evidence.

Link to post

MBBR detected this app with the marker for it being less than trustworthy today about 40 minutes ago.

I would like to confirm that the very same computer was acting very odd Christmas day, though I cannot conclusively say it was caused by Open Any Files.app. I do have that installed and it may have opened a file a little earlier in the day. I assumed the instability was a Google Chrome extension at the time but it is possible that Open Any Files.app was the source of the issue. I did reflexively think "North Korea hackers" at the time but could not pin it down. The behavior seemed to cause a major hiccup in Chrome that I have never before experienced or at least not recently. I closed any tabs that seemed unusual and checked my extensions for Chrome, and a scan with MBBR did not find anything.

I did not think about it being the source of my computer's odd behavior.

Link to post

I doubt that what you observed was due to Open Any Files as that's not really what it was designed for, but sloppy programming might have caused some effect. The app really serves no useful purpose, so Trash it, Empty Trash and then watch to see if the problem returns.

You didn’t really tell us what behavior you observed, so it's difficult to offer any real troubleshooting advice.

Link to post

There is a strong connection between TrendMicro and the Open Any File developer.
TrendMicro had even allowed access to their servers to this developer.

files: 1.png and 1a.png

The problem is that OpenFile is sending data about your Mac system, paths, and what exactly you are doing to TrendMicro servers. There is nothing specified in any user agreement about this practice, and it is breaking user privacy.

file: 2.png

Another thing identified is that OpenFile is uploading a zip file when you want to open unknown files. The zip file is password protected, which makes me wonder why you should password-protect some statistical data. I have strong feelings that the zip archive contains the file you want to open, which is nothing more than DATA EXFILTRATION.

During the examination, I noticed that OpenFile and Trend are receiving commands from their servers precisely the way a C2C does.

All these facts are enough to conclude that TrendMicro is ABUSING the end user and must be added to the potentially unwanted programs database.

Link to post

Unfortunately I am also among those affected by this app; what I would like to ask is: why is it detected only by manual scanning and not by real-time protection when downloading it from MacAppStore and installing on my Mac?

An explanation by treed would be appreciated.

thanks

Edited by MAXBAR1
Link to post

While waiting for Treed, I have a likely explanation. App Store downloads go to a temporary cache folder that can be found by entering the Terminal command:

open $TMPDIR../C/com.apple.appstore/

which is in /private/var/. I suspect that's not a directory being monitored by RTProtection since App Store apps should not contain any malware.

IMHO, the problem with this one is that it shouldn't be in the App Store to begin with, but we all know such things happen far too often. Watching this directory will cause RTProtection to use a small amount of additional computer resources, so although it's worth consideration by the developer, it would be a trade-off to monitor it all the time with marginal payoff.

Edited by alvarnell
Link to post

Thanks to alvarnell for the suggestion ... In the folder indicated there are only files related to the graphics card (intel hd graphics 4000) ...

Message to the developers:
It would not hurt if Malwarebytes did a real-time check on everything that threatens the computer (whether downloaded from the internet, from the Mac AppStore, or from external drives when they are connected) ... I reaffirm the need for the possibility of a scheduled scan (as for the download of the definitions), a custom scan (excluding Time Machine drives, for which it should not be allowed, so as not to compromise the backup) and automatic checking of version upgrades. It would not be bad if the menu of the Malwarebytes icon in the Mac menu bar showed, besides the date of the last update, also the date of the last scan and the status of the computer (ok, warning, critical) ... so that one need not open Malwarebytes except in warning cases.

All this possibly in the next version, as soon as possible.

thanks

Edited by MAXBAR1
Link to post

Quote
1 minute ago, MAXBAR1 said:

In the folder indicated there are only files related to the graphics card (intel hd graphics 4000) ...

App Store Downloads are deleted immediately after the install has completed.

 

Link to post

There remains the security issue of Mac AppStore apps that are installed but not yet used and are not detected by real-time protection, as happened to me with OpenAnyFiles.

With a scheduled scan (since it lasts about ten seconds, it can be done several times a day) the problem would be at least temporarily solved while waiting for better real-time protection.

Edited by MAXBAR1
Link to post

In that case you would also need RTProtection to watch your Applications folder. Yet another use of resources with little payoff. That is how most A-V software gets a bad name for slowing down the user's computer experience. Adding additional features will eventually result in an unacceptable impact on the user to the point of disabling or uninstalling it altogether. I see that happen with other products every day in the Apple Support Community forum.

Link to post

  • Staff
On 12/29/2017 at 10:42 AM, MAXBAR1 said:

Unfortunately I am also among those affected by this app; what I would like to ask is: why is it detected only by manual scanning and not by real-time protection when downloading it from MacAppStore and installing on my Mac?

I just tested that, and it does quarantine the app as soon as the Mac App Store has downloaded it and moved it into the Applications folder. However, if it was already present when the database was updated, that would not result in real-time protection detecting it.

Link to post

Thank you treed

That's exactly what happened to me ... when the data for this app was included in Malwarebytes, it had already been among my installed apps for a few days.
This is why a scheduled scan two or three times a day (about 36 seconds total) and status reporting at the menu level (for example, changing color - green, yellow, red - the Malwarebytes M to indicate it) would be useful.
I await a response from treed ... thanks

Link to post

  • 2 months later...

I am a non-tech person. I downloaded the "Open Any File" App on my Windows computer. Now I need to use an external DVD player but every time I try to do that I get a screen from the Open Any App file. I can't find anything like "Open Any File" in my program list to uninstall. I just want it to go away. Can anyone help me? I need to use this external disc drive for a new job that I have. I can't spend hours trying to fix this problem. One of the screens that I get looks like this:

[attached image: image.png]

Edited by Stevetrib
typo.
Link to post

I have no idea about the Windows version of Open Any File, but the Mac version is considered to be a Potentially Unwanted Process (PUP) by many anti-malware scanners, as it causes multiple issues when trying to open files on a Mac. If you were a Mac user I would recommend that you fully uninstall the application.

Link to post

  • Staff
On 3/20/2018 at 5:22 PM, Stevetrib said:

I downloaded the "Open Any File" App on my windows computer.

If this is on Windows, you're in the wrong forum. This is one of the Mac forums. I personally can't answer questions about detections in the Windows software, so you might want to post this question here:

https://forums.malwarebytes.com/forum/7-malware-removal-for-windows/

If there's something called Open Any File for Windows, it may also be something that should be detected on Windows, or it may not.

Link to post