EtreCheck is Malware

Is EtreCheck safe? NO!

EtreCheck does not meet Apple's standard for acceptance into the official App Store.

Don't be fooled by those high-level users on Apple Support Communities no matter what level they are. This is social engineering done to make you think it's perfectly ok to download an unknown program from the internet that can't make it into the App Store. Numerous versions of EtreCheck have been proven to contain malicious code and contact IP addresses that are known to host malware files according to top anti-virus companies including McAfee, TrendMicro, AVG, Avast, AegisLab, and more.

What better way to disguise malware than as a "friendly checkup" app that helps you diagnose "beach-balling" and remove "bloatware"? In computing, a trojan horse is defined as a program designed to breach the security of a computer system while ostensibly performing some innocuous function. Who would think that something that is supposed to fix problems is actually a problem itself? There have similarly been cases of virus scan software that actually was malware itself.

EtreCheck may identify some issues your computer has but who cares if it also gets administrator access to your computer, installs a command and control server, and can do things like access your files and webcam without you knowing? That's exactly what reverse engineering of the program has discovered it is capable of doing. It's not a totally useless program because, in addition to its clandestine activities, it also might help people remove other competing malware programs.

It seems a technique called social engineering is being used to trick users and convince them that it is safe to download EtreCheck since it is being recommended by a high-ranking forum user or multiple users.

Since many users have an innate trust in all things Apple, they understandably are under the impression that these high-ranking forum users are either actual Apple employees or thoroughly vetted by Apple, which would surely act to stop such widespread victimization of its customers.

Unfortunately, Apple maintains that these users are not Apple employees and that Apple does not verify the statements made in these forums. Even though there is some moderation, it's typically for clear violations like a post containing personal information or profanity.

Those high-level user accounts commonly make statements like "delete your antivirus software," "there's no such thing as malware for Macs," and repeat the same conclusions over and over again without offering the slightest bit of proof or references. If you try to confront an EtreCheck pusher with evidence, they will make up any excuse why you're wrong, simply ignore you, or resort to insults instead of engaging in productive dialogue. It almost seems as if Apple condones this to help maintain their image as a magically superior operating system that isn't affected by the very same issues that made customers switch over to them in the first place.

macOS does definitely have some additional protections built in, and Apple does patch known exploits and has in every single upgrade you've installed, probably ever, but that doesn't mean that the exploits didn't exist. They can only address known exploits that get reported to them, either through the US government's official reporting mechanism, NIST's National Vulnerability Database Common

You may have heard of the program which claims to help people identify and resolve problems with their Mac. It is continuously recommended on the Apple-sponsored support forum as a "friendly checkup". A user would be inclined to trust the recommendations of the high-ranking users whose countless hours, days, and years have been spent answering questions, surely out of the goodness of their hearts, right?

Not necessarily...

But either way, it's safe to assume that everything is verified by an all-knowing genius Apple moderator, right?

Unfortunately, that assumption may have convinced more than 500,000 people to download the trojan horse malware directly from the developer's website, since it's unavailable in the official App Store.


How this has been allowed to continue all these years is frankly sad, and one can only assume it simply hasn't come to the attention of the right person who could put a stop to it, or that Apple is too embarrassed to admit such a mistake. The belief that Apple products are immune to compromise has slowly been degraded over the years as a result of various incidents; admitting fault here could draw the ire of countless users and even result in legal repercussions for Apple as a result of their failure to act and protect their customers.

The proof of EtreCheck's malicious activity isn't difficult to identify and can easily be seen by using various free malware analysis tools online. VirusTotal is one such tool that detects malware using data from more than 60 of the largest anti-virus companies' databases of malware threats. It's like running 60+ different anti-virus scans on a file at once and seeing if any of them detect any signatures of code they've previously identified as malware.

A report on the software developer's website shows that many versions of EtreCheck have been uploaded to VirusTotal and have been identified as malware, are closely related to malicious files and IP addresses, or display other indicators of compromise, according to highly trusted names like McAfee, AVG, TrendMicro, Avast and AegisLab, the MITRE Corporation (a non-profit at the intersection of computer science and national defense), Snort, VirusTotal, Bro, and Crowdstrike/Hybrid Analysis.
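As an added example (my code, not the page's author's and not VirusTotal's), here is how a defender reads a multi-engine report like the ones described above: count which engines flagged the file, leave out engines that never produced a verdict, and decide whether the result is strong enough to act on. The report below is constructed for illustration in the shape of a VirusTotal API v3 file object (an assumption about the shape; real reports list around 70 engines and many more fields); the engine names, detection labels, digest and the `min_engines` threshold are made up.

```python
import json

# Constructed report, modelled on the shape of a VirusTotal API v3 file
# object (assumed shape). Engine names, labels and the digest are made up.
SAMPLE_REPORT = json.dumps({
    "data": {
        "attributes": {
            "sha256": "0" * 64,  # placeholder digest, not a real file's hash
            "last_analysis_results": {
                "AlphaAV":       {"category": "malicious",  "result": "Trojan.Generic.Constructed"},
                "BetaScan":      {"category": "malicious",  "result": "OSX/Agent.Constructed"},
                "GammaGuard":    {"category": "suspicious", "result": "Heur.Suspicious.Constructed"},
                "DeltaSec":      {"category": "undetected", "result": None},
                "EpsilonShield": {"category": "harmless",   "result": None},
                "ZetaDefender":  {"category": "undetected", "result": None},
                "EtaEngine":     {"category": "timeout",    "result": None},
            },
        }
    }
})

# Categories meaning "this engine did not produce a verdict at all".
NOT_SCANNED = {"timeout", "confirmed-timeout", "failure", "type-unsupported"}
# Categories meaning "this engine raised a flag".
FLAGGED = {"malicious", "suspicious"}


def summarize(report_json: str) -> dict:
    """Reduce a report to what a triage decision needs: ratio and labels."""
    attrs = json.loads(report_json)["data"]["attributes"]
    results = attrs["last_analysis_results"]
    scanned = {n: r for n, r in results.items() if r["category"] not in NOT_SCANNED}
    flagged = {n: r["result"] for n, r in scanned.items() if r["category"] in FLAGGED}
    return {
        "sha256": attrs["sha256"],
        "scanned": len(scanned),
        "flagged": len(flagged),
        "labels": flagged,  # engine -> detection name
    }


def looks_generic(label: str) -> bool:
    """Heuristic: detection names carrying these tokens are family-wide or
    heuristic hits, which are the kind most often seen in false positives."""
    tokens = ("generic", "heur", "suspicious", "agent", "gen:")
    return any(t in label.lower() for t in tokens)


def triage(summary: dict, min_engines: int = 5) -> str:
    """Turn the counts into a verdict a reviewer can act on.
    `min_engines` is a constructed threshold, not a VirusTotal rule."""
    if summary["flagged"] == 0:
        return "no-detections"  # absence of signatures is not proof of safety
    few_hits = summary["flagged"] < min_engines
    if few_hits and all(looks_generic(l) for l in summary["labels"].values()):
        return "low-confidence"  # few, generic hits: review the file, no verdict yet
    return "high-confidence"  # many engines or specific family names agree


def detection_ratio(summary: dict) -> str:
    """The 'n/total' figure people quote from a report, with non-scanning
    engines removed from the denominator."""
    return f"{summary['flagged']}/{summary['scanned']}"


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print("sha256:", s["sha256"])
    print("detections:", detection_ratio(s))
    for engine, label in s["labels"].items():
        print(f"  {engine}: {label}")
    print("triage:", triage(s))
```

Fetching a live report needs a VirusTotal API key and network access; this code only parses a report you have already saved as JSON. The point of the `triage` step is that a detection count on its own says little: a handful of "Generic" or "Heur" labels is a prompt to look at the file and the detection names, whereas agreement among many engines on a specific family name is a much stronger signal.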


The graph below was generated by VirusTotal and illustrates the complex manner in which EtreCheck operates. It was made using a 2018 version of the program, which can be confirmed by looking at the unique identifier, its SHA-256 digest (the long string under File Name that starts with b37424). This string is calculated by a hash algorithm, one of several in use, that lets any computer arrive at the same string of characters for the same file as long as it contains exactly the same data. If any change is made to the data contents, the string of characters will not be the same. Security features like encryption, certificate authorities, and code signing use their preferred algorithm to make sure that the string of characters matches what is expected.
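To make the digest idea concrete, here is an added example (my code, not the page's and not EtreCheck's) that computes a SHA-256 digest the way `shasum -a 256` does, checks a download against a digest published elsewhere, and shows that flipping a single bit in the input yields an unrelated digest. The sample bytes are constructed stand-ins for an application archive, not the real file.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded application archive (not EtreCheck's
# real bytes) and a copy of it with one bit flipped in the last byte.
ORIGINAL = b"PK\x03\x04 constructed sample archive contents, version 1.0"
_t = bytearray(ORIGINAL)
_t[-1] ^= 0x01
TAMPERED = bytes(_t)


def sha256_hex(data: bytes, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of `data` as 64 lowercase hex characters, fed in chunks the
    way a command-line tool streams a large file instead of loading it whole."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def sha256_file(path: str) -> str:
    """Same digest for a file on disk; this is the value you compare with the
    string shown under 'File Name' on a VirusTotal page or in release notes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published_digest(data: bytes, published_hex: str) -> bool:
    """True only if the bytes hash to the published digest.
    hmac.compare_digest avoids leaking how many leading characters matched."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def differing_bits(a_hex: str, b_hex: str) -> int:
    """How many of the 256 digest bits differ. Any change to the input is
    expected to flip roughly half of them, so the digests of two nearly
    identical files look nothing alike."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


if __name__ == "__main__":
    good = sha256_hex(ORIGINAL)
    bad = sha256_hex(TAMPERED)
    print("original :", good)
    print("tampered :", bad)
    print("bits differing:", differing_bits(good, bad))
    print("tampered copy matches published digest?",
          matches_published_digest(TAMPERED, good))
```

A matching digest tells you that the bytes you have are the bytes that were hashed, nothing more; it is the same guarantee a code signature builds on, and it says nothing by itself about what the program does when run.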

It's safe to assume that the data sent to VirusTotal is in fact the file it claims to be, an authentic version of EtreCheck. The certificate allows us to know that this is almost certainly the file the developer intended it to be.


The program also was recently confirmed to be communicating with a known malware server (shown below), for which the developer later claimed he had no explanation.

Debunking Myths About the Trustworthiness of Etrecheck and Etresoft

Myth #1 - "Etrecheck is safe because it has a valid certificate issued by Apple"

False. A certificate has nothing to do with the safety of a file. Anyone can sign up for a developer account for free and get a Developer Certificate backed by Apple's certificate. They're issued automatically and on demand.

According to Apple's documentation on Code Signing:

"Benefits of Code Signing

  • Ensure that a piece of code has not been altered since it was signed. The system can detect even the smallest change, whether it was intentional (by a malicious attacker, for example) or accidental (as when a file gets corrupted). When a code signature is intact, the system can be sure the code is as the signer intended.

  • Identify code as coming from a specific source (a developer or signer). The code signature includes cryptographic information that unambiguously points to a particular author.

  • Determine whether code is trustworthy for a specific purpose. Among other things, a developer can use a code signature to state that an updated version of an app should be considered by the system to be the same app as the previous version.

Limitations of Code Signing

Code signing is one component of a complete security solution, working in concert with other technologies and techniques. It does not address every possible security issue. For example, code signing does not:

  • Guarantee that a piece of code is free of security vulnerabilities.

  • Guarantee that an app will not load unsafe or altered code—such as untrusted plug-ins—during execution.

  • Provide digital rights management (DRM) or copy protection technology. Code signing does not in any way hide or obscure the content of the signed code."

So the only determination that can be made from a piece of software that has a certificate is that it is in fact the same data that whoever the certificate was issued to intended it to be. The only thing a code signature or certificate proves is that this is the actual data that EtreCheck's developer wanted it to be, which matters here because further investigation proves that the same code has malicious intentions. So if it's not altered and it is malicious, we can safely conclude that the developer of EtreCheck created the malware intentionally, as opposed to it being introduced by some sort of man-in-the-middle attack.

Myth #2 - You can trust those who push EtreCheck - they even use their real names!

False. This is the internet. You shouldn't just trust anyone, especially anyone who says to just trust them. You should do your own research and fact-check information.

Do you really think there are even 10-20 people who are that dedicated to answering questions even though they don't work for Apple and aren't being compensated? This should trigger your spider sense. What is their motivation for spending so much time trying to convince Apple customers that it's still 2004?

I shouldn't have to tell you this but this is the INTERNET. The fact that a bunch of user accounts on Apple Support Communities exist and act as if they know each other in the real world means absolutely nothing. These user accounts could all be one person or even a bot programmed to respond to people on that forum. They know that no one will ever know who really is behind the accounts so they can invent whatever persona they wish to have and expect you to believe them or they will shun you as an outcast. This is otherwise known as "groupthink" and a new user asking a question will likely forgo their critical thinking and adopt an irrational principle (like their MacBook Pro is magical) so as not to upset the group or be thought of as being in the "outgroup".

Myth #3 - "Macs Can't Get Viruses"

False. Macs are only slightly less vulnerable to malware than any other operating system, and there are 9,810 documented exploits that have affected Apple products.

Here you can see the EtreCheck App .zip file which was obtained from the official website via the large download link in the top right corner. The file being studied is the blue one that all of the highlighted blue lines connect to next to 2018...

The files below it are bundled in its package.

The arrow above it going to the left indicates it contacts malware servers at 23.73.156.158 and 69.163.152.207 that host a large number of various files that have tested positive for malware.

Source: VirusTotal

https://www.virustotal.com/graph/http%253A%252F%252Fetresoft.com%252F

Please also see this report from reverse.it that shows how the malware is designed to even infect Windows based computers: https://www.hybrid-analysis.com/sample/c19ac1f71e4710fa6fbc0becbe9e3664b6e2b42fc5ce617c681eded66ab59f8c?environmentId=100

Did you know your Mac also has a 32-bit, Windows-compatible operating system built right in? Well, kind of. Your computer boots from UEFI, http://www.uefi.org/ (Unified Extensible Firmware Interface; Apple documentation specifies it is to be referred to as just EFI, although it is UEFI's UEFI EFI).

EFI is a 32-bit operating system which both Windows and Mac computers all use as an interface between hardware and the operating system, since at least 2011. This 32-bit architecture is vulnerable to malware pretty much just like an old Windows 95 PC was, and malware installed in the boot partition of a computer can be extremely evasive and persistent, even surviving wiping and reinstalling the operating system. If it is stored in a hard drive's special service area, typically reserved for the drive's own firmware, the malware can persist even after erasing the physical disk.

If you have a spinning-disk HDD, it has a service area for its firmware and is not an Apple product; typically Samsung or another manufacturer is the maker of the physical hard drive. SSDs and Macs with the Touch Bar/Touch ID have other storage areas that are not part of the main hard drive. Examples include your SMC, NVRAM (PRAM for you dinosaurs), Secure Enclave, integrated graphics in your CPU as well as the discrete graphics processor, RAM that has been reconfigured as a RAM disk and/or is maintained by a memory battery, or the small special battery, similar to those in your car's key fob, that a computer needs for timekeeping without other power. For example, Apple even recommends wiping your SMC and NVRAM when things go astray and has provided a utility to wipe the Secure Enclave that should be used by all users before selling or giving away a Mac with a Touch Bar.