ExpandedActivity mac (virus) - Free Guide
ExpandedActivity mac Removal Guide
What is ExpandedActivity mac?
ExpandedActivity hijacks your browser and installs additional PUPs to your Mac
ExpandedActivity is a PUP that causes push notification spam, browser settings' changes, and stealthy installations
ExpandedActivity is a potentially unwanted program that changes your homepage, alters search results, adds an extension that sends you advertisement spam. Additionally, it can install other malicious programs, which could create even more difficult problems.
This application belongs to the Adload adware[1] family, which specifically infects Mac systems. Usually, this happens because of users' negligence. They can leave data exposed on the Internet, open malicious links in phishing emails,[2] not update software for vulnerability patches, install “cracked” versions of programs. It gets discovered by people when their computer starts exhibiting unusual behavior. When they rush to investigate, they come across some unfamiliar files in their machine.
The most common icon used for this virus is a magnifying glass in a green background. It also quite often contains words like “search” or “activity” in the name.
Adware[3] is a growing problem for Mac users. What is worse, this adware is much more aggressive than typical adware on a Windows machine – it can intercept and decrypt all network traffic, use randomly generated names for installed files, use analysis avoidance techniques to prevent researchers from analyzing them, create hidden users on the system with known passwords.
NAME | ExpandedActivity |
TYPE | Adware, mac virus, browser hijacker |
MALWARE FAMILY | Adload |
DISTRIBUTION | Users get infected with the virus usually by installing freeware from unofficial sources or get tricked by social engineering tactics |
SYMPTOMS | Homepage changed from default to some other search engine; increased amount of advertisements, redirects; unseen files appear in the machine |
DANGERS | Altered search results can lead to dangerous websites, as well as pop-up ads; could automatically install other PUPs or malware |
ELIMINATION | Eliminating this Mac virus manually can be very tricky if you do not have experience. The easiest way would be to deploy a professional security tool SpyHunter 5Combo Cleaner or Malwarebytes to scan your system and delete every unwanted file |
FURTHER STEPS | FortectIntego should be used to completely wipe out any data left |
Users carelessness is the most common reason for adware intrusions
Most people think that they care a lot about their online privacy and safety, but when it actually comes time to take some precautionary steps, they turn a blind eye to warnings made by security professionals. If you have internet connection, it is important to know the rules and how to keep your system safe because you are vulnerable to multiple threats.
For a long time, even the most serious Mac experts claimed that they do not get viruses. This is, of course, partially true. The probability of an infection if you do not do anything you are not supposed to compared to Windows is quite low. But if you do, malicious programs created to infiltrate macOS systems are much more sophisticated and difficult to get rid of.
ExpandedActivity is spread through deceptive ads, suspicious websites, software bundling, and fake error messages like Flash Player updates. You should already know that clicking on random links on the world wide web is not a good idea. Please make sure first that the website you want to enter is secure. This includes making sure that the link has an S at the end of the HTTP because this means that the connection is encrypted.
An even bigger no-no is downloading “cracked” apps. Firstly, this is an illegal activity and can end up in a fine or even more serious problem for you. Secondly, websites distributing freeware are usually packed with useless applications disguised as handy tools.
If you still want to proceed, you should always make sure to use the “Advanced” or “Custom” installation process not to miss any steps. If you see any unrelated files to the program that you want to get, untick the boxes next to their names.
Fake Flash Player update websites are a social engineering attack. You should never listen to prompts asking you to download software because you are in danger or your version is out of date. They are always fake. Flash Player is non-existent since 2020 and was replaced because of its many vulnerabilities by a better technology – HTML5.
Getting rid of ExpandedActivity and identifying it can get difficult because it causes many symptoms
The process of infection
Adload has been known for some time. Unfortunately for many macOS users, neither XProtect[4] nor other simple engines detect it. A rule from Apple’s current XProtect definitions requires the scanned binary to contain the string “getSafariVersion” in order to trigger a detection. So malware creators have changed their code and do not include that string. This makes XProtect unable to detect such programs since the specific rule says that the string is necessary to detect the program. But even then, it is not always enough.
Victims of ExpandedActivity will find files in easy-to-find places and some much less-known areas that can be hard to detect. Some of the files belonging to the PUP can have a .plist extension which is a normal settings' file, also known as a “properties file,” used by macOS applications. It contains properties and configuration settings for various programs.
The adware has a particular file that is a key player. It is expanded into an app that presents as an authorization dialog that asks for the admin password. It is then used to install the rest of the components. First, it will place not only a LaunchAgent in the local user Library but also two LaunchDaemons in the local domain Library.
But it does not stop there; it also installs a user cronjob[5] and an executable in a subfolder of the user’s Library Application Support folder. The subfolders have unique numbers and are likely used to track the campaign. This code runs every 2 hours and a half.
Your privacy will suffer the consequences too
Various scripts and processes will report data back to tracking servers. These transactions could contain sensitive data, such as:
- Malware Removal Tool, a security component of macOS designed to remove certain known pieces of malware
- a list of installed system configuration profiles
- a list of items in the Applications folder
- a list of installed agents and daemons
- Unique identifier of the computer
- Chrome version
- macOS version
- Safari version
- User name
- IP address
ExpandedActivity's removal
You should not do this yourself unless you know what you are doing and what kind of .plist files you need to delete. This is because most of the preference .plist files will just reset the preference of the application. To keep your mind at peace, we recommend using professional anti-malware tools SpyHunter 5Combo Cleaner or Malwarebytes, which can detect unwanted programs and eradicate them completely. If you still want to try and delete it manually, follow the steps:
- Open Applications folder
- Select Utilities
- Double-click Activity Monitor
- Here, look for suspicious processes related to adware and use Force Quit command to shut them down
- Go back to the Applications folder
- Find ExpandedActivity in the list and move it to Trash.
If you are unable to shut down the related processes or can't move the app to Trash, you should look for malicious profiles and login items:
- Go to Preferences and select Accounts
- Click Login items and delete everything suspicious
- Next, pick System Preferences > Users & Groups
- Find Profiles and remove unwanted profiles from the list.
There are likely to be more .plist files hiding in the following locations – delete them all:
- Select Go > Go to Folder.
- Enter /Library/Application Support and click Go or press Enter.
- In the Application Support folder, look for any dubious entries and then delete them.
- Now enter /Library/LaunchAgents and /Library/LaunchDaemons folders the same way and terminate all the related .plist files.
The manual elimination process might not always result in full virus removal. Therefore, we still strongly suggest you perform a scan with security software.
Fixing your hijacked browser
ExpandedActivity adware also employs an unwelcome browser add-on which messes with the settings. After the dangerous files are eliminated from your system, you should take care of your browsers. You can get rid of cookies and cache automatically with the help of FortectIntego. Doing it manually is also an option, but it might take some time if you use several browsers. If you are using Safari, you should proceed with the following steps:
- Click Safari > Preferences…
- In the new window, pick Extensions.
- Select the unwanted extension and select Uninstall.
Cookies and website data:
- Click Safari > Clear History…
- From the drop-down menu under Clear, pick all history.
- Confirm with Clear History.
The simplest and quickest solution to this is completely resetting Safari:
- Click Safari > Preferences…
- Go to Advanced tab.
- Tick the Show Develop menu in menu bar.
- From the menu bar, click Develop, and then select Empty Caches.
Step-by-step instructions for other browsers you can find at the bottom of this article.
Getting rid of ExpandedActivity mac. Follow these steps
Remove from Google Chrome
Delete malicious extensions from Google Chrome:
- Open Google Chrome, click on the Menu (three vertical dots at the top-right corner) and select More tools > Extensions.
- In the newly opened window, you will see all the installed extensions. Uninstall all the suspicious plugins that might be related to the unwanted program by clicking Remove.
Clear cache and web data from Chrome:
- Click on Menu and pick Settings.
- Under Privacy and security, select Clear browsing data.
- Select Browsing history, Cookies and other site data, as well as Cached images and files.
- Click Clear data.
Change your homepage:
- Click menu and choose Settings.
- Look for a suspicious site in the On startup section.
- Click on Open a specific or set of pages and click on three dots to find the Remove option.
Reset Google Chrome:
If the previous methods did not help you, reset Google Chrome to eliminate all the unwanted components:
- Click on Menu and select Settings.
- In the Settings, scroll down and click Advanced.
- Scroll down and locate Reset and clean up section.
- Now click Restore settings to their original defaults.
- Confirm with Reset settings.
Remove from Mozilla Firefox (FF)
Remove dangerous extensions:
- Open Mozilla Firefox browser and click on the Menu (three horizontal lines at the top-right of the window).
- Select Add-ons.
- In here, select unwanted plugin and click Remove.
Reset the homepage:
- Click three horizontal lines at the top right corner to open the menu.
- Choose Options.
- Under Home options, enter your preferred site that will open every time you newly open the Mozilla Firefox.
Clear cookies and site data:
- Click Menu and pick Settings.
- Go to Privacy & Security section.
- Scroll down to locate Cookies and Site Data.
- Click on Clear Data…
- Select Cookies and Site Data, as well as Cached Web Content and press Clear.
Reset Mozilla Firefox
If clearing the browser as explained above did not help, reset Mozilla Firefox:
- Open Mozilla Firefox browser and click the Menu.
- Go to Help and then choose Troubleshooting Information.
- Under Give Firefox a tune up section, click on Refresh Firefox…
- Once the pop-up shows up, confirm the action by pressing on Refresh Firefox.
Delete from macOS
Remove items from Applications folder:
- From the menu bar, select Go > Applications.
- In the Applications folder, look for all related entries.
- Click on the app and drag it to Trash (or right-click and pick Move to Trash)
To fully remove an unwanted app, you need to access Application Support, LaunchAgents, and LaunchDaemons folders and delete relevant files:
- Select Go > Go to Folder.
- Enter /Library/Application Support and click Go or press Enter.
- In the Application Support folder, look for any dubious entries and then delete them.
- Now enter /Library/LaunchAgents and /Library/LaunchDaemons folders the same way and terminate all the related .plist files.
How to prevent from getting adware
Do not let government spy on you
The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet.
You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.
Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.
Backup files for the later use, in case of the malware attack
Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.
- ^ Phil Stokes. How AdLoad macOS Malware Continues to Adapt & Evade. Sentinel Labs. Security blog.
- ^ Webroot. Email Phishing, Vishing & Other Types of Attacks. Webroot. Cybersecurity Resources.
- ^ kaspersky. What is Adware? – Definition and Explanation. kaspersky. Resource Center. Threats.
- ^ Apple Platform Security. Protecting against malware in macOS. Apple Support Page.
- ^ Wikipedia. cron. Wikipedia. Free Encyclopedia.