Are auto-downloaded malicious .dmg app files a security risk if they are never opened?

I visited a page to stream a TV show, and upon clicking the search result link got the following pop-up:

(initial pop-up)

I clicked OK, as nothing on Chrome was available, and when I did that, Chrome auto-downloaded a file called FlashPlayer.dmg.

Here is a picture of that file:

(screenshot of the downloaded file)

I didn't open the .dmg file or click on it at all. Instead, I immediately went to my downloads folder, deleted the file, and then emptied my trash.

I then went to see my downloads on Chrome; the URL seems to be something like www.makeymcmacface.com/prod/... (which Google indicates belongs to the Mac.Trojan.Genieo.33 type of adware).

My question is this: If I download a malicious .dmg file, but don't click on it to install it, am I safe? Or is there a possibility that by simply visiting a website that auto-installs a .dmg file, I could have compromised my security?


If I download a malicious .dmg file, but don't click on it to install it, am I safe?

You are safe. The .dmg (disk image) file is not the actual installer. The .dmg must be double-clicked to install it before it can run any code. Even if you double-click it (so long as you leave the security feature Gatekeeper on), you must approve both the "downloaded from the web" alert and the authentication prompt to actually permit the install to proceed.

Is there a possibility that by simply visiting a website that auto-installs a .dmg file, I could have compromised my security?

No, your security is not compromised unless you manually install the file. The reason for this is that a website can only offer a .dmg file for download. There is no "auto-install" for a .dmg app file. You may click on a link (or a button) to start the download, but disk images themselves are not "installed" by the download process—meaning they can't run any code on your Mac until you type in your password to install them (again, because of macOS's built-in security feature Gatekeeper). The disk image is merely saved to your designated folder (typically Downloads) then waits for you to take further action by double-clicking on it to mount it. For any code from that app to be run, you have to authenticate with your password.


Bonus tip: When a website tells you that your flash player is out of date by way of a pop-up like you've shown, that should be an automatic red flag! Outdated Flash Player alerts are almost never legitimate. Instead of clicking on that OK button on the notification like you did, you should force quit your browser: choose Force Quit from the Apple menu in the menubar—or just press Command+Option+Esc—then select Chrome/Safari and hit Force Quit. Hold down Shift while opening Safari to prevent the website from reloading.
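As an added example that is not part of the question or of any answer on this page: the "downloaded from the web" alert the answer above refers to is driven by the com.apple.quarantine extended attribute that browsers attach to downloads, and Gatekeeper only acts on a file that carries it. The script below reads that tag from a file, parses it (assumed layout flags;timestamp;agent;uuid with hexadecimal flags and timestamp; the sample value is constructed, not taken from a real download), and reports whether Gatekeeper assessment is switched on via `spctl --status` (assumed to print "assessments enabled" or "assessments disabled"). On a host without the xattr and spctl tools the file and Gatekeeper checks return None and only the parser runs.

```python
"""Inspect the macOS quarantine tag that Gatekeeper acts on.

Added example, not code from the question or any answer above.
Assumptions (labelled): the com.apple.quarantine value has the layout
"flags;timestamp;agent;uuid" with flags and timestamp in hexadecimal,
and `spctl --status` prints "assessments enabled" or "assessments disabled".
"""
import shutil
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_ATTR = "com.apple.quarantine"

# Constructed sample value, shaped like what a browser writes for a download.
SAMPLE_VALUE = "0083;5e7b2c3d;Chrome;A1B2C3D4-0000-1111-2222-333344445555"


@dataclass
class QuarantineInfo:
    flags: int              # raw flag bits; their meaning is Apple-internal, kept as-is
    downloaded_at: datetime  # when the tag was written (UTC)
    agent: str              # application that wrote the tag, e.g. the browser
    uuid: str               # links the file to the LaunchServices quarantine event


def parse_quarantine(value: str) -> QuarantineInfo:
    """Split a raw com.apple.quarantine string into its fields."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(flags, downloaded_at, parts[2], uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute string, or None if the file is not tagged
    (or the xattr tool is unavailable, e.g. on a non-macOS host)."""
    if shutil.which("xattr") is None:
        return None
    result = subprocess.run(
        ["xattr", "-p", QUARANTINE_ATTR, path],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:  # attribute missing or file unreadable
        return None
    return result.stdout.strip()


def gatekeeper_enabled() -> Optional[bool]:
    """True/False from `spctl --status`; None when spctl is unavailable."""
    if shutil.which("spctl") is None:
        return None
    result = subprocess.run(["spctl", "--status"],
                            capture_output=True, text=True, check=False)
    text = (result.stdout + result.stderr).lower()
    if "disabled" in text:
        return False
    if "enabled" in text:
        return True
    return None


def describe(path: str) -> str:
    """Human-readable verdict for one downloaded file."""
    raw = read_quarantine(path)
    if raw is None:
        return f"{path}: no quarantine tag (Gatekeeper will not treat it as a download)"
    info = parse_quarantine(raw)
    gk = gatekeeper_enabled()
    gk_text = {True: "on", False: "OFF", None: "unknown"}[gk]
    return (f"{path}: tagged by {info.agent} at "
            f"{info.downloaded_at:%Y-%m-%d %H:%M:%S} UTC; Gatekeeper assessment {gk_text}")


if __name__ == "__main__":
    # Stand-alone run: show the parsed constructed sample, then any paths given.
    print("Parsed constructed sample:", parse_quarantine(SAMPLE_VALUE))
    print("Gatekeeper assessment enabled:", gatekeeper_enabled())
    for p in sys.argv[1:]:
        print(describe(p))
```

Run it as `python3 quarantine_check.py ~/Downloads/FlashPlayer.dmg` on a Mac to confirm that a freshly downloaded image still carries the tag (so Gatekeeper will prompt before anything in it runs) and which application wrote it; a tag that is absent on a file you know came from a browser is worth a closer look.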


You are always safe when you don't open the DMG as the app is in a container and it can't execute itself.

Security tips regarding downloads:

  1. OS X always shows a popup asking whether you want to open this file.
  2. OS X is secured by default to only open applications that are downloaded from the App Store. Even if you want to install an application that is not from the App Store, you still need to disable the security (via Settings > Security and Privacy > press the lock in the bottom left corner, enter your passcode and set 'Anywhere').

You are probably safe

As long as you don't open or install anything it is pretty hard to get a virus.

If you haven't disabled Gatekeeper (an internal system process that makes sure that software from unidentified developers does not open unless you type in an admin password to confirm that it is safe) you are 99.99% safe.

For future reference: A .dmg file is a disk image file. Even when you open a .dmg, it will only mount the disk. This means that it opens up a little folder on your desktop kinda like when you put a CD in your mac. You can't edit the folder, you can only eject it. To eject the mounted disk, just click the little eject button, or drag it to the trash can.

Here is a quote from Wikipedia about disk images:

An Apple disk image allows secure password protection as well as file compression, and hence serves both security and file distribution functions; such a disk image is most commonly used to distribute software over the Internet.

HOWEVER:

If your browser keeps opening up these malicious advertisements, you may already have adware on your computer (check through your Chrome extensions). Any extension that installs a new search engine is likely adware.

Pro tip: Install Adblock. It is damn near impossible to get a virus with Adblock unless you are actively seeking out malicious websites. Adblock will prevent sites from opening up these annoying pop-ups and will remove ads from YouTube and basically every other site on the internet. https://chrome.google.com/webstore/detail/adblock/gighmmpiobklfepjocnamgkkbiglidom?hl=en-US


I'm going to make this easier for you to understand.

  1. Am I safe, if a suspicious file was downloaded but never opened or installed in my Mac?

Yes you are safe.

  2. Am I safe, if I was redirected to an unknown website, when I clicked on a notification shown on another website?

No, not really. There is a 99% chance that you get infected by 0day exploits used by hackers to turn your computer into their bot. In order to protect yourself from such hack attempts and attacks, always use popup & ad blockers, and avoid visiting sites which redirect or open popups.