PSA: The FileZilla for Mac Installer Contains Malware

This is just a public service announcement that the FileZilla installer for OS X from the official project page contains malware. This has been an issue for at least a year at this point (see this Hacker News thread and this thread on the official forums), but it’s something I actually encountered this morning: as soon as I downloaded the installer, Bitdefender detected that it contained the SpiGot adware engine.

The adware isn’t coming from FileZilla directly. The issue is that FileZilla uses SourceForge to host and distribute its binaries, and SourceForge’s installation wrapper bundles adware installers alongside the real download to generate revenue. In exchange, FileZilla’s developers get a small kickback. The inclusion of malware in the SourceForge wrapper has been happening for years now without the consent of the developers of the projects it hosts, but FileZilla has decided to stick with SourceForge rather than finding an alternative source of funding.

A few takeaways:

  1. Mac users can benefit from an antivirus program. When I worked in my college’s IT department, I saw enough infected MacBooks to convince me that the whole “Macs don’t get viruses” idea is outdated. Today, Bitdefender for Mac saved my bacon.
  2. SourceForge continues to be awful, and at this point should probably be approached with the same kind of caution you’d use for a torrent site or something.
  3. FileZilla’s community is surprisingly toxic. I discovered this while I was looking online to see if anyone else had reported the infected installer. Almost all of the threads on the official forum were deleted, and people in other discussion forums who discuss the controversy say that the project’s creator was actually trying to justify the malware inclusion. In my humble opinion, something as boring as an FTP client should not come with drama.
  4. It turns out that Cyberduck is a pretty solid alternative to FileZilla. It’s GPL-licensed and free to download, but it’s well worth the ~$20 it costs for the paid App Store version. I’ve also heard good things about Transmit, though I can’t personally vouch for it.