Malware often disguises itself inside of seemingly non-malicious files, such as installer packages, where it can then gain root access to your computer to track activity or steal your information.
While your Mac does a good job of protecting you, thanks to built-in features like Gatekeeper, there are other preventive steps you can take to check if third-party apps not hosted in the Mac App Store are safe to install.
There are two ways to install Suspicious Package on your computer. The first is to download its software installer package (linked below).
Since it does seem sort of paradoxical to download an installer package without viewing what files are contained within it, the devs offer the option to directly place the Suspicious Package plugin in your Library folder. First, download the XIP archive (linked below) and extract the plugin.
Now open Finder, click on "Go" in the menu bar, hold down the Alt/Option key to bring up the Library option, then click on it. Inside of Library, create a folder called QuickLook.
If you want to make Suspicious Package available to all users on your Mac, create a QuickLook folder in the main Library folder on your startup disk (most likely called Macintosh HD) instead. Chances are, you already have one there anyway, so you won't need to create one.
Drag the Suspicious Package plugin you extracted earlier into the QuickLook folder. Delete this same plugin at any time if you ever want to uninstall Suspicious Package.
Finally, to get Suspicious Package working, you'll either need to reboot your computer or enter the following command into Terminal:
When you hit the Enter key, Suspicious Package will begin working.
Using Suspicious Package is easy: simply find an installer package on your computer, right-click on it, and select the "Quick Look" option.
Instead of the typical preview, a window will appear that shows you what files will be installed, what scripts will run, the validity of the signature on the package, and more.
Now that you know how to access the insides of installer packages, it's crucial to learn how to read this information in order to make sure that what you're installing on your Mac is safe.
At the top of the Suspicious Package window, you'll get a quick look at the name of the installer, the package signature, the number of scripts that will run, the size of the file, and the last time it was modified. Out of all the information in this section, the one you want to focus on is the package signature, which is what OS X uses to help protect users from installing malicious software.
In the screenshot below, you can see that the package was signed with a valid Developer ID certificate (hence the badge in grey), issued to a third-party developer by Apple, which allows the developer to distribute their software without having to use the Mac App Store.
On the Suspicious Package FAQ page, you can check out the signature types that you should look out for, including four that are trusted (in grey and blue) and three that are not trusted (in red). If the package you want to install has a signature type with a red badge, don't install it.
Another indicator of malicious activity is the list of installed files found at the bottom of the Suspicious Package window. Depending on the size of the package, you might have just one file or many, which you can see below.
The package I was checking out was for Microsoft Office, so I found files for installing Word, PowerPoint, Excel, and more. Check this section thoroughly for any files that seem out of place for the type of app you're installing. If you're installing a music player, for example, you know something is fishy if you see that "Bing Toolbar" is being installed too.
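The same three checks (signature, scripts, contents) can be made without opening or running the package, because a flat .pkg is a xar archive whose table of contents is plain XML. The sketch below is an added example, not Suspicious Package's own code, and goes a step beyond the page by reading the file format directly; the function names, the `MAX_TOC` cap and the sample bytes are assumptions made for illustration.

```python
import struct
import zlib
import xml.etree.ElementTree as ET

HEADER = ">IHHQQI"          # magic, header size, version, packed/unpacked TOC length, checksum alg
MAX_TOC = 16 * 1024 * 1024  # assumed cap so a hostile TOC cannot balloon in memory

def read_toc(fh) -> ET.Element:
    """Parse the zlib-compressed XML table of contents; no payload is unpacked or run."""
    head = fh.read(28)
    if len(head) < 28 or head[:4] != b"xar!":
        raise ValueError("not a xar archive")
    _magic, hdr_size, _ver, packed, unpacked, _alg = struct.unpack(HEADER, head)
    if hdr_size < 28 or max(packed, unpacked) > MAX_TOC:
        raise ValueError("implausible xar header")
    fh.seek(hdr_size)
    xml = zlib.decompressobj().decompress(fh.read(packed), MAX_TOC + 1)
    if len(xml) != unpacked or b"<!DOCTYPE" in xml:
        raise ValueError("TOC size mismatch or unexpected DOCTYPE")
    toc = ET.fromstring(xml).find("toc")
    if toc is None:
        raise ValueError("no <toc> element")
    return toc

def inspect_pkg(fh) -> dict:
    """Report signature presence, script archives and archive members."""
    toc, paths = read_toc(fh), []
    def walk(node, prefix):  # nested <file> elements form directories
        for f in node.findall("file"):
            paths.append(prefix + f.findtext("name", default=""))
            walk(f, paths[-1] + "/")
    walk(toc, "")
    return {
        "paths": paths,
        # Presence only: this does not validate the certificate chain or trust.
        "has_signature": toc.find("signature") is not None,
        "cert_count": sum(e.tag.endswith("X509Certificate") for e in toc.iter()),
        "script_archives": [p for p in paths if p.split("/")[-1] == "Scripts"],
    }

def pack_xar(toc_xml: bytes) -> bytes:  # helper used only to build the sample
    packed = zlib.compress(toc_xml)
    return struct.pack(HEADER, 0x78617221, 28, 1, len(packed), len(toc_xml), 0) + packed

# Constructed sample laid out like a flat .pkg for a music player; not a real installer.
SAMPLE = pack_xar(
    b'<xar><toc><file id="1"><name>Distribution</name></file>'
    b'<file id="2"><name>player.pkg</name><file id="3"><name>Payload</name></file>'
    b'<file id="4"><name>Scripts</name></file></file></toc></xar>')
```

Pass `inspect_pkg` a file opened in binary mode; only the header and table of contents are read, so large installers are cheap to check. A missing signature element is a reason to stop, while a present one still has to be validated, which `pkgutil --check-signature` does on a Mac.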
With Suspicious Package and all of the existing security features on your Mac, you'll never have to worry about installing any malicious files again.