Following Mr. Urdaneta’s hints, I sought out the Skype page on the MacUpdate site and downloaded the app. The result was a file named Skype Installer.dmg, which seems legit on first glance. However, opening this disk image file results in a MacUpdate installer, very similar to the adware-riddled custom installers used by sites like Download.com and Softonic.
Sure enough, when running this installer, it will display a license agreement that the user is likely to click right past, giving the installer the right to change the browser’s settings and install a “Search-Assist” browser extension[…]
This is behavior exhibited by many adware installers these days, and this particular license agreement is identical to the ones being used by the InstallCore adware. And sure enough, once the installer is finished, an InstallCore browser extension ends up installed in Safari[…]
I download from MacUpdate all the time and had never seen this. However, I found that the Firefox (Stable Version 41.0) download mentioned in the comments does download a “MacUpdate Installer” rather than the normal Firefox. The 1Password download is also not the actual 1Password. This only happens when I’m not logged into the site.
In contrast, the SpamSieve, BBEdit, and MarsEdit downloads are pristine even when I’m logged out. It looks like the installers are being downloaded from macupdatefiles.com, whereas the others are direct from the developers’ sites. So perhaps this has to do with the (seemingly removed) option where the developer could opt in (I think—it might have been opt out) to having MacUpdate host the downloads. I’ve always had that box unchecked for my apps.
Update (2015-11-06): Weaselboy:
If you look in the user reviews on the site for Skype there is some discussion of this issue and a comment from the site’s editor Joel Mueller acknowledged they are including adware with the installer. I have screen capped some excerpts here.
Update (2015-11-16): John Brayton:
MacUpdate is adding adware to more apps. Cyberduck is the latest.
Update (2015-11-29): David Kocher:
We therefore urge users to refrain from downloading Cyberduck from download sites such as download.com, softonic.com or macupdate.com which are or have in the past distributed adware (advertising-supported installers) without our consent.
Update (2015-12-08): Pixelmator and Skim now have MacUpdate installers.
Update (2016-01-20): Adam Chandler:
Today, I was downloading the Time Lapse Encoder tool to assemble some photos I took with the GoPro and I was greeted with an installer DMG that wasn’t the one the developer used. it was some strange package with a Macupdate logo and a prompt to install Yahoo extensions and make Yahoo my homepage.
Update (2016-04-10): Keith Gugliotto:
What matters right now, though, is if you read between the lines, MacUpdate isn’t planning to do anything about how some folks out there may experience that dreadful shiver I mentioned earlier when they perceive PUA.OSX.InstallCore is a bona fide threat to their data, identity, and finances. Causing users any kind distress is not cool with us.
I’m gonna throw [this link] into the mix. Search for “MacUpdate” on that page and you’ll find it occurs 82 times, with some pretty clear indications this isn’t just our imagination – others aren’t really taking to MacUpdate Installer, either. Alarm, disgust, distrust. All reactions you want associated with your brand, right?
[…]
Here’s hoping MacUpdate updates MacUpdate Installer so that it doesn’t trip alarms in common malware scanners, or they get in touch with those malware scanner developers to see if they can prevent MacUpdate Installer from being called out as truly infected.
Update (2016-05-24): MacUpdate started using their installer for my DropDMG app but stopped when I asked.