How did Google get on my Mac?

6

1

I am running a MacBook Pro, and have never installed Chrome, Google Earth, or anything blatantly Google.

Just installed Little Snitch (are there no good free firewalls for Mac?) and see that CURL is sending to Google every few minutes, as is a request to Google update and more.

Little Snitch doesn't say what program set up these requests.

So, how do I find out how Google got on my machine, why is it sending so many requests (every minute or so) and how do I remove it (and is it there for reasons other than to help Google spy on me)?

SamGoody

Posted 2012-10-14T08:19:29.230

Reputation: 375

1wireshark may be useful here, as would netstat - the former detects network traffic more in depth than little snitch, and netstat detects current connections and what applications are sending stuff – Journeyman Geek – 2012-10-14T08:48:18.963

Have you configured any google service at all? say, google talk? calendar? mail? And can you provide the exact request sent to google? – Nir Levy – 2012-10-14T12:48:07.887

Answers

9

Just installed Little Snitch (are there no good free firewalls for Mac?)

One could say you don't really need a third party firewall for OS X. There's one built in, and while Little Snitch certainly does the job, I don't see lots of practical uses for it. If only, to make users paranoid. Most of the time, you want to check if some application is "phoning home", but after you get hundreds of alerts just to start up a program, it could become more annoying than useful.

If you don't want to spend any money, stick with the built-in one.

CURL is sending to Google every few minutes

This could be almost anything. If you have Google synchronization enabled through Address Book or Calendar, then contactsd will connect to Google. If not, then it's very likely that any application you have installed pings Google to check whether you're connected to the internet at all. Not very classy, but how often do you find yourself checking ping google.com in the terminal?

The primary problem here is that Little Snitch doesn't report the process that is calling curl or ping. What you can do to find out the parent process is described in this Security.SE answer. Basically, you can create a wrapper script for the binaries to find out who called them:

sudo cp /usr/bin/curl /usr/bin/curl.bin
sudo nano /usr/bin/curl.wrapper

Here, copy this:

#!/bin/sh

date >> /var/tmp/curl_ppid.log
ps -f -p $PPID >> /var/tmp/curl_ppid.log

exec curl.bin "$@"

Save with CtrlO, then press . Now:

sudo chmod 755 /usr/bin/curl.wrapper
sudo touch /var/tmp/curl_ppid.log
sudo chmod a+w /var/tmp/curl_ppid.log
sudo ln -sf /usr/bin/curl.wrapper /usr/bin/curl

Now you can see who called curl by inspecting the newly created log file in /var/tmp/curl_ppid.log.

To check which process belongs to a PID, use:

ps -fp <pid>

where <pid> is the process ID you acquired from the logfile.

If you ever want to reverse this process, this is enough:

sudo cp /usr/bin/curl.bin /usr/bin/curl

slhck

Posted 2012-10-14T08:19:29.230

Reputation: 182 472

It's annoying for the first week, after that, you'll only encounter annoying firewall confirmations every once in a while. In the 6 years I've used Little Snitch, I've fended off Strange Calls Home and Located a Trojan. – Sandwich – 2016-08-31T17:19:50.487

This doesn't work is System Integrity Protection is turned on (one cannot make changes inside /usr/bin. How does one do this without turning off SIP? – Technical Bard – 2018-03-18T14:32:14.003

1You don't see a practical use for Little Snitch? Wow. I guess you have absolute trust in every application on your Mac. I sure as hell don't. – Fake Name – 2012-10-14T10:48:51.327

2I said I don't see lots of practical uses for it, not "none at all". I certainly wouldn't trust every application. – slhck – 2012-10-14T11:03:32.720

Asked: 2012-10-14T08:19:29.230

Viewed: 2 012 times

Active: 2016-04-22T16:14:16.903