
Google running unauthorized updates as root on my mac

While working on a client project last night, I notice a flicker on my mac's desktop. Figuring it's just Time Machine doing its job, I ignore it and continue working on my project. A few seconds later, the mounted Volume icon disappears. I've never seen Time Machine complete a backup in seconds - it's a time hog. "What the hell was that??" I think...

Assuming the worst, I disconnect the system from the network and begin investigating. Digging through system logs, I find...

11/23/09 10:40:16 PM    /usr/sbin/ocspd[3377]   starting

11/23/09 10:40:29 PM    hdiejectd[3389] running

11/23/09 10:40:32 PM    installer[3402] Package Authoring Warning: GoogleVoiceandVideo.pkg authorization level is AdminAuthorization but was promoted to RootAuthorization for compatibility, ensure authorization level is sufficient to install.     

11/23/09 10:40:32 PM    installer[3402] Package Authoring Warning: Google voice and video Installer.mpkg authorization level is NoAuthorization but was promoted to RootAuthorization for compatibility, ensure authorization level is sufficient to install.

OK, so my first thought is there's a vulnerability in either ocspd or hdiejectd (neither is the case), and somebody's installing what looks like a package named "Google Voice and Video" but probably is some trojan.  I have no Google software on this system - no Picasa, GV, or whatever.  I don't even have a web browser opened at the time on any Google property.  I use Google Chat through Adium, but I'm familiar with Adium's update process - they wouldn't do crap like this. Obviously this is malicious content.  Or so I thought.

After some time Googling around, I find a few others who have complained about similar issues, most notably ArsTechnica.  While their issue is not exactly the same, it's close enough for me to realize that the "malicious" attacker I'm dealing with is Google themselves.

The point of this post is twofold - first, to help others who find strange Google installers running as root; second, to clarify what many of us find heinous about this:

  • A large established software company that should really, really know better is downloading and running an update on my system with full administrative privileges without my express consent. Microsoft has received user floggings over doing this in the past. Google might still have a strong enough fan club to avoid the floggings, but should still know better.
  • This Google Updater is no longer supported, according to one of Google's FAQs. Furthermore, the FAQ claims it should have uninstalled itself. AWESOME. Installing AND uninstalling software without my consent.
  • I'm sure at some point in the distant past I agreed to an EULA for some Google software I downloaded. Apparently around section 4 of said EULA it stated that I was giving Google permission to download and run items as root. This isn't a court of law, we're not arguing the legality of this practice - what I'm complaining about is:
    • Google burning through my trust
    • The chance that Google will never have a bug in their downloads or update process is zero.  It's just a matter of time until that "silent" download screws up my box.  It took me about an hour to track down and determine my system was safe last night, for an "upgrade" that went smoothly.  When that upgrade doesn't go smoothly, I'm looking at many hours of lost productivity.

Is Google Updater running on your system?

Google Updater runs as an OS X LaunchAgent, a launchd job that plays a role similar to a UNIX cron entry. If the Updater has a plist config file on your system, then the Updater is installed. From a terminal window, use ls to look for the plist file:

$ ls /Library/LaunchAgents/com.google.keystone.agent.plist

/Library/LaunchAgents/com.google.keystone.agent.plist

If you see something other than "No such file or directory," it's on your system.
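
The same check, generalized, as an added example that is not part of the original post and is not Google's or Apple's code: it looks through launchd job directories for any plist whose file name or Label starts with a given prefix and prints the program each one launches. The function names are made up for this example, and /Library/LaunchDaemons and ~/Library/LaunchAgents are the other standard launchd locations, included on the assumption that an updater could be registered there as well.

```shell
#!/bin/sh
# Added example: list launchd jobs whose file name or Label starts with a prefix.
# Function names are hypothetical; only XML plists are parsed (a binary plist
# can still match on its file name and is shown with "?" fields).

# plist_string FILE KEY: print the first <string> value that follows <key>KEY</key>.
plist_string() {
    awk -v key="$2" '
        index($0, "<key>" key "</key>") { want = 1 }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
            print; exit
        }' "$1"
}

# find_launchd_jobs PREFIX DIR...: print "plist<TAB>label<TAB>program" per match.
find_launchd_jobs() {
    prefix=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.plist; do
            [ -f "$f" ] || continue
            label=$(plist_string "$f" Label)
            # Match on the file name or on the Label, in case the file was renamed.
            case "$(basename "$f")|$label" in
                "$prefix"*|*"|$prefix"*) ;;
                *) continue ;;
            esac
            # A job names its executable in Program or as ProgramArguments[0].
            prog=$(plist_string "$f" Program)
            [ -n "$prog" ] || prog=$(plist_string "$f" ProgramArguments)
            printf '%s\t%s\t%s\n' "$f" "${label:-?}" "${prog:-?}"
        done
    done
}

# /Library/LaunchAgents is the directory from the post; the other two are the
# standard system-daemon and per-user locations (assumed worth checking too).
find_launchd_jobs com.google. \
    /Library/LaunchAgents /Library/LaunchDaemons "$HOME/Library/LaunchAgents"
```

No output means no matching job was found in those directories; each line of output gives a plist to inspect and the executable it would start.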

Google Updater Removal

Geekology has a post explaining how to uninstall the Google Updater...it worked very well for me.