Skip to main content
Zoom could install malware: How to completely remove Zoom from Mac

Zoom could install malware: How to completely remove Zoom from Mac


It doesn’t take a rocket scientist to grasp the whys and wherefores of the skyrocketing use of Zoom, a popular web conferencing and screen sharing solution. The novel coronavirus pandemic is to blame for the global migration of workforce into the remote domain, which poses a slew of employee interaction challenges for businesses. The role of virtual meeting tools in this paradigm is to fill the communication void by providing a way for teams to solve day-to-day tasks outside the office.

With organizations relying so heavily on this type of software these days, robust security and privacy implementation is more than welcome. Unfortunately, this doesn’t appear to be the case with Zoom. Researchers have recently unearthed several flaws in this application that can be exploited to infect Mac computers with malicious code and eavesdrop on users.

Dubious setup with a flavor of privilege escalation

One of the oddities is about the way Zoom executes the installation process on a Mac. When a new participant joins a virtual meeting, they get a prompt to download and install the app onto their machine – so far so good. As a rule, the usual setup workflow includes a number of screens allowing the user to adjust and confirm the intended action.

The problem is, Zoom skips these technicalities and simply displays a request to allow the tool to determine whether it’s compatible with the Mac. The average user will think this is just one of the installation steps and will click “Continue”. However, this actually begins the installation of Zoom, which means that the compatibility popup isn’t all fair and square.

Zoom disguises its admin password request as a system prompt

To top it off, Zoom additionally plays a sketchy trick to escalate its privileges on a Mac as part of the installation. It engages the notorious ‘AuthorizationExecuteWithPrivileges’ API and displays a dialog requesting the admin password in situations where the current user has no root permissions to make changes to the Applications folder on the machine. The worst part is that this prompt misleadingly looks like it’s generated by the system rather than by Zoom.

VMRay analyst Felix Seele who discovered these inconsistencies admits that such a simplification of the install procedure is understandable to an extent, given that it applies to scenarios when a user joins a meeting and needs to get the product up and running as fast as possible. However, this is still a lame excuse for primitively jumping through the mandatory steps and getting root privileges, which is the exact same tactic commonly used by Mac adware to spread.

Microphone and camera access behind a Mac user’s back

One more vulnerability has been unveiled by a researcher named Patrick Wardle and it’s potentially even more disruptive. The thing is, Zoom doesn’t have appropriate measures in place to thwart the injection of malicious code into its process. It means that an adversary can lace the application with dodgy components that will automatically access the system’s microphone and camera without any prompts being displayed along the way.

Security bug in Zoom allows an attacker to access a Mac’s camera and microphone

On the one hand, it’s perfectly normal for a video conferencing instrument to request access to the microphone and camera. On the other hand, leaving a loophole behind that can be exploited by an attacker to get this scope of access is a huge concern that needs to be addressed urgently. Hopefully, Zoom engineers will fix this bug before cybercrooks weaponize it to amass sensitive business data on a large scale.

If you adhere to the “privacy first” principle and would like to discontinue using Zoom until the above flaws are patched, the following steps will help you uninstall the app from your Mac. Note that the procedure depends on the Zoom version you are currently using.

How to completely remove Zoom from Mac

If the product version installed on your machine is 4.4.53932.0709 or later, then the removal workflow is as follows:

  1. Open the Zoom app.
  2. Go to the Finder, expand the zoom.us menu, and select Uninstall Zoom in the drop-down list.

    Zoom removal from Mac

  3. When a confirmation dialog appears, click OK to complete the uninstall process.

    Confirm Zoom uninstall on Mac

In case the build of Zoom you are using is 4.4.53909.0617 or earlier, then the removal logic is different and slightly more complicated. Here is what you’ll need to do:

  1. Expand the Go menu in your Mac’s Finder and select Go to Folder.
  2. Enter ~/.zoomus/ in the folder lookup area and click Go.
  3. Drag the item called ZoomOpener to the Trash.
  4. Use the Go to Folder feature to browse to the directories named /Applications/ and ~/Applications/ (with a tilde symbol) in turn. In each folder, find zoom.us.app object and move it to the Trash.
  5. Navigate to /System/Library/Extensions/ and drag the entry named ZoomAudioDevice.kext to the Trash.
  6. Once again, use the folder search feature to go to ~/Library/Application Support. Find the zoom.us item there and delete it.
  7. Empty the Trash.




1

Was this article helpful? Please, rate this.

There are no comments yet.
Authentication required

You must log in to post a comment.

Log in