how to remove Google’s secret update software from your mac

If you’ve ever downloaded Chrome, even for just a trial (guilty!), you might not be aware that Google have slipped a little bit of hidden software into your Library.

This software is called Google Updater, and it secretly “calls home” on a regular basis and downloads updates to your Google software without either asking before, or notifying you after, doing so. In Developer circles, this is considered very shady practice. Users should be asked for consent and informed when software makes changes to either itself or the user’s computer, and ideally those notifications should tell the user what has been changed and how the changes could impact them.

Before I beat this drum any harder, however, I owe you at least the other side of the story. If I worked for Google, I’d probably come up with this response: “Hey look, a major source of computer virus and malware infections is that users are often using out-of-date software that hasn’t been patched to combat newly-discovered exploits. No matter how much we tell users to keep their software up-to-date, the truth is the majority don’t. We provide an automatic updater so that users don’t have to worry about it, and can be assured they’re always using the latest and safest version of our software”.

I’ve heard this argument so many times, I don’t doubt it’s something close to what Google would actually argue. My problem with this is that while automatic updates can be a good thing if they’re security related, it’s not at all clear why an app should be updating itself automatically for any other reason, or why it’s updating itself without providing notifications about when and what updates were made.

If an independent developer did that, they’d almost certainly find their software labelled as “suspicious” at best, and “dangerous” at worst. The fact that Google is a multinational, global enterprise with a stranglehold on the internet, and which is often tangling with the law in countries throughout the world, may make you feel more or less confident that they can be trusted more than independent developers, whose income depends very much on their reputation. I’ll leave that one for the reader to decide. 😉

Do I have Google Updater?
To see if you’ve got Google Updater hiding on your system, try this quick test in Terminal. Triple click the line of code below to highlight it.

defaults read com.google.Keystone.Agent

If you’ve previously installed my Terminal workflow, just hit control-opt-cmd-T or right/control click and choose “Services > Run in Terminal” from the contextual menu. Alternatively, if you have my free utility app FastTasks 2, the Analyser’s Profile view will show you if Google Updater is installed (see ‘Locate Google Updater’ below for the locations to check in the profile view). Elsewise, manually copy and paste it into a Terminal window.

If the result comes back as

Domain com.google.Keystone.Agent does not exist

you’re fine. Google Updater has not found its way into your system. Anything else and you’re going to need to decide whether you want to remove it or not. If you’re a regular Chrome user, keeping Updater might prove convenient, though you’ll have to live with the idea that the app is updating itself in ways over which you have no control. If you rarely or never use Chrome, there’s no reason to have this hidden process regularly calling home to Google every time you’re connected to the net.

How do I remove it?
You have two options. You can either disarm it or you can nuke it. Disarming it is simplest; it’s a one-line Terminal command:

defaults write com.google.Keystone.Agent checkInterval 0

This command tells the Updater how often to “call home”. A value of 0 basically means ‘never’. Disarming it is probably better than nuking it if you still keep Chrome on your system and use it occasionally. You can temporarily set it back to something like ‘once a week’ from time to time to check for security updates with

defaults write com.google.Keystone.Agent checkInterval 604800

Nuking the Google Updater is a bit more complex. You’ll want to run some uninstaller commands, and then you’ll want to go and clear up the crud that is still left behind. And before you can do either of those, you need to find out where it’s hiding. So, we have a three-step process.

1. Locate Google Updater
Triple click the first of these two lines, and choose ‘Services > Reveal in Finder’ from the contextual menu (that’s another right-click or control-click on the selected line), and then repeat for the second line:

~/Library/Google
/Library/Google

You will likely get the error message “The operation can’t be completed because the item can’t be found” from one of these lines, but not the other. Note that the difference is all in the presence or absence of the tilde ~. Make a note of which one worked, and run the appropriate commands in step 2.

2. Run the uninstaller commands

Run these in Terminal (again, triple clicking to highlight and doing the usual trick afterwards with shortcut key or Services menu if you have my workflow installed), one at a time:

Updated, Jun 2018:
If the Updater was in your user library (with the tilde ~), then first triple-click this (it’s all one line) and run it in the Terminal:

~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ksinstall --uninstall

then this:

touch ~/Library/Google/GoogleSoftwareUpdate

If the Updater was in your domain library (no tilde ~), then first do this (it’s all one line):

sudo /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ksinstall --uninstall

and enter your Admin password (note that you won’t see any indication of your password being typed in the Terminal window). Then do this:

sudo touch /Library/Google/GoogleSoftwareUpdate

3. Clear up the crud
If the updater was in your user library, open that now and go to

~/Library/Google/

and delete the folder called ‘GoogleSoftwareUpdate’. If you don’t use any other Google software (I don’t), you can just delete the entire ‘Google’ parent folder.

If the updater was in your domain library, search for the same folder and send it to the trash. You will need to give Finder your admin password to authorise the move.

Next, let’s just check the uninstaller was successful. Look for the following. If you don’t find them, good (the installer did its job). If you do, help them on their way to oblivion by sending them to the trash:

~/Library/Caches/com.google.Keystone.Agent
~/Library/LaunchAgents/com.google.Keystone.agent.plist
~/Library/Preferences/com.google.Keystone.Agent.plist

If you’ve deleted Chrome from your Applications folder too, then you might as well hunt down and exterminate its prefs list while you’re at it:

~/Library/Preferences/com.google.Chrome.plist
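To check all of the locations from steps 1 to 3 in one pass, here is a read-only audit script. It is an added example, not part of the original post or of any Google tooling; the function names and the optional SYSTEM_ROOT argument (used only to point the check at a scratch directory) are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only audit of the Google Updater (Keystone) locations
# named in this post. It never deletes or modifies anything.

tab=$(printf '\t')

# classify PATH -> "dir" (folder, e.g. the updater itself), "file" (regular
# file, e.g. a plist or the empty file left by the `touch` step), or "absent".
classify() {
    if [ -d "$1" ]; then echo dir
    elif [ -e "$1" ]; then echo file
    else echo absent
    fi
}

# keystone_audit HOME_DIR [SYSTEM_ROOT]
# Prints one "state<TAB>path" line per location. SYSTEM_ROOT is prefixed to
# /Library; leave it empty on a real Mac.
keystone_audit() {
    home=$1
    root=${2:-}
    for p in \
        "$home/Library/Google/GoogleSoftwareUpdate" \
        "$root/Library/Google/GoogleSoftwareUpdate" \
        "$home/Library/Caches/com.google.Keystone.Agent" \
        "$home/Library/LaunchAgents/com.google.Keystone.agent.plist" \
        "$home/Library/Preferences/com.google.Keystone.Agent.plist"
    do
        printf '%s\t%s\n' "$(classify "$p")" "$p"
    done
}

# keystone_verdict HOME_DIR [SYSTEM_ROOT]
#   installed - a GoogleSoftwareUpdate folder exists (run step 2)
#   leftovers - only stray files or caches remain (finish step 3)
#   clean     - none of the locations exist
keystone_verdict() {
    report=$(keystone_audit "$1" "${2:-}")
    if printf '%s\n' "$report" | grep -q "^dir${tab}.*/GoogleSoftwareUpdate\$"; then
        echo installed
    elif printf '%s\n' "$report" | grep -qv '^absent'; then
        echo leftovers
    else
        echo clean
    fi
}

# On a Mac, also show the check-in interval that the post sets to 0.
if command -v defaults >/dev/null 2>&1; then
    defaults read com.google.Keystone.Agent checkInterval 2>/dev/null \
        || echo "checkInterval: not set"
fi
keystone_audit "$HOME"
echo "verdict: $(keystone_verdict "$HOME")"
```

A verdict of "installed" with a `dir` line under /Library rather than ~/Library tells you which of the two uninstaller commands in step 2 applies.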



The following sources were used in researching this post:
http://wireload.net/products/guu-google-update-uninstaller/
http://raamdev.com/2008/howto-remove-google-software-update-on-mac-os-x/
http://blog.slaunchaman.com/2010/06/30/google-earth-now-available-without-automatic-updates/
https://support.google.com/installer/answer/147176?hl=en
‘Don’t be evil’ picture was remediated from here.



About philastokes

Independent Software Developer, Technical Writer and Researcher at SentinelOne. Explaining the unexplainable with images, video and text. Scripting anything imaginable in AppleScript, Bash, Python and Swift.

Posted on July 13, 2014, in Security. 27 Comments.

  1. I don’t have Chrome installed anymore. Terminal reveals the Keystone agent is active. I then started the procedure above, but *both* libraries reveal ok in Finder. So what do I do in that case? Thanks

    “~/Library/Google
    /Library/Google

    You will likely get the error message “The operation can’t be completed because the item can’t be found” from one of these lines, but not the other”

  2. Is this set of instructions for Mac or Windows? Thank you

  3. Thank you! I had already found com.google.keystone etc. in Launch Agents, but didn’t know what it was. Looking because of annoying pop-up to update Google Earth which I don’t even have on my Mac. Figured out that it was somehow related to downloading Chrome a day ago and had deleted Chrome, but your article and solutions answered all my questions and helped me clean this nasty out. TIP: Tell people to look in their “Preference Panes” as well as “Preferences” and also in “Launch Daemons” as well as “Launch Agents.”

  4. Thank you Philastokes! How you ever figured it out, I’ve no idea.

  5. Phil – I used Firefox for many years but discontinued because it is no longer very secure; Safari seems too limited for me, and, I took the plunge to Chrome a month ago but am having serious doubts. What browser(s) work for you? Thanks.

    • Hi Steve

      My current favourite is Opera Developer.

      • Thanks for your suggestion. I’ve been using Opera. However, I just read that ~2 weeks ago Opera Browser was approved to be sold to China. Have looked at Vivaldi and Brave, and then there’s Chromium, but realistically it comes down to Safari and Chrome. Sigh.

        • Out of interest, why didn’t you like Vivaldi?

          • Based on your much appreciated indirect recommendation, I did deeper Vivaldi research. I’m now using Vivaldi as default browser. Prior to today, my lack of interest was based on the fact that it was too small a niche as of yet, maybe not mature enough, and how can they survive especially with Desktop browser direction and future becoming more murky as Mobile continues to dominate. But, reading their blogs, forum and better understanding their history, commitment, and the friendly mutual loyalty that exists between the developers and global users, I came to appreciate that Vivaldi might be sustainable if it can continue to grow sufficiently. It’s refreshing to be a supporter of this browser effort to preserve proven common sense features, good feature combination, and innovation to boot.

            [ On another NOTE: I am using a couple of your numerous products (DetectX purchase and also FastTrack 2), and will be looking further at some of your other tools, in time. And thanks for your assistance related to my concerns/questions. ]

          • I think Vivaldi is a very good browser and deserves all the support it gets. It’s what I was using before I switched to Opera Developer (largely because of the built-in ad blocker and VPN service).

          • fyi, I saw the blog donate button at bottom and will be donating. I had just stumbled on your site/blog when I first made contact, and much appreciate your time/help.

            I really liked Opera’s ad blocker as well. With Vivaldi I still have access (albeit an extension) to Ublock Origin which I like, though maybe it does not do precisely the same thing(s).

            Regarding ‘Opera’:
            (1) Of course you do not have to answer this, but am curious how new company ownership would not seem to be a concern for you. If Vivaldi does not sustain itself (I still don’t know how they can monetize being so small), I may be looking again at …. Opera?
            (2) I initially used Opera Developer, but later switched to Opera Stable (Opera Beta of course being the other option). ‘Developer’ worked flawlessly, but I was concerned that it might be more prone to security holes by just virtue of its being ‘Developer’ mode. And at those points when Developer has security fixes in it (probably in every iteration), I would hope/think they would push it out asap, and maybe they do. But from what I read, it seems that they infrequently update Opera Stable. What are your thoughts?

          • Hi Steve

            I understand your concerns. Security is becoming an increasingly bigger issue, and it’s only going to become more so moving forward.

            I think everyone has to answer the security question for themselves. In relation to browsers, what does the user use the internet for and what kind of threats do they realistically face? I think when you have solid answers to those questions, you can make informed choices and take appropriate actions.

            So, if I look at my own case, I can answer your questions, but my answers might not be applicable to other people’s situations.

            1. What do I use the browser for?
            Mostly light browsing, news, blogging, but I also manage a small software business primarily via a browser. Which leads to:

            2. Do I visit any secure sites?
            Yes, the sites related to my software business and this blog require a certain level of trust, but I don’t use the browser (any browser’s) built-in password manager to store passwords. I use a trusted 3rd party password manager (1Password). The level of intrusion I need protection against is criminal hackers. I don’t need protection against State actors / government agencies.

            3. Do I worry about privacy concerning the sites I browse?
            Again, no. My browsing behaviour is fairly mundane, and you don’t need to hack my browser to find it out: ArsTechnica, Apple, Guardian and a few tech sites. English football, that’s it.

            4. I don’t do online banking, but again if I did I’d see that as a threat from criminal hackers rather than state actors.

            5. Am I worried about Opera being owned by ‘the Chinese’.
            TBH, I hadn’t heard of this before you mentioned it, and I haven’t had time to look into it yet (I will do, though). I don’t know whether that means the Chinese state or some private Chinese company. Either way, I don’t fear the Chinese gov’t snooping on me any more (or less) than the American or British gov’ts snooping on me. I do think that if you use Opera Developer’s built-in VPN, you’d be foolish to put anything through it that you think is ‘sensitive’. I don’t entirely trust ssh, and I certainly don’t trust private VPN companies to deliver anything other than speed. Security is not what they’re offering, no matter what they say in their promo material.

            I do worry about powerful entities censoring or manipulating information, but I don’t think that’s a live issue with browsers at the moment. Google, Facebook and a number of large political lobbying forces have certainly been influencing social media for some years now. I don’t think my choice of browser makes much difference here.

            6. Am I worried about security bugs in Developer releases?
            Yes! I worry about bugs in public releases too. In fact, I worry about bugs in software all the time. Again, though, the security threats I think I face are from criminal hackers. I let my browser handle as little of my security as I can, but of course, there’s no knowing what you don’t know till it’s too late (it’s why I also use my own products, especially DetectX, on a daily basis — apologies for the shameless plug there!). Although Developer releases may well contain bugs that public releases don’t, it’s unlikely criminal hackers will be focused on finding and exploiting those simply because the user base is too small to provide a good return on their investment of time.

            In short, my attitude to browsers and the internet in general post-Snowden is to assume that everything I do online is transparent to someone. But I also assume that 99% of the time that someone is a different someone from one time (or even one url request) to another, and with neither the time nor interest to care what I’m doing. I take it as an intrinsic and unavoidable risk that if a powerful someone (like a nation-state spy agency) wanted to know what I was doing online, there’s little I could do to stop them. At the same time, I try to minimise my exposure to being exploited by significantly less-powerful but nonetheless dangerous criminal gangs or hackers. In that regard, I don’t see any reason at the moment to think Opera is less safe than any other browser.

      • Hi Phil – Piggybacking on this same thread regarding browsers, would appreciate your thoughts on matured browser sandboxing (or lack there of) in the various browsers.

        ==>> Background, as I understand it:
        (A) Browser sandboxing (i.e., separate spawned child process) for (1) separate process for UI and for web page content, (2) sandboxing multiple open tabs, and, especially (3) sandboxing add-ons (of which I usually limit to just 3) into separate child processes.

        (B) From my reading, (1) Chrome sandboxing has been a mature feature for a number of years, (2) it appears that Microsoft Edge might be well along with that feature (I use Mac only; Windows itself still has too many other issues for me), (3) Firefox is just now beginning to roll out its Electrolysis E10s for splitting UI and Content into separate process, with hopes (maybe a bit too ambitious) for sandboxing certain white-listed add-ons by EOY 2016, with multiple tab sandboxing by mid-2017 (again, maybe too ambitious), (4) but with Opera and Vivaldi it seems at best that you have to geek-force Chromium itself as predecessor to implement Opera or Vivaldi builds that have any sort of sandboxing (too much headache and time for me, and unsure what I would end up after learning curve and all the work).

        ==> Your further input:
        (C) With your current preference for Opera (and Vivaldi prior to that), is sandboxing *not* so important to you (or maybe you bootleg it from Chromium into Opera)? If so, why not? Maybe I am missing something, but sandboxing as I understand it is a very important browser security feature … one that I am just learning about.

        (D) Based purely on matured sandboxing features, Chrome seems to be the only option for me, but just can’t seem to go there. Would like to hold out for the un-guaranteed and still distant Firefox sandbox project but that currently offers only its initial level of sandboxing which is still in early rollout. Then too, I could stick with Opera and/or Vivaldi, but I have ‘lack of sandboxing’ reservations about them. Obviously each individual has to make his/her own decision. And as you have already mentioned, browser decision is based, in part, on how one uses the browser(s).

        Would appreciate your thoughts [ based on your already stated (in this thread) use and approach to browsing ], and subject of course to your level of interest, and availability.

        Thanks,
        Steve

        • Interesting question. My understanding is that Safari, Vivaldi and Opera all sandbox pages and/or tabs that pages are in, while the parent app itself isn’t sandboxed, but doesn’t need to be, since the app’s runtime shouldn’t be vulnerable to a child process that’s spawned and isolated in a sandbox of its own.

          You can see this if you take a look at what’s going on in Activity Monitor. With Vivaldi, each ‘helper app’ is a separate tab (Opera shows the same thing) and is sandboxed:

          You can see a similar thing in Safari, where each page gets its own process and identifier:

          That said, I’m no expert in this area, so if you or anyone else has got a deeper understanding feel free to share!

          EDIT: Incidentally, Safari seems to be much more efficient at this than Vivaldi or Opera, whose child processes seem to burn up a fair bit more CPU time than Safari’s do.

          • Thanks for the tip! I had never noticed Activity Monitor’s ‘sandbox’ Viewable Column. I take it at face value (knowing that sandboxing spawns multiple processes) and feel much better about Opera and Vivaldi. I’ll just have to assume that the sandboxes are sufficiently comprehensive. As a safety net, I still do one-at-a-time logins using single tab: then close browser, clear it out, and re-open browser for next login. What was interesting to me is that (as far I could tell) Opera and Vivaldi sites do not point out the ‘sandbox’ security feature(s) as do, as I recall, the major browsers [ confirmed by the fact that search efforts for the minor browsers did not yield any meaningful sandbox-related results … the only thing I found was at Opera or Vivaldi forums and seeing user comments on one of them, about the user-side ‘bootlegging’ idea that I earlier commented on ]. Even Mozilla’s Firefox Wikipedia entry gives considerable space to its full-featured progression in this area. But then they are playing catchup just to survive. Hope it’s not too late.

  6. xeriphas1994

    Fascinating. Even more so because I’ve never had Chrome or any other Google product on this machine that I recall. Emma’s shortcut seems to work however — many thanks! (OS X 10.6.8 and regretting ever connecting to the internet)

  7. I found an easy way to totally remove this thing hidden in the comments inside the ksinstall file- for me it was in the /Library/ directory, and the command

    sudo /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/Resources/ksinstall --nuke

    left only the (now empty) /Library/Google directory behind! It appears this ability to remove itself actually is built in, just was hard to find. Hope this helps! 🙂

  8. Hello everyone, in the latest version of GoogleSoftwareUpdate.bundle (as of today) there is no install.py file anymore. Running 10.9.5. Thanks for the tip though.

  9. Richard Tibbitts

    Love it! I suppose you could go through and delete all items one by one (which I did, and for all I know, some of them will come back next time I restart), but either way, it’s fun to play with Terminal and wipe out the bad guys. Bang bang, budda-budda-budda, kablooie!! Gotcha!

    More fun than a video game. Thank you!

  10. 24 hours of running fans were killing me. I followed the 3 steps to nuke and I´m enjoying the silence. Thank you very much!

  11. I’m a computer dummy and found the instructions on how to nuke Google hard to understand, however, I will try. I just need to clean my Mac professionally probably as I have trouble all the time. How do I protect myself when the only provider I am allowed is a local company where a neighbor works who does not like me? HENCE, the problems I have all the time with this Mac? :/

  12. Although the security implications of not updating Google apps in a timely manner are probably minimal, there is one component that can cause major security issues if it’s not kept up-to-date and that’s the so called “Pepper” Flash Player built into Google Chrome. Coincidentally there is at least a proof-of-concept threat in circulation that required an emergency update to it as well as Apple’s XProtect system this week. I wish there was a way that Google would keep that updated without having to accept auto-updating for all Google apps.
