Remove ReceiverHelper Apple malware - BITadvisors (2024)

This article provides a hands-on summary and a workaround for the issue where macOS flags the ReceiverHelper app as harmful and prevents it from running.

Name: ReceiverHelper
Type: Apple malware / Mac virus
Associated processes: ServiceRecords.app, AuthManager_Mac
Action: “ReceiverHelper will damage your computer” popup alerts
Danger: Average

As Apple tries to tighten its grip on malware, some legitimate applications end up as collateral damage. Over the past two years, there have been several surges of Mac alerts labeling trusted software as potentially harmful. A handful of HP and Cisco products are among the examples. However, this overprotection puzzle is incomplete without a piece relating to ReceiverHelper. The popularity of this workspace virtualization tool by a company called Citrix skyrocketed during the mass transition to remote work, which is still underway amid the healthcare emergency. Its primary audience is the corporate sector, which uses the solution to ensure smooth teleworking procedures. Recently, though, numerous customers bumped into a problem: Macs started displaying popup warnings that say, “ReceiverHelper will damage your computer”.

Although this activity has been in a relatively idle state for more than a year, it reached new heights with an outbreak that took root in late August 2021. Numerous users are now at their wit’s end trying to open the software, with the popup warnings also reporting several other Citrix utilities as malware. These include ServiceRecords and AuthManager_Mac. The alerts mostly state, “This file was downloaded on an unknown date” and suggest viewing the allegedly unsafe object in Finder. Having clicked this button, users see that the location is /usr/local/libexec/. That’s a strange place for a reputable software suite to be, but anyway, it’s not an oddity serious enough to call it malicious.

The reason for “ReceiverHelper will damage your computer” Mac alerts is prosaic. As opposed to the above-mentioned HP and Cisco stories that boiled down to code signing issues over modified or revoked digital certificates, this one is caused by a bad choice of a certificate authority (CA) on Citrix’s end. The company uses Symantec CA, which has dealt with a fair portion of security concerns since 2018. The recent update of the macOS XProtect and Gatekeeper features appears to have intensified Apple’s efforts to tidy up its third-party code ecosystem. This resulted in a straightforwardly antagonistic response to any product that leverages certs issued by Symantec. That’s the most likely undercurrent of this situation.

There is a less plausible cause, though. It’s common knowledge that different strains of Mac malware often portray themselves as trusted applications. They do it to game the system’s defenses and slip under the radar. Chances are that some shady programs pose as ReceiverHelper, ServiceRecords, or AuthManager_Mac to evade detection. In this case, the algorithms built into the native macOS security modules may identify the trick and alert the user to peril.

With that said, the way to address the problem depends on what triggered it in the first place. If you are using a genuine Citrix product and it’s being detected as a threat, be sure to contact the provider for troubleshooting instructions. Perhaps a garden-variety update will sort things out. On the other hand, if you are clueless about the presence of this virtualization solution on your Mac and suspect malware interference, it’s high time you checked your system for apps that don’t belong there.

Remove ReceiverHelper popup malware from Mac manually

First things first, every infection instance boils down to a specific rogue app underlying it. Therefore, the starting point of the fix is to find and delete the malicious program that’s causing your Mac computer to act up. This could be easier said than done, though – some viruses are sneaky and don’t leave an obvious system footprint in an attempt to avoid detection.

The steps below will walk you through the best practices of spotting and removing ReceiverHelper popup malware from your Mac.

  1. In the Finder’s Go pull-down menu, click Utilities
  2. Select Activity Monitor
  3. Take a look at the running processes and try to identify the malicious one. Its name isn’t likely to have anything in common with ReceiverHelper popup malware, therefore you should focus on resource-intensive entries that look unfamiliar and way out of place.
  4. Once you spot the suspect, select it and click Stop in the upper left of the Activity Monitor screen. Follow on-screen prompts to force quit the unwanted item. Note that you may have to enter your admin password to do it
  5. Reopen the Go menu and click Go to Folder
  6. Enter the following string in the search box: /Library/LaunchAgents. Click the Go button as shown below
  7. Check the folder for potentially unwanted items. As is the case with malicious executables, the names of sketchy LaunchAgents may suggest no connection with Mac threats. As a general rule, look for recently created objects you don’t recognize. Send the baddies to the Trash if found
  8. Now you’ll need to complete the same procedure for the following directories: ~/Library/LaunchAgents, ~/Library/Application Support, and /Library/LaunchDaemons. Go to these paths in turn (see Step 6 above), inspect their contents for dubious items and folders, and eliminate them.
  9. Use the Go menu in your Finder again and click Applications
  10. Scrutinize the list of installed apps to try and locate the malicious one. This could also be a shot in the dark because the culprit isn’t going to be named ReceiverHelper popup malware or similar. Your goal is to spot a recently added fishy-looking program you didn’t wittingly install. Send it to the Trash immediately
  11. Click the Apple menu icon and pick System Preferences. You can also click the gear symbol in the Dock if it’s there
  12. Head to Users & Groups and click Login Items. Click the padlock icon at the bottom left to enable changes – this will require your admin password. Find the app that shouldn’t be started automatically at boot time, select it, and click the ‘minus’ symbol
  13. When on the System Preferences screen, select Profiles. In most cases, the list will show up blank unless it’s a company-issued Mac and your employer has added a configuration profile to manage specific areas of the system. Anyway, if you see a profile that shouldn’t be there (e.g. AdminPrefs or TechSignalSearch), select it and click the ‘minus’ symbol to eradicate it
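
The folder inspection in steps 6 to 8 can be scripted. The following is an added example, not part of the original article: it reads every launchd job file in the LaunchAgents and LaunchDaemons folders and reports what each one launches and why it deserves a look. The 30-day window, the use of modification time as a stand-in for “recently created”, and the `com.example.*` sample jobs are assumptions made for illustration.

```python
import os, plistlib, tempfile, time
from pathlib import Path

# launchd job folders named in steps 6-8 (Application Support holds no job plists).
LAUNCH_DIRS = ["/Library/LaunchAgents", "~/Library/LaunchAgents", "/Library/LaunchDaemons"]

def triage_launch_items(dirs=LAUNCH_DIRS, recent_days=30, now=None):
    """Return one record per launchd plist, newest first, with reasons to review it."""
    now = time.time() if now is None else now
    findings = []
    for d in dirs:
        folder = Path(d).expanduser()
        if not folder.is_dir():
            continue
        for plist in sorted(folder.glob("*.plist")):
            reasons = []
            try:
                with plist.open("rb") as fh:
                    job = plistlib.load(fh)  # reads both XML and binary plists
                if not isinstance(job, dict):
                    raise ValueError("root object is not a dictionary")
            except Exception:
                job, reasons = {}, ["unparseable plist"]
            args = job.get("ProgramArguments") or []
            program = job.get("Program") or (args[0] if args else None)
            age_days = (now - plist.stat().st_mtime) / 86400
            if age_days <= recent_days:  # assumed threshold for "recently created"
                reasons.append("recently modified")
            if program and not Path(program).exists():
                reasons.append("target missing")
            findings.append({"plist": str(plist), "label": job.get("Label"),
                             "program": program, "run_at_load": bool(job.get("RunAtLoad")),
                             "age_days": round(age_days, 1), "reasons": reasons})
    return sorted(findings, key=lambda f: f["age_days"])

def demo():
    """Constructed sample data: one old job and one fresh job in a temp folder."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp, "com.example.updater.plist"), Path(tmp, "com.example.helper.plist")
        old.write_bytes(plistlib.dumps({"Label": "com.example.updater", "Program": "/bin/sh"}))
        new.write_bytes(plistlib.dumps({"Label": "com.example.helper", "RunAtLoad": True,
                                        "ProgramArguments": [str(Path(tmp, "gone")), "--daemon"]}))
        os.utime(old, (time.time(), time.time() - 400 * 86400))  # backdate mtime
        return triage_launch_items([tmp])

if __name__ == "__main__":
    for item in triage_launch_items():  # on a Mac: scans the real folders
        print(item["age_days"], item["label"], item["program"], item["reasons"])
```

The script only reports; it deletes nothing. Check the `program` path of any flagged entry before sending the plist to the Trash, since legitimate software also installs and updates jobs in these folders.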

So much for the manual removal workflow. Keep in mind that most Mac threats stretch their grip over to web browsers. If this is the case, your online activities will continue to be affected and you’ll need to additionally tackle the browser side of the attack. Here’s how you do it.

ReceiverHelper popup removal in a web browser on Mac

The steps below will help you regain control of the browsing preferences hijacked by ReceiverHelper popup malware. Be advised that you may be logged out of sites and lose your web customizations as a result of this procedure. The silver lining, though, is that the malware won’t be meddling with your online sessions anymore.

Troubleshoot Safari malfunctioning

  1. Open Safari, expand the Safari pull-down menu, and pick Preferences
  2. Click Advanced and check the ‘Show Develop menu in menu bar’ box
  3. You’ll see the Develop menu added at the top of the screen. Click it and select Empty Caches on the list
  4. Expand the History entry in the Safari menu and select Clear History
  5. It’s best to pick all history in the follow-up screen to obliterate all malicious cookies and website data generated by the malware. Then, click Clear History
  6. Return to the Safari Preferences, select the Privacy section, and click the Manage Website Data button
  7. Click Remove All on the subsequent screen
  8. Finish the procedure by restarting Safari

Restore Google Chrome defaults

  1. Open Google Chrome, click the Customize and control Google Chrome (⁝) symbol in the upper right, and choose Settings
  2. Click Reset settings
  3. The browser will display an extra dialog so that you can familiarize yourself with the logic of the cleanup before proceeding. Go ahead and click the Reset settings button as illustrated below
  4. Restart Google Chrome

Fix the problem in Mozilla Firefox

  1. Open Firefox, click its menu icon (three horizontal lines), select Help, and click Troubleshooting Information
  2. Click Refresh Firefox and confirm the action
  3. Restart Mozilla Firefox

Remove ReceiverHelper popup malware using Intego Mac Premium Bundle X9

Spotting files dropped by Mac threats can be a wild guess and takes a lot of time if you do it manually. It is much easier and more effective to use a security tool that automates the cumbersome process and quickly delivers the result you need. Intego Mac Premium Bundle X9 leverages time-tested antivirus technology to detect, defang, and remove widespread and emerging Mac viruses. Here is how to get rid of malicious code in several simple steps using this technique:

  1. Download and run the Mac Premium Bundle X9 installation file. Follow on-screen prompts to finish the setup.
  2. Open the VirusBarrier application from your Launchpad. This is the central module of the software suite’s security kit.
  3. Choose the scan type. Keep in mind that Quick Scan only checks a limited range of locations most often parasitized by Mac malware. We recommend you select Full Scan to maximize the detection accuracy.
  4. Wait for the tool to examine your computer for unwelcome files, harmful processes, and suspicious configurations. The first full scan might be a bit lengthy, which is normal.
  5. The scan report will give you the big picture by listing the detected threats and malware families they represent. These items are automatically moved to the quarantine unless you specify a different action.
  6. To make the harmful files vanish without a trace, open the Quarantine tab and click the Repair All button. This will address your malware issue.


Author: Carmelo Roob
