The Safe Mac



Genieo adware downloaded through fake Flash updates

Posted on May 21st, 2013 at 9:41 PM EDT


For at least a couple of months now, I have been hearing a lot of reports of fake Flash update notices appearing on a variety of web sites and resulting in the download of a Genieo installer. It has been difficult to track down a source so that I could see this in action, but I finally found one. Although I still don't believe that Genieo is actually malware, there is definitely some monkey business going on.

First, let's take a look at what Genieo is. Genieo is adware that changes your web browser's home page to display a personalized page, gathering information that it thinks you would be interested in. Because this software is free, the old adage about free products applies: "If you aren't paying for a product, you are the product." Genieo pays for itself by selling and displaying personalized "advertorials," which are just ads disguised as stories.

If this sort of thing is desirable to you, and you’re okay with allowing Genieo to monitor your online activities so that they can personalize this information for you, then I have no argument with that. Many other companies are doing similar things every day, and are being much sneakier about it. Genieo is fairly up front about what they do, though of course they apply the expected marketing slant to it to make it sound less threatening. Further, they’re an identifiable entity, with a registered web site and published contact information, including phone number and postal address as well as e-mail.

So, the question is, what's up with these surreptitious Genieo downloads? That's a question I've been trying to answer for two months, with little success until now. The fake Flash alert seems to come up on a variety of ad-driven sites, but I never managed to hit the right ad to trigger it. Thanks to a poster on the Apple Support Communities, however, I found a URL that one of these ads opened in a new tab. Visiting that URL immediately produced a JavaScript alert telling me that I needed to download Flash Player.

Clicking OK (the only option, apart from force-quitting the web browser) loads a page dressed up as a Flash Player download page, with two download "buttons."


Clicking either “button” will result in downloading a file named InstallGenieo.dmg. This file contains a Genieo installer app that looks exactly like the one downloaded directly from Genieo’s web site.

So, what is different about this installer, and who benefits from it? The answer seems to be tied up in the Genieo Partners Program, which, if I'm understanding the language correctly, compensates partners for promoting Genieo. Examination of the installer's code shows that the "malicious" Genieo installer reads a value from a property list file inside the installer package, then contacts analytics.genieo.com, passing that value (which I'm guessing is a partner ID) in the URL.

The "real" Genieo installer makes the same call; only the value it sends differs, as shown below. [Edit: An earlier version of this paragraph said the real installer did not do this. I was looking at the wrong bit of code.]

Inside the "malicious" InstallGenieo package, the value being pulled from the genieo.installer.plist file is clearly readable (the key is a Windows-registry-style path, reused here as a plist key):

<key>HKEY_CURRENT_USER\Software\Genieo\Components\Partner\active_partner</key>
<string>genTugM</string>

In the “real” Genieo installer (i.e., the one downloaded directly from the Genieo web site), this value is set to “genieo” instead of the “genTugM” value seen above.
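If you want to check an installer you have downloaded rather than take a screenshot's word for it, the partner value is easy to pull out of the plist programmatically. The following is an added example, not code from this post or from Genieo: it parses a genieo.installer.plist (XML or binary) with the standard-library plistlib, reads the active_partner key quoted above, and classifies the installer as "direct" (value "genieo", as in the genieo.com download), "partner" (any other ID, such as the "genTugM" seen in the fake-Flash case) or "unknown". The key name and the two values come from the post; the sample plists in the script are constructed, and the idea of locating the plist by walking a mounted InstallGenieo.dmg volume is my assumption about where the file sits.

```python
"""Classify a Genieo installer by the partner ID in its genieo.installer.plist.

Added example, not code from The Safe Mac or from Genieo. Key name and the values
"genieo" / "genTugM" are taken from the post; the sample plists are constructed, and
the mount-point/walk logic assumes the plist sits somewhere under the mounted DMG.
"""
import os
import plistlib
import sys
from typing import Iterator, Optional, Tuple
from xml.parsers.expat import ExpatError

# Key name exactly as it appears in the installer plist quoted in the post.
PARTNER_KEY = r"HKEY_CURRENT_USER\Software\Genieo\Components\Partner\active_partner"
# Value the post reports for the installer downloaded directly from genieo.com.
DEFAULT_PARTNER = "genieo"

# Constructed sample: an XML plist shaped like the one quoted in the post
# (the fake-Flash installer's value).
SAMPLE_PLIST_PARTNER = rb"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>HKEY_CURRENT_USER\Software\Genieo\Components\Partner\active_partner</key>
    <string>genTugM</string>
</dict>
</plist>
"""

# Constructed sample in binary plist format, carrying the direct-download value.
SAMPLE_PLIST_DIRECT = plistlib.dumps({PARTNER_KEY: DEFAULT_PARTNER}, fmt=plistlib.FMT_BINARY)

# Constructed sample with no partner key at all.
SAMPLE_PLIST_MISSING = plistlib.dumps({"SomeOtherKey": 1})


def active_partner(plist_bytes: bytes) -> Optional[str]:
    """Return the active_partner string, or None if the plist is unreadable or lacks it."""
    try:
        # plistlib.loads autodetects XML vs. binary plist from the header bytes.
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ValueError, ExpatError):
        return None
    if not isinstance(data, dict):
        return None
    value = data.get(PARTNER_KEY)
    return value if isinstance(value, str) else None


def classify_installer(plist_bytes: bytes) -> Tuple[str, Optional[str]]:
    """Return (kind, partner) where kind is one of:
    "direct"  - value equals the one seen in the genieo.com download ("genieo")
    "partner" - some other partner ID (the fake-Flash installer carried "genTugM")
    "unknown" - key missing or plist unreadable
    """
    partner = active_partner(plist_bytes)
    if partner is None:
        return ("unknown", None)
    if partner == DEFAULT_PARTNER:
        return ("direct", partner)
    return ("partner", partner)


def find_installer_plists(root: str, name: str = "genieo.installer.plist") -> Iterator[str]:
    """Yield paths of files named `name` anywhere under `root` (assumption: the plist
    lives somewhere inside the mounted InstallGenieo.dmg; the exact path is not known)."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() == name:
                yield os.path.join(dirpath, fname)


if __name__ == "__main__":
    # Usage (mount point is an assumption):  hdiutil attach InstallGenieo.dmg
    #                                        python genieo_partner.py /Volumes/InstallGenieo
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in find_installer_plists(root):
        with open(path, "rb") as fh:
            kind, partner = classify_installer(fh.read())
        print(f"{path}: {kind} (active_partner={partner!r})")
```

A "partner" result does not by itself prove deception; it only tells you the install will be credited to someone other than Genieo, which is the question this post is chasing. Pair it with where you got the DMG from.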

What I'm guessing from all this is that one of Genieo's registered "partners" is pulling this stunt to generate more revenue, by getting Genieo to pay them for installations they are tricking people into performing. This is obviously dishonest, and hopefully Genieo will shut this partner down and put an end to the scam.

As scams go, this one’s pretty lame. There’s very little attempting to convince the user that the download is actually a Flash Player installer, which will raise most people’s suspicions immediately. Still, there are always people out there who are willing to install anything, no matter what the source… and perhaps such “low hanging fruit” is exactly what the people behind this scheme are trying to pick.



21 Comments

  • Someone says:

    I’ve seen another Flash Player thing, called “Flash Player Pro.” I was on a public computer (at a library) when this “Flash Player Pro” page popped up. I closed it, because it looked like a scam, but could someone explain whether there is such a thing as Flash Player Pro?

    • Al Varnell says:

      There is not. If you see it again let us know where.

      Nor is there a Flash Player HD, which I’ve seen elsewhere and this popup hints at.

      • Someone says:

        I guessed as much. I found it on some dodgy-looking website, “Project Free TV” or something. My friend suggested it to me. She’s not very computer-savvy so I’m guessing she had no idea that it was hosting scam Flash Player ads. Anyway, I was looking at this site and the Flash Player Pro popped up. It had the Adobe logo and all – kinda like Flashback did.

      • bruce says:

        Hi …
        I was just doing a little research myself about this Genieo window that popped up that looked like a "flash player download" and noticed that you said if someone received the "Flash Player HD" pop-up, to let you know …
        well, I received it …. and this was the address for it ….. http://www.yasni.com/ad_pop.?popup=us2&bw=

        • Someone says:

          Not necessarily a good idea to post links to popups etc, however, apparently Thomas is okay with it as he didn’t comment it out.

          • Thomas says:

            Depends on what it is. In this case, I opted to leave it since it will only affect you if you opt to install what it downloads, and because it may help others who are also trying to research the Genieo issue.

          • Someone says:

            Yes, I understand. I guess though that in some cases, like with drive-by downloads, obviously it isn’t a smart idea to post links! :)

  • Derek Currie says:

    I’ve done some superficial work studying the marketing scams concocted by ZeoBIT to foist their MacKeeper software on the public. The Genieo scam is of the same ilk. If asked, Genieo would likely state that this scam method is outside their control and breaks their marketing policies. I’ve heard that explanation from ZeoBIT, which turned out in their case to be a verified total lie. There are what I have to call pathological marketing scammers here on Earth, and they can be brilliant at looking and sounding ‘professional’ while actually being the exact opposite. Some call these people ‘sociopaths’.

    In this case, it comes down to following two basic rules of computer security:

    1) Only download software from a verified, reliable source. There are some reputable software update sites, like VersionTracker.com (aka CNET), MacUpdate.com and of course Apple’s Mac App Store. Ideally, go directly to the developer’s actual website to download their software. Downloading Flash Player (or whatever faked rendition of that name is used) directly from Adobe.com solves the problem. You get the real thing, with no adware or malware tagging along.

    2) Never install software you have not verified to be safe. In this case we get the unexpected Genieo installer, named as such, dumped onto your computer. That’s not what we asked for, therefore IMMEDIATELY trash it and empty the trash. Get rid of it so no one else who uses our computers mistakenly installs it either.

    I call this ‘The Marketing Era’ in the First World. It pervades just about everything, and almost all of it has some level of maliciousness. It is currently extremely rare to find actual Marketing Mavens, as I call them, who want to seriously assist the customer and treat them with respect. Just the opposite is the norm. Therefore, by default, I consider it wise to treat all marketing directed at us as malicious on some level. It’s a useful attitude tool to keep us on our toes when dealing with either business or what I sarcastically call “biznizz”.

  • TJ says:

    How do you discover that you downloaded this Genieo adware, and second, how do you remove it? I am new on Mac and indeed recently installed a Flash player update.

    Thanks

    • Someone says:

      I’m guessing, since you say you are “new on Mac,” you just bought a Mac, which doesn’t have Flash on it by default. You may have actually downloaded the legitimate Flash Player. You can determine whether you have installed the real Flash or a fake quite easily. Go into System Preferences. If you have Flash, the Flash icon (a red square-ish thing with a white f) will be at the bottom. If not, you’ve downloaded a fake.

      This test won’t work if you purposefully downloaded Flash before installing this “update.” If you were able to watch YouTube videos before installing the update, chances are you already installed Flash. If this is the case, try to think back to when you installed the update. Did a red box with a white f on it pop up in your dock? Or did it just appear while you were surfing the web? If it just appeared, it’s a fake, but if the red box icon appeared on your dock, it was a real update.

      Hope this helps!

    • Al Varnell says:

      You would know if you found a file called InstallGenieo.dmg in your download folder. If you didn’t find it and didn’t open the file and didn’t click on the “Genieo” icon, then it’s not installed. If you did then you will find an Uninstall Genieo app in your Applications folder.

      • Someone says:

        That works, too. I’m just really good at figuring out the most complex way to figure something out :)

  • Genieo Team says:

    Can you please let us know what you downloaded and from where, so that we can trace it from this end?
    We are sorry to hear that you want to uninstall Genieo.
    Genieo is a personalized newspaper-style home page. It has the power of bringing you the news you want, from your favorite sources, and offers many unique features that can enrich your browsing experience and keep you up to date with interesting articles and items in your topics of interest.
    Genieo is 100% free, it's totally private and requires zero management.
    Should you decide to remove it, please visit our FAQ page http://www.genieo.com/faq#uninstall
    and simply follow the instructions.
    Once you are done, you can go to your browser settings and change the default homepage and search to match your decision.

    Chrome: http://support.google.com/chrome/bin/answer.py?hl=en&answer=95421&topic=1735105&ctx=topic
    IE: http://support.microsoft.com/kb/252464
    FF: http://www.wikihow.com/Change-your-Start-Page-on-Mozilla-Firefox
    Safari: http://browsers.about.com/od/safar1/ss/safarihomepage_3.htm

    • Judi says:

      Genieo Team, I tried to uninstall but it asks for a password which I never provided upon installing the app from Project Free TV. What is the password?

  • Moustapha Ahmed says:

    How could I uninstall this fake application?

    • Thomas says:

      That’s a difficult question to answer, as it seems that different versions of this software (made for different “partners”) may install different things. When I tested with one particular version, running the “Uninstall Genieo” app, found in the Applications folder if you have installed Genieo, removed everything. Trusting Genieo to remove itself is a difficult thing to tell people to do, though.

  • Judi says:

    I was duped into installing Genieo from the Project Free TV website. Now Genieo is installed and I cannot uninstall it. Even though there is an application to “uninstall” when I open it, it asks for a password, which I never provided! Can you help?

    • Someone says:

      When it asks you for a password, is it the OSX standard password box or is it one that looks nonstandard?


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.
For questions or comments, please contact me.