
Genieo adware proliferating

Published June 7th, 2015 at 9:00 AM EST, modified June 7th, 2015 at 9:00 AM EST

In recent months, several new variants of the Genieo adware have crossed my path. This adware is still pulling many of the same tricks – changing the search engine to Bing, and installing all kinds of junk that runs in the background and modifies browser behavior. However, it’s now using a variety of different names, perhaps in an attempt to make detection more difficult.

Until recently, variants of Genieo have only gone by two different names: Genieo and InstallMac. In the last few months, however, I’ve come across a number of new variants under new names: GoldenBoy, Texiday, and now Listchack.

[Image: Genieo Listchack variant]

In all these cases, a Safari extension by that name has been installed. In addition, these variants will install files in the user’s LaunchAgents folder having names and contents following predictable patterns. (LaunchAgents are used to keep processes running invisibly in the background at all times, even after restarting, or to run processes invisibly on a periodic basis.)

Some may question how I am able to connect these new names with Genieo. There are several ways. First, all of these variants include a Safari extension containing code that is identical in places to the older code found in Genieo’s Omnibar extension. All include the same three LaunchAgents, with minor changes to their names and content, that have been in use by Genieo and InstallMac for some time. And all seem to install the Genieo “Reset Search” app, a supposed uninstaller that has never done the job properly.

[Image: Genieo Listchack installer]

These Genieo variants are being installed through highly deceptive installers. In the case of the latest (Listchack), for example, the installer is downloaded from a site supposedly offering a download of the popular open-source VLC video player. The resulting download, however, is a disk image file called MPlayer.dmg, named for a different (and not legit) video player. Upon running the Installer app found on that disk image, the installer claims to be installing yet another player: Fast Player, one that I’ve never even heard of. And not a single one of these video players actually ends up being installed!

Avoiding these deceptive Genieo installers, and all other such adware installers, is fortunately quite easy: simply exercise care with what you download online. Only download from the developer’s site, and never download from other sites, especially “download aggregation” sites like Download.com and Softonic (which are both known to inject their own adware in many of their downloads). For more information on how to protect yourself from this kind of thing, see my Mac Malware Guide.

If you think you may have installed one of these new Genieo variants, you can remove it using my AdwareMedic app.


31 Comments

  • Canvas fingerprinting ? says:

    Just a notice (despite if you place this or not)

    My browser is warning me for the fact that thesafemac is (probably) using Canvas fingerprinting!
    https://en.wikipedia.org/wiki/Canvas_fingerprinting

    Although this is a legitimate technique, it is in a way spying on users too.
    And we do not like spying, do we?
    Cookies can be deleted, the combination of device hardware profile/browser profile is actually not easy to be changed and quite a questionable form of user tracking.

    Is this collecting of user profiles really necessary and needed?
    It reminded me of the built-in complete Mac profile feedback report that could be sent back in the first versions of your adware program. An anti-privacy option that you removed later on.

    Please consider using other methods of tracking users, at least warn them or give them an option to choose to accept this.
    That would be a bit more ethical behavior in the context of this site ; privacy is an important part of security.

    By the way, how well is your collection of user data protected against people that try to get those data? The more you possess and collect, the more you have to protect.

    Just some friendly meant feedback from a reader, Thomas

    • Thomas says:

      I don’t do any tracking whatsoever of users on this site, regardless of technique. I don’t even require people to register in order to post comments. So, whatever is alerting you to this is either erroneous or it’s picking up something that is being injected into the page by a third-party. The latter would typically be due to adware.

      • Thomas says:

        Turns out that Tor Browser is triggering on the new emoji support code that was added in WordPress 4.2. I don’t use this, so I have disabled it. However, as you can see, this “feature” of Tor Browser is more than a bit flawed, since it will trigger on any WordPress site that 1) has updated to 4.2 or later, as should be done for security reasons, and 2) has not done anything to disable this emoji support code.

        For WordPress site owners who don’t want Tor falsely accusing your site of wrongdoing, add the following lines to your functions.php file:

        // In the theme's functions.php: stop WordPress 4.2+ from printing the emoji detection script and its styles
        remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
        remove_action( 'wp_print_styles', 'print_emoji_styles' );

        • JMM says:

          Thanks, looks like I was wrong with my assumption then… Also, thank you for the tip with the functions for WordPress.

      • JMM says:

        Not having any inside knowledge, it might be related to the paypal donate button as well, although I think Adware is the most likely option.

        @Canvas fingerprinting ?: you should do a Scan with Thomas’ Adware Medic app. If it is coming back clean, I would try deactivating other plugins. If it still shows, try other pages using the Paypal API for donation to see if that might be the one.

  • Ofelia says:

    24 hours, no Genieo reps? Looks like they’ve learned their lesson… maybe…
    In other news, thank you Thomas for the helpful info as always.

  • Anonymous says:

    I wonder where and how you got the impression that MPlayer is not legit (or maybe I misinterpreted the sentence “…MPlayer.dmg, named for a different (and not legit) video player”).

      • Anonymous says:

        MPlayerX as far as I know is by no means associated with the MPlayer project, whose home page is here https://www.mplayerhq.hu/. It is a highly renowned FOSS project started around the same time as FFmpeg, and it is older than VLC.

        Personally I used MPlayer for a long time, mplayer2 (a now abandoned MPlayer fork) for about half a year, and later switched to mpv (an MPlayer and mplayer2 fork) and have been using it since then for about two years. These projects are all distributed in source form and there is simply no room for adware. Whatever nasty things downstream packagers do shouldn’t be attributed to the upstream.

        I believe I also used MPlayerX for a brief period of time a few years ago and didn’t recall any adware offers (I’m usually very sensitive to this kind of stuff). I think “This is not particularly new, and has been described here before, although never with an installer downloaded directly from the MPlayerX site” in your article confirms my impression. Maybe things changed; or maybe the website was hacked. Not sure. In any case, the MPlayer project shouldn’t take the blame.

        • Jim says:

          Hi Anonymous,

          This is not a case of the MPlayerX website being in any way hacked. The publishers of this media player have planned this in advance.

          The MPlayerX publishers really do have to take the blame and accept full responsibility for their despicable behavior.

          I also must inform you that the blog for MPlayerX on their website (http://blog.mplayerx.org/)
          very clearly states that:
          “The other thing is that, MPlayerX will start to utilize the installer to fulfill monetization.”

          It is blatantly clear this is a deliberate decision by them to put this type of adware/malware into their product's installer. They even went so far as to obfuscate the code and took additional measures to ensure this stuff would NOT be detected when installed in any virtual machine environment.

          They have also stated on that blog that:
          “I knew it may bring many negative comments”
          So it is also clear they are preparing for the inevitable Mac user backlash they will have to deal with.

          • Aaron says:

            Huh, I just installed Adware Medic and erased the adware/malware. It was really easy, BUT I did it immediately. MPlayerX only affected my Minecraft when I cleared it 😛

          • Anonymous says:

            Doesn’t matter, I don’t care. The point is MPlayerX is not MPlayer, and is not associated with MPlayer.

  • Matthew says:

    You say that these latest variants install a Safari extension… Doesn’t that require user interaction (are you sure you want to install the extension “___?”)? So are they just relying on people blindly allowing the extension to be installed, or have they found a way to circumvent that prompt?

    • Thomas says:

      Adware installers routinely install Safari extensions without any such warning. It simply involves putting the extension in Safari’s Extensions folder and modifying the Extensions.plist file, which can be done without any warning and without needing an admin password. All that would be required to activate it at that point would be to re-launch Safari, and it will be as if the extension was installed all along.
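      The reply above and the post itself name two places where these variants persist: the user's LaunchAgents folder and Safari's Extensions.plist. The following read-only audit script is an added example, not code from The Safe Mac or from AdwareMedic; it reports LaunchAgents and registered Safari extensions whose names contain any of the variant names the post lists (Genieo, InstallMac, GoldenBoy, Texiday, Listchack) and shows how each agent is scheduled. The Extensions.plist layout it reads ("Installed Extensions" entries with "Archive File Name" and "Enabled" keys) is an assumption, and every sample file name and plist content in build_sample_home() is constructed for the example, not copied from real adware.

```python
"""Audit a macOS home directory for Genieo-family persistence artifacts.

Added example, not code from The Safe Mac or AdwareMedic. It reads the two
locations described on the page: ~/Library/LaunchAgents (per-user launchd jobs
named after the variant) and Safari's Extensions.plist (the registry an installer
edits to add an extension without any prompt). The Extensions.plist key layout
and all sample file names/contents are assumptions constructed for this example.
"""
import plistlib
import tempfile
from pathlib import Path

# Variant names the post lists for this adware family; matched case-insensitively.
GENIEO_FAMILY = ("genieo", "installmac", "goldenboy", "texiday", "listchack")


def family_hit(text):
    """Return the first family name contained in text, or None."""
    low = str(text).lower()
    return next((name for name in GENIEO_FAMILY if name in low), None)


def persistence_mode(agent):
    """Describe how launchd will run this agent, from its standard launchd keys."""
    if agent.get("KeepAlive"):
        return "kept running in the background"
    if "StartInterval" in agent:
        return f"run every {agent['StartInterval']} s"
    if agent.get("RunAtLoad"):
        return "run at login"
    return "run on demand"


def audit_launch_agents(home):
    """Return (label, program, mode, matched_name) for agents named after the family."""
    findings = []
    agents_dir = Path(home) / "Library" / "LaunchAgents"
    if not agents_dir.is_dir():
        return findings
    for plist_path in sorted(agents_dir.glob("*.plist")):
        with open(plist_path, "rb") as fh:
            agent = plistlib.load(fh)
        label = str(agent.get("Label", plist_path.stem))
        args = agent.get("ProgramArguments") or [agent.get("Program", "")]
        program = str(args[0])
        hit = family_hit(plist_path.name) or family_hit(label) or family_hit(program)
        if hit:
            findings.append((label, program, persistence_mode(agent), hit))
    return findings


def audit_safari_extensions(home):
    """Return (archive_name, enabled, matched_name) for registered Safari extensions."""
    findings = []
    registry_path = Path(home) / "Library" / "Safari" / "Extensions" / "Extensions.plist"
    if not registry_path.is_file():
        return findings
    with open(registry_path, "rb") as fh:
        registry = plistlib.load(fh)
    # Assumed layout: "Installed Extensions" is a list of dicts describing each extension.
    for entry in registry.get("Installed Extensions", []):
        archive = str(entry.get("Archive File Name", ""))
        hit = family_hit(archive)
        if hit:
            findings.append((archive, bool(entry.get("Enabled", False)), hit))
    return findings


def build_sample_home():
    """Create a throwaway home directory holding constructed sample artifacts."""
    home = Path(tempfile.mkdtemp(prefix="genieo-audit-"))
    agents_dir = home / "Library" / "LaunchAgents"
    agents_dir.mkdir(parents=True)
    samples = {  # constructed: one periodic Listchack-style updater, one benign agent
        "com.listchack.completer.update.plist": {
            "Label": "com.listchack.completer.update",
            "ProgramArguments": [str(home / "Library/Application Support/com.listchack/updater")],
            "StartInterval": 3600,
        },
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup"],
            "RunAtLoad": True,
        },
    }
    for name, contents in samples.items():
        with open(agents_dir / name, "wb") as fh:
            plistlib.dump(contents, fh)
    safari_dir = home / "Library" / "Safari" / "Extensions"
    safari_dir.mkdir(parents=True)
    registry = {"Installed Extensions": [  # constructed registry entries
        {"Archive File Name": "Listchack.safariextz", "Enabled": True},
        {"Archive File Name": "Notes Helper.safariextz", "Enabled": True},
    ]}
    with open(safari_dir / "Extensions.plist", "wb") as fh:
        plistlib.dump(registry, fh)
    return home


if __name__ == "__main__":
    real_home = Path.home()
    for label, program, mode, hit in audit_launch_agents(real_home):
        print(f"LaunchAgent {label} ({mode}) -> {program}  [matches {hit}]")
    for archive, enabled, hit in audit_safari_extensions(real_home):
        print(f"Safari extension {archive} enabled={enabled}  [matches {hit}]")
```

      Run as a script it audits the current user's home folder and prints only the matches; the functions return plain tuples so the result can be fed into a removal checklist. Unparseable plists are not handled, which is deliberate: on a real system a LaunchAgent that plistlib cannot read is itself worth a manual look.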

  • Leif Ostlund says:

    Genieo

    ((((((( Genius ))))))) …… thank you so much Thomas . I search for several hours in frustration until happily I came upon your site and ” Adwaremedic ” It solved the problem in short order . I sent along a small handful of cash , hope it helps .

    Leif Ostlund

  • Doug says:

    I have the listchack because I’m stupid and wanted to watch parks and rec finale a little too bad. I’m on an old osx and need to upgrade to get the app. Will it successfully get rid of listchack?

    • Thomas says:

      It should, but note that I don’t recommend upgrading Mac OS X just to run AdwareMedic. It is generally a good idea to upgrade from 10.6 to a newer system when possible, but that should be rushed. Mac OS X 10.6.8 was the last system to be able to run PowerPC apps. You’re probably going to need to also upgrade or replace some third-party apps that you depend on, and that could include things like drivers for printers or other hardware. Upgrading without adequate preparation could leave you in a bad place!

      There are always the manual removal instructions from my Adware Removal Guide instead.

      • Doug says:

        You are the greatest. All adware gone, even the ones I didn’t know. What’s bundlelore? Thanks man I’ll donate some money you’re the best!

        • Thomas says:

          Bundlore is just one of many adware threats out there right now. It may be one of the most slippery, with countless different variants having a wide variety of forms.

  • Colleen Thompson says:

    Does Adware Medic recognize a new Genieo variant called Inkeepr? See https://discussions.apple.com/thread/7069320?start=0&tstart=0

    • Thomas says:

      It should – it detects a number of other recent Genieo variants, such as GoldenBoy, Texiday, Listchack, and others. I have yet to confirm detection of InKeepr, however. If anyone finds that AdwareMedic doesn’t remove that, please don’t hesitate to contact me!

  • Doug J says:

    Please help with removing the Trovi adware from my Mac running 10.10 using Google. This is becoming a nightmare!

  • Abdul Akar says:

    I have this on my Mac. Whenever I search something on Google and then click a result it goes to listchack and then Bing. How could I remove this?

  • Gina says:

    Thank you Thomas. I used your Adware Medic successfully to eliminate the tidal wave of pop-up ads I was getting, presumably via the Java I foolishly allowed my son to download for the purposes of running games such as Goat Simulator (lesson learned).
    But it apparently didn’t get rid of all the celipsow remnants. I was wondering how my search engine got switched over to Bing. I just noticed that the Bing search address window starts with celipsow.bing or celipsow.google. I’ll run the adware app again to see if that eliminates it and reset my browser settings. Anything else I need to look for, or should that do it?
    PS. We love you. Sending donation!!!

  • Carlie says:

    Hi Thomas,

    Question for you. I am a Mac user and was recently scammed by adware/malware. My son was using the computer. As soon as he opened Chrome an ad popped up stating we had a trojan virus and requested we call a number. I called the number (everything seemed really legit) and gave access to the computer through GoTo Assist. The “tech” was jumping around and pointed out my serial number, asked me to write it down, then continued to show me my firewall settings and some other things. I got an uneasy feeling after about 5 minutes and disconnected the call. I just ran Adwaremedic and removed Genio software. My questions are, (1) what is the potential threat of allowing this “tech” to have access to file information, including serial number? (2) Should I install software protection like McAfee (or is there a better software you would recommend)? (3) Does installing the software protect all user profiles automatically? I appreciate your feedback. We aren’t having any problems with the computer OS yet, but I’m certainly concerned. Thanks so much for your advice.

    -Carlie
