
Genieo changing its name?

Published June 19th, 2015 at 9:19 AM EDT, modified June 19th, 2015 at 9:19 AM EDT

Earlier this month, I wrote about how new variants of the Genieo adware are proliferating. Now, however, it looks like Genieo may be changing its name. A new site, for an app called InKeepr, appears to be poised to take Genieo’s place, perhaps because of all the negative name recognition now associated with the Genieo name.

[Image: Genieo maintenance notice]

The old site, at genieo[dot]com, currently shows nothing but a notice that it is “temporarily down for maintenance.” According to the Internet Archive Wayback Machine, this seems to have happened sometime between May 13 and May 24.

The new domain, inkeepr[dot]com, was first registered in February of this year. It’s unknown, however, when it first went live, as the Wayback Machine did not yet have that page archived. My guess, for which I have no evidence, is that it went live around the same time the old site went down.

[Image: InKeepr contact page]

Some readers may be wondering right about now why I’m connecting InKeepr with Genieo. The simplest explanation is the contact information on the InKeepr website. That page clearly identifies the head office as belonging to Genieo Innovation Ltd, the Israeli company behind the Genieo adware.

Further evidence comes from downloading the InKeepr software from the InKeepr site. This software behaves almost identically to Genieo. It uses the same three LaunchAgent files to keep a process (now named AppDS, not much better than the old “Application” process) running. It installs an InKeepr app that is very similar to the old Genieo and InstallMac apps. It installs the same Reset Search application.

[Image: InKeepr news pop-up]

Even the “news” pop-up in the Finder looks very similar to the pop-up displayed by the older Genieo adware.
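Since the persistence mechanism described above is a set of LaunchAgent plists that relaunch the AppDS process, one quick way to check a Mac is to scan the LaunchAgents folders for plists that reference the names this post associates with the adware. The script below is an added example written for this page, not code from the post or from AdwareMedic. It is read-only (it reports, it does not remove anything), and because the post does not give the filenames of the three LaunchAgents, it matches on plist contents rather than on filenames; the name list and the `scan_launch_agents` / `count_suspect_agents` helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: report LaunchAgent plists whose
# contents mention the process/app names the post ties to InKeepr and Genieo.
# Read-only by design. On a real Mac, point it at ~/Library/LaunchAgents and
# /Library/LaunchAgents; the names below come from the post and are assumed to
# still be accurate for the variant you are looking at.

SUSPECT_NAMES='AppDS|InKeepr|Genieo|InstallMac'

# scan_launch_agents DIR
#   Prints the path of every *.plist in DIR that contains one of the suspect
#   names, one per line. A missing directory is simply treated as empty.
scan_launch_agents() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        # Caveat: launchd also accepts binary plists, which a text grep will not
        # match. On macOS, convert first:  plutil -convert xml1 -o - "$plist"
        if grep -qE "$SUSPECT_NAMES" "$plist" 2>/dev/null; then
            printf '%s\n' "$plist"
        fi
    done
    return 0
}

# count_suspect_agents DIR
#   Prints how many suspect plists scan_launch_agents found in DIR.
count_suspect_agents() {
    scan_launch_agents "$1" | wc -l | tr -d ' '
}

# Usage: check both the per-user and system-wide LaunchAgents folders.
for d in "${HOME:-/nonexistent}/Library/LaunchAgents" /Library/LaunchAgents; do
    n=$(count_suspect_agents "$d")
    echo "$d: $n suspect LaunchAgent plist(s)"
    scan_launch_agents "$d"
done
```

Anything the scan reports should be inspected by hand (the `ProgramArguments` key tells you which binary the agent keeps alive) before deciding to unload and delete it; a clean result from this script does not prove the machine is clean, since it only knows the names from this post.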

I can only guess that this name change is intended as a way of avoiding the negative name recognition now associated with the Genieo and InstallMac brands. Clearly, Genieo Innovation doesn’t intend to just roll over and give up, and is still trying to find ways of infecting people with its adware.

I have yet to see InKeepr in the wild, obtained from somewhere other than the InKeepr site. I have seen reports that it is included in a download available on SourceForge (which has recently been guilty of wrapping other people’s software in adware installers), but I don’t know which download that might be. In any case, if you run an installer and see any mention of InKeepr, force-quit the installer immediately and throw it in the trash!

Fortunately, AdwareMedic already detected most of the components of InKeepr, and I have added detection of the rest this morning. If you have been infected with InKeepr, or any of the other recent variants of Genieo, AdwareMedic should remove it for you.


28 Comments

  • Matthew says:

    I’ve seen InKeepr heavily advertised using various sites that use AdSense… you know, the typical deceptive practice of putting a big green “Free Download!” button with no explanation of what it does. It just says “InKeepr” and takes people to inkeepr.com as you mentioned.

  • Lammeling says:

    I’m sure you will adapt to this change in your AdwareMedic, but… what about people still running SL who use Adware Removal Tool…

  • Lammeling says:

    OK! That is a good solution too. But is the name of Genieo in this operation changed then into another name?

  • Bruce says:

    Once again we need to thank you for AdwareMedic and your efforts to keep us safe. Thank you.

  • Michael Bai says:

    Thank you so much AdwareMedic!

  • BHanna says:

    I’m not sure if I had Genieo or some other variant, but had limited success with AdwareMedic. I downloaded AdwareMedic and it found some files from “listshack” or something like that and I removed them, but didn’t solve the problem entirely. Restarted my computer and ran the software several times to no avail.

    I’m running OS X Yosemite 10.10.3. The last paragraph from this support post regarding manual removal seems to have done the trick: https://support.apple.com/en-us/HT203987

    Thanks for your software, just wanted you to be on top of the latest iterations of this thing.

    • Thomas says:

      I’m not sure which paragraph you’re referring to, but I’m guessing that you probably needed to change the home page and/or search engine settings in your web browser. AdwareMedic doesn’t do that for you.

  • mach672 says:

    I downloaded AdwareMedic a while ago. How do I update it? Thank you very much.

  • james says:

    Do you by chance know of one for offer.alibaba? I’ve been searching the web and everyone’s calling it an actual virus rather than adware, but just wondering.

    • Thomas says:

      That may or may not be related to adware. Try AdwareMedic, and if that doesn’t work, see:

      http://www.adwaremedic.com/kb/unsolved.php

      • james says:

        Always go with AdwareMedic first. It didn’t find anything. I removed all 3rd-party folders that I wasn’t sure of from ~/Library/Application Support and /Library/Application Support. Cleared launch agents, daemons, saved app states. Removed 3rd-party extensions, including Flash Player. Cleared the ~/Library/Safari folder. Removed 3rd-party apps. Cleared developer caches. Still can’t figure it out. Gonna try an antivirus software.

        • james says:

          It was indeed a virus. Glad to know.

          • Thomas says:

            What makes you say it was a virus? It’s actually extremely unlikely that you would have been infected by actual malware. What did the anti-virus software find?

          • james says:

            Heuristics.Phishing.Email.SpoofedDomain found by ClamXav

          • Thomas says:

            That’s not actually malware. That’s a potential phishing e-mail, but could also be a false positive. Even if it were a real phishing e-mail, it wouldn’t affect your Mac in any way… it would just be an attempt to get you to click a bad link and then provide some kind of personal information (probably an account password) on a phishing site.

            Hopefully you didn’t allow ClamXav to remove it! If you did, that may have screwed up your mailboxes. See:

            How to remove infected files

          • james says:

            I don’t believe it’s an actual phishing email, because the redirects are exactly what’s going on. I haven’t had time to deal with it today, but here’s what happens: when you click on a link, a second Safari window pops up with offers.alibaba or ali.express.

          • Thomas says:

            That item ClamXav detected, whether it was actually a phishing e-mail or not, is definitely not the cause of that problem. See the link I gave you previously:

            http://www.adwaremedic.com/kb/unsolved.php

            My guess would be that this might be caused by a hacked network, as mentioned near the bottom of that page.

    • james says:

      Yep, you were right. ISP confirmed hacked network.

  • mach672 says:

    I clicked the update button on Adware Medic and saw, “AdwareMedic.dmg” Is the dmg extension correct? Just making sure this is indeed yours. Thanks much, Thomas.

    • Thomas says:

      That sounds like the original download. The auto-update mechanism shouldn’t leave any files behind; it will all be very transparent.

  • Tim says:

    ClamXav is now a paid commercial app. Free version no longer available. $29.95 according to Mark’s updated website.

    • Al Varnell says:

      True, but it was previously “donation-ware” and not truly free. Anybody that previously donated (which apparently most users did) can get a free update by providing proof of donation (normally name and e-mail address). And there is currently a limited time “Launch Promo” in effect for everybody else at 25% off or 22.46 USD.
