The Safe Mac



Mac adware menace continues

Posted on April 7th, 2014 at 7:05 PM EST


Over the last couple months, I’ve seen an explosion in reports of adware infections. Just in the last four days, I have seen at least a couple dozen reports of GoPhoto infections alone. The threat of adware, a problem for Windows users for years, appears to be coming into its own on the Mac. Today, I found an adware installer that seems to be the epitome of the adware menace.

This adware was found through a FirstRow Sports site. This is the same site where I found a similar adware installer back in November of last year. On selecting a video stream, I was redirected to a very shady site:

[Screenshot: FirstRowSports redirect page]

The banner at the top of the screen looks real enough, so I clicked on it, as many users would. This resulted in the download of an application, named Mac_installer.app, with a generic Apple installer package icon. The extension, of course, was hidden to make it look more like an installer.

Running the installer brought up a generic license agreement, displayed in a window mimicking the official Apple installer:

[Screenshot: Mac_Installer, first page]

As you can see, this seems to be an installer for something called Gophoto.it, and it also has checkboxes to agree to install Dynamicpricer and Jollywallet. Clicking Continue without making any changes caused a window to appear and disappear quickly (which, it turns out, was a separate included installer for what is being called Dynamicpricer), then the second “page” of the “installer” is shown:

[Screenshot: Mac_Installer, second page]

This time, you’re asked to approve installation of Genieo, and clicking Continue here results in the Genieo installer opening, prompting the user to install Java, etc. The Genieo installation is the least interesting part here, as it is behaving exactly as Genieo has been behaving for some time.

At this point, once installation is done and the “installer” app quits, the test system has been quite thoroughly infected with adware. It had no less than four different adware programs installed, one of which was completely new to me. One of these was Genieo, as mentioned. Two others were Jollywallet and VSearch, aka DownLite, which is being called Dynamicpricer here.

Jollywallet is fairly straightforward. It seems to just consist of a Safari extension, which is easily removed by the user through Safari’s preferences. It even provides an uninstaller… if the user can find it, though that’s unlikely, since the disk image containing the installer and uninstaller is buried in an invisible temporary folder.

VSearch – or DownLite, or Dynamicpricer, or whatever name it seems to go by – installs a number of background processes that are hidden away where the average user isn’t likely to find them, and does not include an easy-to-remove browser extension.

Worst of all was GoPhoto, the adware that had a sudden upswing in infections several days ago. This adware consisted of the usual GoPhoto.it browser extension, installed into all three browsers: Safari, Chrome and Firefox. It is easily removed from both Safari and Chrome, but in Firefox it pulls some additional tricks that make it harder to eradicate.

In Firefox, the extension does something to make it impossible to actually delete it through the Firefox user interface. The user has to seek out and remove a cryptically-named folder, buried away in a hidden Mozilla folder. The user also has to seek out and delete a couple JavaScript preference files, also tucked away in a hidden Firefox folder.

[Screenshot: GoPhoto prefs.js changes]

It is this last thing that is so concerning. The prefs.js file is part of the user’s profile in Firefox, and the JavaScript code it contains runs when Firefox opens. On my test system, with a fresh Firefox installation, the prefs.js file was a mere 3 Kb. After installing GoPhoto, the file ballooned to 793 Kb, having been stuffed full of 790 Kb worth of “minified” (and thus hard to read) JavaScript code.

What this code does I still have no idea, but you can bet it’s nothing good. It’s tucked away in a place that most users would never even think to look, and will remain there even after the user manages to successfully remove the GoPhoto.it extension.
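A defender checking for the kind of prefs.js tampering described above can do so without reading the minified code: a clean Firefox prefs.js contains only comments and one `user_pref("name", value);` call per line, so any other non-blank line is foreign content, and the byte count of those lines approximates how much was injected. The script below is an added example, not code from The Safe Mac or from any of the adware discussed; the profile contents it analyses are constructed inline to stand in for a real `~/Library/Application Support/Firefox/Profiles/<profile>/prefs.js`, and the `strip_foreign` helper is an assumed remediation step that keeps only the recognised lines.

```python
# Added example (not from The Safe Mac or GoPhoto): audit a Firefox prefs.js
# for content that is not a normal preference line. A clean prefs.js consists
# of comment lines and user_pref("name", value); calls, so anything else is
# worth a look. The file contents below are constructed for the demonstration.
import re
from dataclasses import dataclass, field

# One preference per line: user_pref("name", value);
USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]*)",\s*(.+)\);\s*$')
# Header comments Firefox writes: "// ...", "/* ...", " * ...", " */"
COMMENT_RE = re.compile(r'^\s*(//|/\*|\*)')


@dataclass
class PrefsReport:
    size_bytes: int                      # whole file, for the "ballooned" check
    pref_count: int = 0                  # well-formed user_pref lines
    foreign_bytes: int = 0               # bytes in lines that are not prefs/comments
    foreign_lines: list = field(default_factory=list)  # (line_no, preview)

    @property
    def clean(self) -> bool:
        return not self.foreign_lines


def _is_pref_or_comment(line: str) -> bool:
    return bool(USER_PREF_RE.match(line) or COMMENT_RE.match(line))


def audit_prefs(text: str) -> PrefsReport:
    """Classify every line of a prefs.js and report anything unexpected."""
    report = PrefsReport(size_bytes=len(text.encode("utf-8")))
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or COMMENT_RE.match(line):
            continue
        if USER_PREF_RE.match(line):
            report.pref_count += 1
        else:
            report.foreign_bytes += len(line.encode("utf-8"))
            report.foreign_lines.append((no, line.strip()[:60]))
    return report


def strip_foreign(text: str) -> str:
    """Assumed remediation: return prefs.js with only comments/prefs kept."""
    kept = [ln for ln in text.splitlines()
            if not ln.strip() or _is_pref_or_comment(ln)]
    return "\n".join(kept) + "\n"


# Constructed sample: a normal Firefox header and three prefs, followed by
# two lines of minified JavaScript standing in for an injected payload.
SAMPLE_PREFS = """\
// Mozilla User Preferences

/* Do not edit this file.
 *
 * If you make changes to this file while the application is running,
 * the changes will be overwritten when the application exits.
 */

user_pref("browser.startup.homepage", "about:home");
user_pref("browser.startup.page", 1);
user_pref("extensions.lastAppVersion", "28.0");
(function(){var a=document,b=window;b.__x=function(){return a.body};})();
var z=!function(){for(var i=0;i<9;i++){}}();
"""

if __name__ == "__main__":
    r = audit_prefs(SAMPLE_PREFS)
    print(f"size={r.size_bytes}B prefs={r.pref_count} "
          f"foreign={r.foreign_bytes}B clean={r.clean}")
    for no, preview in r.foreign_lines:
        print(f"  line {no}: {preview}")
```

Run it against a real profile by reading prefs.js into `audit_prefs`; a report whose `foreign_bytes` is a large fraction of `size_bytes` is the pattern the article describes, and `strip_foreign` shows what the file would look like with only legitimate lines kept (Firefox rewrites prefs.js on exit, so apply any change with the browser closed).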

As usual, these kinds of scams can be easily avoided by exercising caution online. If something seems too good to be true, it probably is. If something is being offered for free when other people pay for it, it’s almost certainly a scam, or worse. This kind of adware is also very commonly encountered when downloading illegal material from torrents or sites like Pirate Bay, so avoid such things not only because they are illegal and unethical, but also because they can harm your computer.

I keep pestering Apple’s product security folks about these things, and have submitted a copy of this adware installer and a description of its behavior to them. Hopefully, they will eventually decide to start blocking adware like this, in the same way they block malware with XProtect.

To remove these things, and other adware, see my Adware Removal Guide.



28 Comments

  • Jay says:

    Thanks for the good work!

    • Frank says:

      WOW! I think I have literally ‘been saved’ by the info you have provided here. The last few days I have been bug conscious about my MAC.. Somehow I got the ‘FBI’ virus, and I am pretty sure I got rid of that. Tonight I noticed that MAC INSTALLER 1.0 somehow appeared among my downloads. I used PREVIEW to look at it, and it all appeared legit. In a way it kind of made sense because a day or so ago I got a notice from Apple (maybe thru Software Update? I don’t remember. . . or maybe it wasn’t Apple at all) to upgrade to Mavericks for free–I now have Snow Leopard 10.6.8 (with which I am quite happy). So, in my rudimentary investigation of MAC INSTALLER 1.0 it kind of seemed that it would be appropriate to do the MAC INSTALLER 1.0 update before the Mavericks upgrade. Fortunately I was a bit dubious about it all, figuring that if THE MAC INSTALLER were really needed, I would be getting it at the time as part of my formal Apple Mavericks upgrade, rather than just getting the Installer piecemeal appearing as an unasked-for download. Consequently, I began to doubt and then I searched, which led me to you and your website. Because of your info, I have not and will not download the MAC INSTALLER. THANKS. This is a long way to say Thank You, but perhaps the story here will give you some insight as to how this INSTALLER may be getting around.

  • Sally says:

    Instructions as to where to find these files and code so we can delete them?

  • xChris says:

    When I see messages on sites like “update your codec” etc etc, I am sure 100% is a mal/ad-ware so I report them asap to:

    http://www.google.com/safebrowsing/report_badware/

  • Alan says:

    Gophoto appeared on my MacBook Air (probably via the First Row sports web site). Thanks for your help on identifying the problem of increased ads popping up on screen and redirection when browsing. I have been able to disable the extension in Firefox but have not been able to remove it from the Mac. When I follow the path “~/Library/Application Support” there is nothing for Mozilla or Firefox. If I follow “~/Library/Mozilla” the only item that is there is “Global.regs”. The problem of pop up ads appears to have been removed but I would prefer to delete this adware completely from the Mac. Can you please advise how I can resolve this? I am using a MacBook Air mid 2011 with OSX 10.9.2

    • Thomas says:

      Removal instructions are found in my Adware Removal Guide.

      If you’re not finding Mozilla or Firefox folders in ~/Library/Application Support, you’re probably looking in the wrong Library folder. Be sure you are looking in the one in your user folder.

  • Alan says:

    Brilliant – thank you. Located the folder as a “hidden” folder but then managed to delete adware from Mac following your guide.

  • Barb says:

    Thanks for the detailed and careful instructions. Here’s my story in case it helps anyone. I got infected with the Genieo yesterday (4/7/14) and luckily found these instructions. Although I didn’t opt in to the initial prompt to default to Genieo as my search engine, I was already infected because it was redirecting. Luckily I did not run the uninstaller. I just dragged the installer, app, and uninstaller into the trash. I never did find that file ‘launchd.conf’ nor did I find or thus delete any of the genieo files that would depend on it (.dylib). I did find a bunch of .plist files with genieo name in them which I removed (different names than the instructions but they’re probably just new names to fool antivirus software). You do really have to be careful to look in all of the ‘Library’ folders because I only found them after some sleuthing. I am not a mac expert so had to google around to learn where to find all of them. After removing everything I could find per the GREAT instructions, I rebooted and then looked around for the .framework file. I found none. But, the browser was still redirecting – bummer! I then checked /etc/hosts and that looked normal. No extensions in the browser that could be a problem. I finally did a restore to defaults in chrome and that seems to have worked. I hope I got everything. I am still spooked because I never found the launchd.conf.

    I was running latest google chrome. I was running Lion on iMac, have just upgraded to Mavericks so I can install and run a some antivirus and anti malware programs.

    A couple questions:

    Is there just one place to look for /private/etc/launchd.conf? It looks that way but am not certain.
    Does it sound like there is something else I need to do to be safe from genieo?

    • Al says:

      > Is there just one place to look for /private/etc/launchd.conf? It looks that way but am not certain.

      Yes, that’s the only place you need to look. As the instructions say, not all files will be present and the version that came out last week no longer uses that location.

      > Does it sound like there is something else I need to do to be safe from genieo?

      I think you covered it all, but if you spot anything else come back and ask here or on the Apple Support Community forum.

  • Gabiee says:

    This site saved my life!! THank you so much!

  • Lizzie says:

    Thank you Safe Mac! I picked up geneio after downloading what appeared to be a driver to use Logitech speakers with a mac- but when I tried to open the downloaded file- up came geneio.

    I followed your instructions- couldn’t find the initial /private/etc/launchd.conf file, but several of the files under step three.

    Followed the whole process, and when eventually restarted could find no evidence of geneio anywhere, except that IT STILL APPEARED IN CHROME. I did as Barb said and reconfigured my Chrome to default settings, and it seems to be gone but….

    is there anywhere else I should be looking?

  • Paul says:

    Hi there,

    Wanted to say a big thank you for the detailed information on how to uninstall Genieo.

    The instructions were very straightforward to follow and now I am a happy chap with the adware removed. Plus I have also learnt a few things about my mac, (I have recently moved from Windows based PC’s.)

    I have bookmarked your home page and will refer to it on a continual basis as it is a very good source of info.

    Many thanks

    Paul

  • Viomeb says:

    Followed your guide after having problems with Geneio, VSearch, and IPS.adwingate.com. Located files, trashed files, restarted, and emptied trashcan. Worked perfectly.

    Thank you so much!

    John

  • Jennifer says:

    I just got infected with this Fake Flashplayer updater. I removed the Photo.it extension, jollywallet and some others from my extensions. I have been reading your site for over an hour or more now and still cannot remove these distracting ads… do the above instructions explain how? I will try again tomorrow and read your instructions above, but at this point am very discouraged. I am afraid to go into file paths and system stuff to fix the problem. Is it hard to fix? thank you very much… jennifer

    • Thomas says:

      The removal instructions are in my Adware Removal Guide. If you find that you’re not able to, or afraid to, follow them for whatever reason, you’ll need to find someone near you who can sit down in front of your computer with you and help with that.

  • ramez says:

    Thank you so much, i was infected by VSearch and Gophoto by trying to download a CNBC series which is available for free in the USA but can’t access from outside the USA. so i found it on torrentz.eu and i must have downloaded the adware mentioned above. it is so bad that almost every click takes me to a different unwanted site.

    I called apple care and they couldn’t help me. i uninstalled chrome several times even using appremovel apps and nothing changed. then i did a search on adware removal mac and your site came across. i followed all your steps and sure enough i am free of this hideous adware.

    thanks soooooooooo much

  • Michael F. says:

    My late-model iMac was infected by VSearch/DownLite (lps.adwingate.com) and Genieo after visiting a dodgy movie site. Genieo was not too difficult to eradicate (or at least I hope it’s eradicated) but VSearch/Downlite totally evaded me until I found your great anti-adware site. I followed your instructions carefully and everything appears to be OK now. I never would have solved the problem on my own. I am grateful and have made a donation to support your efforts. THANK YOU!

  • Mandy F says:

    THANK YOU THANK YOU THANK YOU SO MUCH!! My husband had done an update last night for either Java or Adobe Flash Player. He isn’t sure which. I noticed the Genieo was our new default search engine and there was some sort of program scanning our Mac. I deleted both programs, but was still not completely confident they had been removed. The other scanning program is completely gone from my Mac, but the Genieo was still there even though I had uninstalled it. The Adware Removal Tool worked and deleted the rest I didn’t get! I cannot tell you how much I appreciate this!

  • Aissa says:

    THANK YOU! THANK YOU !!! THANKYOU. You are amazing… Saved up for ages to replace my 2006 macbook with a refurbished Mac Pro just 8/9 weeks ago and got malware trojan evil ad pop-ups. So worried all was lost. Peer pressure to get a torrent, I will never give in again!!!! I downloaded your software. Hours of looking at ways to do it myself and it was solved in under 5mins. You are so generous to share this. Thank you very much <3

  • KIrsten says:

    Thanks so much! I donated as I was relieved to get rid of this bug so easily following and downloading your FREE!! fix. I took the plunge and trusted and it’s taken me longer to write this than it took to automatically fix the issue. Thanks again- You rock!

  • alban says:

    How do I get it off Chrome on my Mac? It’s not in the extensions.

  • Laura says:

    I am not sure how the Genieo thingy had installed on my MBP but I was cleaning today the apps I don’t use and there it was.
    Thanks a lot for the Removal script. Worked like a charm!

    Next step: change all my passwords… ;-)

  • Ronald says:

    I just ran through the “adware removal guide” and was able to remove adware which was infecting my iMac.
    Thank you very much for your advice, it appears that everything was removed successfully !

  • Charlie says:

    Thanks for the advice and the adware removal device, much appreciated!


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.