Malicious download installs Genieo and GoPhoto.it adware
Published November 26th, 2013 at 3:39 PM EST , modified November 27th, 2013 at 12:25 PM EST
I have written previously about Genieo, which is adware that has used somewhat sneaky methods to get installed in the past, and whose uninstaller leaves behind deceptively-named components that remain actively running afterwards. This is bad news, but at least Genieo has always, to my knowledge, required the user to manually run an installer clearly named “Install Genieo”, regardless of what the site it was downloaded from called it. This is no longer the case, as I have found an installer that does not behave this way. In addition, this installer also installs the GoPhoto.it adware, which I have never written about.
The installer in question is downloaded from a site offering a “FirstRow Sports app,” which purports to allow the user to watch a variety of sporting events live at no charge. Of course, the site also redirects users to all manner of other scam sites, such as a “free movie” site and a MacKeeper ad site.
Often, though, these sites are opened as “pop-unders,” meaning that they open in a window behind the current browser window, so the user may not find them until much later and may not associate them with the site generating them, and thus with the downloaded app.
Users who download the app will find themselves in possession of a SportsApp_Mac_Installer.zip file, which expands into what looks like a standard Apple installer package. It even has the same icon as an installer package. However, it is actually an application.
When opened, the application immediately mimics the Apple installer, but oddly, it seems to be offering to install GoPhoto.it:
If the user continues with the installation, the next screen contains a license agreement for Genieo:
Continuing from here results in completion of the installation. However, the promised live sports streaming app never materializes. There is no such app added to the system anywhere. The sole payloads appear to be GoPhoto.it and Genieo.
After installation completes, the Genieo installer begins. Interestingly, this older Genieo installer (dating back to August of this year) does not seem to install a lot of the sneaky junk that more recent Genieo installers do. Removal of this version of Genieo seems simple: just delete the Genieo and Uninstall Genieo apps and change your browser’s home page back to what it was before. However, I nonetheless advise following the full removal procedure found in the Genieo removal section of my Adware Removal Guide. If none of the other files are found, great, but it’s important to look, just in case something changes.
GoPhoto.it removal is also simple for the most part, although Firefox users will have a file installed that disables some of Firefox’s security features relating to Firefox add-ons. To remove this, see the GoPhoto.it removal section of my Adware Removal Guide.
This is really nothing particularly new. Adware is becoming more and more prevalent for the Mac, and as a result, great care is needed when downloading new apps. I mention this particular case mostly as an illustration of what can happen if you aren’t careful, and a reminder to avoid shady sites when downloading software. Keep in mind that even some fairly mainstream download sites, such as Download.com and Softonic, are guilty of inserting adware into their downloads. (See Boycott CNET’s Download.com and Boycott Softonic.)
November 27, 2013: If you scroll down to the comments, you will notice a lengthy discussion between myself and someone calling himself “ThomasFake,” who portrays himself as a satisfied user of Genieo. I was suspicious, though, so I finally decided to do a little digging.
This individual, posting from what looks like a fake GMail account, has posted all comments from the IP address 220.127.116.11. This IP address turns out to be located in Israel, which is where Genieo (the company) is located. Acting on a hunch, I decided to look back through my e-mail messages, and found that messages I have exchanged with several different Genieo representatives came from that same IP address:
A little more digging turn up the fact that this same IP address has been used to repeatedly edit the Malware section of the Genieo page on Wikipedia.
Another fake user, calling himself simply “Thomas,” who actually started the discussion that was then continued by ThomasFake, is posting from 18.104.22.168, which is another Israeli IP address. This address has also been very active in editing that Wikipedia page.
I am choosing to allow those comments to stand rather than censoring them. However, I reserve the right to block any future comments from either of these users.