The Safe Mac

Follow The Safe Mac on Twitter to stay advised of the latest Mac security news!


Malicious download installs Genieo and GoPhoto.it adware

Posted on November 26th, 2013 at 3:39 PM EDT

warning

I have written previously about Genieo, which is adware that has used somewhat sneaky methods to get installed in the past, and whose uninstaller leaves behind deceptively-named components that remain actively running afterwards. This is bad news, but at least Genieo has always, to my knowledge, required the user to manually run an installer clearly named “Install Genieo”, regardless of what the site it was downloaded from called it. This is no longer the case, as I have found an installer that does not behave this way. In addition, this installer also installs the GoPhoto.it adware, which I have never written about.

FirstRow Sports appThe installer in question is downloaded from a site offering a “FirstRow Sports app,” which purports to allow the user to watch a variety of sporting events live at no charge. Of course, the site also redirects users to all manner of other scam sites, such as a “free movie” site and a MacKeeper ad site.

Often, though, these sites are opened as “pop-unders,” meaning that they open in a window behind the current browser window, so the user may not find them until much later and may not associate them with the site generating them, and thus with the downloaded app.

Users who download the app will find themselves in possession of a SportsApp_Mac_Installer.zip file, which expands into what looks like a standard Apple installer package. It even has the same icon as an installer package. However, it is actually an application.

When opened, the application immediately mimics the Apple installer, but oddly, it seems to be offering to install GoPhoto.it:

SportsApp install 1

 

If the user continues with the installation, the next screen contains a license agreement for Genieo:

SportsApp install 2

 

Continuing from here results in completion of the installation. However, the promised live sports streaming app never materializes. There is no such app added to the system anywhere. The sole payloads appear to be GoPhoto.it and Genieo.

After installation completes, the Genieo installer begins. Interestingly, this older Genieo installer (dating back to August of this year) does not seem to install a lot of the sneaky junk that more recent Genieo installers do. Removal of this version of Genieo seems simple: just delete the Genieo and Uninstall Genieo apps and change your browser’s home page back to what it was before. However, I nonetheless advise following the full removal procedure found in the Genieo removal section of my Adware Removal Guide. If none of the other files are found, great, but it’s important to look, just in case something changes.

GoPhoto.it removal is also simple for the most part, although Firefox users will have a file installed that disables some of Firefox’s security features relating to Firefox add-ons. To remove this, see the GoPhoto.it removal section of my Adware Removal Guide.

This is really nothing particularly new. Adware is becoming more and more prevalent for the Mac, and as a result, great care is needed when downloading new apps. I mention this particular case mostly as an illustration of what can happen if you aren’t careful, and a reminder to avoid shady sites when downloading software. Keep in mind that even some fairly mainstream download sites, such as Download.com and Softonic, are guilty of inserting adware into their downloads. (See Boycott CNET’s Download.com and Boycott Softonic.)

Updates

November 27, 2013: If you scroll down to the comments, you will notice a lengthy discussion between myself and someone calling himself “ThomasFake,” who portrays himself as a satisfied user of Genieo. I was suspicious, though, so I finally decided to do a little digging.

This individual, posting from what looks like a fake GMail account, has posted all comments from the IP address 46.117.204.204. This IP address turns out to be located in Israel, which is where Genieo (the company) is located. Acting on a hunch, I decided to look back through my e-mail messages, and found that messages I have exchanged with several different Genieo representatives came from that same IP address:

X-Originating-Ip: [46.117.204.204]

A little more digging turn up the fact that this same IP address has been used to repeatedly edit the Malware section of the Genieo page on Wikipedia.

Another fake user, calling himself simply “Thomas,” who actually started the discussion that was then continued by ThomasFake, is posting from 77.127.58.116, which is another Israeli IP address. This address has also been very active in editing that Wikipedia page.

I am choosing to allow those comments to stand rather than censoring them. However, I reserve the right to block any future comments from either of these users.

Post to Twitter

Tags: , ,


55 Comments

  • Jay says:

    Any of the AV currently recognizing all the installed components that you know of?

    • Thomas says:

      As far as I know, only Intego and Dr. Web have reliably decided to include Genieo in their definitions database. A couple other anti-virus engines on VirusTotal will identify a few of the Genieo installers, but not many.

      I haven’t tested to see exactly what components are detected by which engines.

  • Thomas says:

    wow so much spam, Thomas you’re not a reliable source of information, Genieo is not a malware.

  • Thomas says:

    How can you say Genieo is a malware when nearly ALL anti-virus don’t define it as such? some one is paying you to say those stuff, and you’re accusing a company for nothing!

  • JoshS says:

    Users who have been tricked into installing Genieo certainly call Malware; some even call it a virus which it isn’t.

    It’s certainly more serious than Adware.

  • ThomasFake says:

    I’ve seen you call Genieo a malware in several cases, but it doesn’t matter, what does it benefit you to defame Genieo? just to advertise your website?

    Any user with basic knowledge should be able to remove Genieo if he wants, same like any other software out there, why do you think it’s different? if Genieo was malicious you’d have seen that it would cause system problems and/or take sensitive information from the user, but it’s NOT the case, so I don’t see what’s your problem with Genieo, since you’re consistantly trying to blame them for something?

    • Thomas says:

      I believe that what I have written about Genieo speaks for itself.

      I have never before met anyone who wanted Genieo’s software on their computer. Everyone who mentions Genieo is looking for a way to get rid of it. I’m curious… what do you feel that Genieo does for you? What makes you like it so much that you’re willing to come here and harass me under a fake name?

  • ThomasFake says:

    I’ve seen many users that love Genieo and enjoy their newspaper, I don’t think you just know it, or willing to admit it.

    In any case, Genieo is giving you a newspaper based on what you surf, so it’s more customized, and it’s not bothersome if you remove the notifications.

    Genieo as a company seems to succeed, so I guess it speaks for itself, if they got enough users that use their software, it’s not of our judgement to say if it’s good or bad for the user, those that don’t want it don’t need ot download it in the first place, and if they do, they can remove it.

    • Thomas says:

      If you like Genieo, great. Tell me what you think about Genieo being installed instead of the claimed sports streaming app? Or, in previous cases, being downloaded after the user clicked a link to obtain an Adobe Flash Player update or video plugin? Or how about the fact that back in May I discovered code in the Genieo installer for downloading and installing the FkCodec malware? Are you okay with all of this.

      Personally, I think that you’re just a Genieo rep sent here for some astroturfing.

  • ThomasFake says:

    I don’t know about sports streaming applications, I’m not using any of those, and I don’t know about those video plugins or adobe flash player updates, but every user that got a brain shouldn’t download those stuff in the first place, if you want Genieo simply go to their website, same for flash player or a video plugin (which there’s no reason to download anyway if you’re using VLC as an example).

    There’s always malicious links and websites on the web, there’s a chance one or more of the distributors that work with Genieo aren’t using good methods but it’s not Genieo that does that, if you want to blame Genieo, blame their own links from their websites, not from something you found on the web that some private people or companies put there, that aren’t directly related to Genieo.

    • Thomas says:

      You’re welcome to your opinions. But you dodged the question of Genieo being caught in the act of collaborating in the installation of known malware. No opinions on that?

      As for capitalizing on “Genieo’s success”… I write about Genieo because people are constantly asking how to get rid of it. On Apple’s forums, for example, I see more people trying to find out how to remove Genieo than all other adware combined! These people need help, and the only thing they’re getting from Genieo support is “run the uninstaller,” which leaves behind all kinds of hidden junk that remains active.

    • linda says:

      I downloaded a user manual for a radio. BEHIND my browser, Genieo got into my Mac via this download. I was FURIOUS. I certainly have a brain ( retired science teacher) so don’t patronise me! I did not want Genieo and it was not quick nor easy to remove every part of it. It was sneakily downloaded without my permission and that is malicious. I’m glad I found how to remove it because the installer did not get rid of everything. It did nOT revert the homepage as you say, I had to do that manually in Preferences. How dare you interrupt my use of my Mac in this way. You interfered in my life and you and your aggravating Genieo are a plain malicious nuisance.

      • Thomas says:

        Just a quick note – be aware that the user you’re responding to is actually a Genieo employee under a fake name. I just point that out to make sure you’re not under the impression that those comments are in any way representative of me or this blog. I share your outrage at the way Genieo operates.

        • linda says:

          Thomas, I was responding *only to the Genieo guy, not to you; your blog has been useful, the Genieo employer patronising and ignorant of the aggressive way Genieo operates and how furious it makes people.
          He indicated one simply does not download it, but I am explaining it happened without by leave.
          I hope this guy better understands how people feel about this issue. I see he has ignored my post!Maybe he has disappeared since Nov 2013

  • ThomasFake says:

    And personally, I think you’re just trying to represent your website on Genieo’s success..it’s a shame, you should try to make stuff on your own =/

  • ThomasFake says:

    Thomas I don’t think Genieo is trying to manipulate the market by advertising their product with false links that don’t provide what they say they provide, it’s hard to refer to some unknown links you’re talking about.

    If you want to talk about Genieo, talk about their links, not links you find on the net that someone else might have modified for his own interests. And again, I’m not denying what you say, I just say that if you can’t prove any cooperation don’t blame Genieo, blame the website you found those links in, and post it that way.

    As for the people that ask for removing Genieo, running the uninstaller and removing the extension files, changing home page and search provider of the relevant browsers and deleting a few system files should do the work, though even if you don’t delete those the system files it won’t matter much (besides the little space on your pc) those files as far as I see aren’t active and won’t do any modifications.

    • Thomas says:

      Once again, you completely dodged the question. In May, I found code for installing the FkCodec malware in the Genieo installer that was available directly from the Genieo website. Genieo cannot dodge the responsibility for that, and I still have a code-signed copy of that installer for proof.

      As for the things left behind by the uninstaller, it’s very clear that you haven’t read much that I have written on the topic. The deceptively-named “Application” process left behind by the uninstaller, and kept running by a LaunchAgent, is well-documented in Malicious Genieo installers persist.

      Honestly, if you’re going to criticize my writings, don’t you think you should actually read what you’re criticizing?

  • ThomasFake says:

    It’s funny a friend of mine asked me a month ago about some software that’s doing exactly what Genieo is doing, changing your home page and search provider, and asked for my help since he thought it’s a virus.

    It’s mostly a problem of users that don’t know what they are doing and how the browser preferences works, but it’s easy to resolve and change it back, IF you got a clue.

  • ThomasFake says:

    Thomas could you please let me know what stuff is left behind that is active?

  • aa says:

    I see you have Genieo commenting about themselves :). They’ve been removing any unfavourable content at wikipedia too & blaming you for it.
    Anyway, the point was to mention that a couple of recent reports have shown /usr/lib/libimckit.dylib too

    • Thomas says:

      Interesting… I do notice that some things I added to the Genieo page on Wikipedia have been removed. (Either that or I’ve forgotten what I said!) Fortunately, it looks like someone else is keeping up with things there, as the page still mentions some of the problems.

      Thanks for the tip on the libimckit.dylib file… I’ll have to check that out. I haven’t noticed any versions of Genieo installing that file, but I’ll keep my eye out for it.

  • ThomasFake says:

    “Once again, you completely dodged the question. In May, I found code for installing the FkCodec malware in the Genieo installer that was available directly from the Genieo website. Genieo cannot dodge the responsibility for that, and I still have a code-signed copy of that installer for proof.”

    Again, I got no knowledge of that information you’ve written, but it’s in the past, and not relevant for today if you check the current links, so I see no point digging in there (unless you like to, but no one can validate it)

    “As for the things left behind by the uninstaller, it’s very clear that you haven’t read much that I have written on the topic. The deceptively-named “Application” process left behind by the uninstaller, and kept running by a LaunchAgent, is well-documented in Malicious Genieo installers persist.”

    Did you check recent Genieo installations after running the uninstaller? is that Application proccess still running after the uninstall? or are you again refering to something that’s not valid to the present?

    • Thomas says:

      I have verified the uselessness of the uninstaller periodically, as recently as last week. It actually leaves more things behind in the present version than it did back in May. This is most definitely a concern that is valid at the present time.

      As for a proven association with malware in the past, that is absolutely relevant information!

  • ThomasFake says:

    the uninstaller does remove most of the Genieo files, and revert the home page and search provider to what they used to be before Genieo got installed, some files are left behind, but it doesn’t make the uninstaller useless, and this is the solution most noobish user wants, the other files left behind don’t seem to do any harm, unless you got any evidance they do make some malicious stuff?

    • Thomas says:

      It actually does not revert the home page. I have tested that repeatedly, and have never had it properly reset. In fact, the uninstaller actually tells you when it completes that you need to go do that manually. So I’m not sure where you’re getting your information.

      As for the stuff that gets left behind, it really doesn’t matter what that stuff does. The fact is that 1) it is left behind, and 2) it continues running in the background. For a trusted app, this would be a nuisance, and I’m sure the problem would be addressed quickly. In this case, it has remained unaddressed since at least May, and the processes in question belong to an app that has had a known association with malware in the past. Are you really telling people that they should blindly trust that those processes are benign, simply because nobody has yet demonstrated otherwise?

  • aa says:

    [URL removed to avoid linking to a scam site]

    is another route to Genieo – more obvious than many once you’re redirected – but typical of the outright misleading methods used by Genieo partners to drive traffic their way.

    • Thomas says:

      That didn’t take me to a Genieo download. Often, though, those kinds of sites will redirect randomly, so one time you may get one thing and the next time something else.

      I did see a similar site recently that did something similar, and one of those redirects led me to a Genieo download.

  • aa says:

    I see, it led to Genieo several times in a row here, but they vary, for sure.
    first :

    [URL removed]

    then :

    [URL removed]

    which will get you a sample of the engine.plist requested elsewhere – although it only references something within the main Genieo app.

    • Thomas says:

      Thanks for the link to that variant of Genieo. Sorry I keep removing the links, I just don’t want to contribute to increasing their ranking on Google.

  • Thomas says:

    Thomas the revert got a bug with resetting Safari HP, but on Chrome and Firefox it works properly, and I’m aware of that bug. about that process I agree it should be tested since it’s not good it’s left behind, though it’s probably yet another bug.

    Genieo is a small company, it might take them time to fix those stuff, though I agree they should fix it asap.

  • bentkitty100 says:

    Ah, the sadness of astroturfing…

    I’m a little surprised that the MacKeeper people never tried to astroturf here… Then again, they did try to offer you a job…

  • Logan says:

    Has Apple been notified to block it with XProtect? – and has Apple updated it’s XProtect definitions?

    • Thomas says:

      Most anti-virus apps don’t recognize these things as malware. XProtect is no different, unfortunately. It contains no definitions for either Genieo or GoPhoto.it.

  • kath says:

    I have spent a whole morning finding out and uninstalling geneio software off my mac,,,,it is indeed a virus,,,and absolutely misleading I will never download off softonic again!!!!!!

  • Bill says:

    I saw a user on another forum remark that he had an unknown IP address try to access his Mac after inadvertently installing Geneio. I had same thing happen. At time i just figured it was a random mac looking for an internet connection but now im sure it is related to Genieo. Is there any way to check on this and be sure i’m through with it. Thanks.

  • SteveLaudig says:

    Genieo was hogging and bogging. My mac performance improved significantly after removing it. I never knowingly installed it. I read somewhere that the development firm is Israeli and may have government/military links.

    • Thomas says:

      It is an Israeli company. I have no information about whether it may have government or military affiliations. I would think not, though, as the code has been scrutinized by multiple security firms. If it were doing anything other than shoving advertising in your face, it would be big news and would be detected as malware by more than a tiny handful of anti-virus apps.

  • PK Hunter says:

    To anyone trying to actually argue that Genieo is useful. Seriously, die already. Genieo is NOT useful. Thank you to the author of this page to post this very useful information!

  • Regnier says:

    Hi,
    The above instructions do not suffice for me to get GoPhoto.it Installer off my 2012 imac/Safari.

    I found no extensions in safari per your advice but I do not see how you explain uninstalling the junk program. I can’t even quit GoPhoto.it Installer.

    Would be grateful for advice!

    • Thomas says:

      There is something going around right now that has an installer that doesn’t quit properly. I have a copy, but cannot replicate this behavior in my test system. Force quit the installer (press command-option-esc, select it and click Force Quit), then you can delete it. This particular installer will install both Genieo and GoPhoto.it. See the removal instructions referred to in the article. If you don’t find all components, it may be that the installer did not finish.

  • SS says:

    Hi,

    I could really use your help I am not sure what to do. I installed Genieo by mistake it was hidden as a flash update. I then ran the uninstaller that came with it. I have been reading your removal guide and here is the problem.
    I don’t have: /private/etc/launchd.conf
    The only ones I have are:
    /Library/LaunchAgents/com.genieoinnovation.macextension.plist

    /Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client

    /usr/lib/libgenkit.dylib

    And I have the framework file.

    I know it’s bad I have the .dylib and not the launchd. I am sorry I can’t remember what website it came from but I still have the fake installer if that helps.

    Please tell me what to do, it would be much much appreciated. Also, do I have to be worried about using the computer for things with my password? What does it do exactly.

    Thank you soo much!

    • Thomas says:

      Did you run the uninstaller? If so, it may have removed the launchd.conf file while leaving the .dylib file behind. If not, I would recommend seeking professional assistance.

      By the way, I opted not to respond to the e-mail you sent privately, because the e-mail address (cashmoney___@[redacted].com) looked like a fake spammer or phishing address. I gather at this point that it was probably valid. I imagine your e-mail has probably caused others some anxiety as well, and may even cause your e-mails to get caught in spam filters. You may want to consider changing it.

  • SS says:

    Hi,

    Thanks for your response! I just used a old junk account of mine because I didn’t want to log into my other addresses with the malware on my computer. I did run the uninstaller. What do you suggest I do now? Simply remove the rest of the files?

  • SS says:

    Thanks for clarifying and helping me out by responding I really appreciate your time. Do we know what harm this malware can cause?

    • Thomas says:

      Most anti-virus companies don’t consider it malware. It’s just adware. It has been known to use some pretty shady tricks to get installed, but doesn’t seem to actually do anything harmful. (Though it probably gathers your web browsing history to create your “newspaper styled start page.”)

  • SS says:

    Great, thanks for the information. I wish you all the best!

  • Xav says:

    I downloaded the uninstaller to remove Genieo noting that it had left files on my computer, and whilst hunting for a way to remove them, stumbled upon your site. Since downloading the uninstaller and running it then running ClamXav it detects this trojan:
    Filename Infection Name Status
    /Documents/Quarantine/804QyxLu.exe.part Osx.Trojan.Genieo Quarantined

    What is it?

    This is becoming I real pain in the ass, I don’t even know how Genieo was installed on my computer in the first place.

    • Thomas says:

      Don’t use the uninstaller, it doesn’t work. You’ve got to use something like my manual removal instructions. Be sure to follow those instructions precisely and you should be able to get rid of it. Note that, after running the uninstaller, a number of the files mentioned there will not be present, including the dangerous one that all the warnings are about… but it doesn’t get rid of everything!

      Genieo is detected as malware by some anti-virus apps, including ClamXav. It probably got installed when you downloaded something from the wrong place, as there are many sites out there offering ad-riddled junkware or legit software wrapped up in an adware installer.

  • Xav says:

    Also there still seems to be some Genieo process installed?

    sudo launchctl list | sed 1d | awk ‘!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}’
    Password:
    org.macosforge.xquartz.privileged_startx
    com.rim.tunmgr
    com.rim.BBDaemon
    com.microsoft.office.licensing.helper
    com.github.GitHub.GHInstallCLI
    com.genieoinnovation.macextension.client
    com.adobe.SwitchBoard
    com.adobe.fpsaud

  • Xav says:

    Thanks Thomas, sorry for the repeat rant, I managed to remove it in the end!

  • Cass says:

    I think it is very important to understand that if you somehow interfered with the installation and only have the issue of not being able to reboot, you may not have (and hence, be unable to find) anything related to Genieo. This is what happened to me, I also did not understand how to Force-Quit something without right clicking and having MAC give me the option.

    If you cannot find anything about Genieo on your MAC but you do have gophoto.it preventing you from restarting or shutting down your computer, all you need to do is force quit the application by performing one of the following:

    “-Switch to another app, such as the Finder, then choose Force Quit from the Apple menu. Select the unresponsive app in the Force Quit window, and click Force Quit.
    -Press Command-Option-Esc, then select the unresponsive app from the Force Quit window that appears, and click Force Quit.
    -Hold down the Control and Option keys on your keyboard, and click the icon of the unresponsive app in the Dock. Select Force Quit from the menu that appears.
    -Open Activity Monitor from the Utilities folder or the Spotlight menu. Select the unresponsive app in the Activity monitor window. Choose Quit Process from the View menu, or click the Force Quit button in the toolbar of the Activity Monitor window.
    -If you cannot switch from the unresponsive app, press Command-Option-Shift-Esc for three seconds to force it to quit. This key combination tells OS X to force quit the frontmost app.”

    I worked on this for about an hour before finding a blog where someone had the same experience as I did. Simple fix.

    https://discussions.apple.com/message/24817108?tstart=0#24817108?tstart=0

  • Astrid says:

    Same thing as Cass here. If you “Skip” the installation, you’ll still need to force quit the installer. The GoPhoto.it browser extensions are still installed despite “skipping” it. However, skipping the Genieo/GoPhoto items does prevent most of the files listed in this guide from being installed in /Library/ and elsewhere.

This post is more than 90 days old and has been locked. No further comments are allowed.

This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.
For questions or comments, please contact me.