Genieo adware proliferating
Published June 7th, 2015 at 9:00 AM EDT, modified June 7th, 2015 at 9:00 AM EDT
In recent months, several new variants of the Genieo adware have crossed my path. This adware is still pulling many of the same tricks – changing the search engine to Bing, and installing all kinds of junk that runs in the background and modifies browser behavior. However, it’s now using a variety of different names, perhaps in an attempt to make detection more difficult.
Until recently, variants of Genieo have only gone by two different names: Genieo and InstallMac. In the last few months, however, I’ve come across a number of new variants under new names: GoldenBoy, Texiday, and now Listchack.
In all these cases, a Safari extension by that name has been installed. In addition, these variants will install files in the user’s LaunchAgents folder having names and contents following predictable patterns. (LaunchAgents are used to keep processes running invisibly in the background at all times, even after restarting, or to run processes invisibly on a periodic basis.)
Some may question how I am able to connect these new names with Genieo. There are several ways. First, all of these variants include a Safari extension containing code that is identical in places to the older code found in Genieo’s Omnibar extension. All include the same three LaunchAgents, with minor changes to their names and content, that have been in use by Genieo and InstallMac for some time. And all seem to install the Genieo “Reset Search” app, a supposed uninstaller that has never done the job properly.
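As an added example (not from the original article or any tool it mentions), this Python script lists the LaunchAgents in a user's `~/Library/LaunchAgents` folder, shows what each one runs and which launchd keys keep it running, and flags any that mention one of the names above. It assumes a variant's agents contain its name in the file name, `Label` or program path; the article does not spell out the exact patterns, so review unflagged entries as well.

```python
import plistlib
from pathlib import Path

# Names this article ties to Genieo. Assumption: an agent installed by a
# variant mentions that name in its file name, Label or program path.
VARIANT_NAMES = ("genieo", "installmac", "goldenboy", "texiday", "listchack")

# launchd keys that start a job at login, keep it alive, or run it periodically.
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval", "StartCalendarInterval")


def describe_agent(path):
    """Summarise one LaunchAgent plist: what it runs and what triggers it."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # reads both XML and binary plists
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:  # unreadable or malformed file: report, don't stop
        return {"file": path.name, "error": str(exc), "matches": []}

    args = job.get("ProgramArguments") or []
    command = job.get("Program") or " ".join(str(a) for a in args)
    label = str(job.get("Label", ""))
    haystack = " ".join((path.name, label, command)).lower()
    return {
        "file": path.name,
        "label": label,
        "command": command,
        "triggers": [k for k in TRIGGER_KEYS if job.get(k)],
        "matches": [n for n in VARIANT_NAMES if n in haystack],
    }


def scan_launch_agents(folder=None):
    """Describe every .plist in the per-user LaunchAgents folder."""
    folder = Path(folder) if folder else Path.home() / "Library" / "LaunchAgents"
    if not folder.is_dir():
        return []
    return [describe_agent(p) for p in sorted(folder.glob("*.plist"))]


if __name__ == "__main__":
    for agent in scan_launch_agents():
        flag = "SUSPECT" if agent["matches"] else "review "
        detail = agent.get("error") or f'{agent["command"]} {agent["triggers"]}'
        print(f'{flag} {agent["file"]}: {detail}')
```
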
These Genieo variants are being installed through highly deceptive installers. In the case of the latest (Listchack), for example, the installer is downloaded from a site supposedly offering a download of the popular open-source VLC video player. The resulting download, however, is a disk image file called MPlayer.dmg, named for a different (and not legit) video player. Upon running the Installer app found on that disk image, the installer claims to be installing yet another player: Fast Player, one that I’ve never even heard of. And not a single one of these video players actually ends up being installed!
Avoiding these deceptive Genieo installers, and all other such adware installers, is fortunately quite easy: simply exercise care with what you download online. Only download from the developer’s site, and never download from other sites, especially “download aggregation” sites like Download.com and Softonic (which are both known to inject their own adware in many of their downloads). For more information on how to protect yourself from this kind of thing, see my Mac Malware Guide.
If you think you may have installed one of these new Genieo variants, you can remove it using my AdwareMedic app.