Malicious Genieo installers persist
Published June 21st, 2013 at 4:06 PM EDT , modified November 22nd, 2013 at 7:19 AM EST
I wrote about the problems with Genieo a couple of times last month, when it was discovered that Genieo was being downloaded through fake Flash Player update pop-ups on some sites. Further research showed suspicious code inside the Genieo installer. Following those developments, Dr. Web and Intego both decided to add detection of Genieo as malware to their anti-virus products. Folks from Genieo’s support informed me that these problems would be taken care of. Unfortunately, one month later, it looks like the problems with Genieo persist.
A post on the Apple Support Communities caught my eye a couple days ago, in which it was claimed that Genieo was now being downloaded through a page that claimed to offer a video plug-in to view their content. After some probing, I was directed to the problem site:
On this site were a number of buttons leading to various other sites that did not seem to be directly related to the one shown above, all of which had questionable or poor ratings in Web of Trust. This page seems to be a gold mine of potential security-related issues, including (on roughly one page reload in three) a fake Flash Player scam that led to an Android ringtone site, which I would guess might be used to infect Android phones with malware.
Of most relevance to this particular investigation, though, was the yellow banner along the top of the screen, looking like an alert that a web browser might display and offering to install an “HD video codec.” On clicking the button in that banner, I was redirected to yet another questionable site, with a link to click to start the download:
On clicking this link, rather than a video codec, I ended up with a file named InstallGenieo.dmg. Opening this disk image results in a window containing an installer named “InstallGenieo”. Although the icon suggests an Apple installer package (.pkg), it is not one. It is actually a full application that has been given the same icon as an installer package file, so double-clicking it runs the application’s own code directly rather than handing a package to Apple’s Installer.
Running the installer creates a number of files, but not in the locations one would expect for this sort of thing. Similar adware usually installs a browser-specific extension/add-on, but the Genieo installer does not. It gains control of your search engine through sneakier means: it installs a couple of dynamic libraries and has them loaded into other processes by a low-level Unix configuration file, /etc/launchd.conf, which launchd reads at startup. These items are created in hidden Unix directories at the root of the system volume (/usr/lib and /etc), where the average user will never find them. Intego included a good description of these files in a post on the subject of Genieo last month.
Running the provided uninstaller seems straightforward enough, and beyond the fact that it doesn’t reset your browser’s home page (even if you check the box in the uninstaller that offers to do just that), it seems to work just fine. But in reality, Genieo is sneaky again. The installer adds a framework, GenieoExtra.framework, to the /Library/Frameworks folder. This framework contains a process with the misleading name “Application,” which is kept constantly running by a LaunchAgent named com.genieoinnovation.macextension.plist, installed in the /Library/LaunchAgents folder. After running the uninstaller, I was dismayed to find that this framework was left behind, as was the LaunchAgent that keeps it running. Sure enough, looking in Activity Monitor, I found that sneaky Application process looking back at me. What it does, I’m not yet sure, but it’s highly suspicious! In addition, the uninstaller left behind one of the dynamic libraries, though the launchd.conf entry that loaded it had been removed.
In all, these findings are very troubling. There is absolutely no good reason for Genieo to be behaving this way, while there are plenty of reasons ranging from merely unethical to outright malicious. At this time, I would strongly recommend avoiding Genieo, and would ask that all anti-virus companies consider Genieo to be at least a PUA (Potentially Unwanted Application), if not actually malware.
June 21, 2013 @ 4:55 pm EST: I have gotten a pointer to a second site that pulls the same tricks:
Clicking the Install HD Streaming Player button in the yellow banner redirects to another site, different from the one mentioned earlier. Clicking the Install button on that site results in downloading a Genieo installer. However, while the previous installer was apparently for the “webpic” partner (in Genieo’s partner program), this one is for a partner referred to as “genSomM_16”.
June 21, 2013 @ 8:27 pm EST: A colleague has warned me that removing /usr/lib/libgenkit.dylib without also removing /etc/launchd.conf will leave the computer unable to start up, because launchd.conf will still tell every newly launched process to load a library that is no longer there. This is a good point… be sure not to make this mistake: deal with /etc/launchd.conf first, and only then remove the library. Note that the uninstaller seems to properly unload those libraries, avoiding this problem, even if it fails utterly in other ways. I have clarified this above to prevent unfortunate accidents.
September 24, 2013 @ 5:24 pm EST: Changed the removal instructions slightly, to include manual removal of the launchd.conf file. Although that file is supposed to be removed by the uninstaller, I’ve had reports that indicate it may not be in all cases, and not removing it along with the other files will cause the computer to be unable to start up. So, for safety’s sake, I have added the redundant step of removing that file manually.
Note that I just tested the latest Genieo installer, and it does remove the launchd.conf file. However, I cannot guarantee that all uninstallers will do the same, as many Genieo partners seem to have their own installers (and uninstallers). Also, the latest installer still leaves the same components behind, as described back in June.
November 2013: Removed the removal instructions in favor of a link to instructions in my Adware Removal Guide.
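The audit and the removal ordering discussed in the post and its updates, as an added example that is not the post’s own code and not anything shipped by Genieo or its partners: a POSIX shell script that checks a volume for the components named above (the framework, the LaunchAgent plist, libgenkit.dylib and /etc/launchd.conf) and prints a removal plan that never deletes the library before launchd.conf stops referencing it. It assumes the loading mechanism is a `setenv DYLD_INSERT_LIBRARIES` line in launchd.conf (the “low-level Unix configuration file” described above); the function names and the fake root built at the end are assumptions for the demo, and the path list covers only what this post documents, so a clean result says nothing about files a different partner’s installer might add. Point it at a scratch directory first; against a live Mac, pass `/` and read the printed commands before running any of them.

```shell
#!/bin/sh
# Added example (not from the post or from Genieo): audit a volume for the
# Genieo components named in the post and print a removal plan that never
# deletes libgenkit.dylib before /etc/launchd.conf stops referencing it.
# ROOT is the volume to inspect: "/" for the running system, or a scratch
# directory for a dry run. Nothing here deletes anything; commands are printed.

# Components named in the post, relative to ROOT. Other Genieo partner builds
# may add more; this list is only what the post documents.
GENIEO_PATHS="Library/Frameworks/GenieoExtra.framework
Library/LaunchAgents/com.genieoinnovation.macextension.plist
usr/lib/libgenkit.dylib
etc/launchd.conf"

# genieo_audit ROOT: print each listed component that exists under ROOT.
# Returns 0 if at least one was found, 1 if none were.
genieo_audit() {
    root=${1:-/}
    found=1
    for p in $GENIEO_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "$root/$p"
            found=0
        fi
    done
    return $found
}

# dylib_removal_safe ROOT: 0 only if launchd.conf under ROOT no longer names
# libgenkit.dylib. launchd.conf injects it with a DYLD_INSERT_LIBRARIES line
# (assumed mechanism, see lead-in); deleting the dylib while that line remains
# is the mistake that leaves the Mac unable to start.
dylib_removal_safe() {
    root=${1:-/}
    conf="$root/etc/launchd.conf"
    if [ -f "$conf" ] && grep -q 'libgenkit\.dylib' "$conf"; then
        return 1
    fi
    return 0
}

# genieo_removal_plan ROOT: print the removal steps in a safe order: unload
# the LaunchAgent, neutralise launchd.conf, then remove the dylib, the
# framework and the plist. Output is meant to be read, then run by hand.
genieo_removal_plan() {
    root=${1:-/}
    plist="$root/Library/LaunchAgents/com.genieoinnovation.macextension.plist"
    conf="$root/etc/launchd.conf"
    [ -e "$plist" ] && echo "launchctl unload \"$plist\""
    if [ -f "$conf" ]; then
        # Only delete the whole file if Genieo's line is all it contains;
        # otherwise strip just that line (BSD sed syntax, as on OS X).
        if grep -v 'libgenkit\.dylib' "$conf" | grep -q '[^[:space:]]'; then
            echo "# $conf has lines unrelated to Genieo; strip only the Genieo line:"
            echo "sed -i '' '/DYLD_INSERT_LIBRARIES.*genkit/d' \"$conf\""
        else
            echo "rm \"$conf\""
        fi
    fi
    for p in usr/lib/libgenkit.dylib Library/Frameworks/GenieoExtra.framework; do
        [ -e "$root/$p" ] && echo "rm -rf \"$root/$p\""
    done
    [ -e "$plist" ] && echo "rm \"$plist\""
    return 0
}

# Demo on a constructed fake root (sample data, not a real infection).
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/usr/lib" "$demo/Library/LaunchAgents" \
         "$demo/Library/Frameworks/GenieoExtra.framework"
printf 'setenv DYLD_INSERT_LIBRARIES /usr/lib/libgenkit.dylib\n' > "$demo/etc/launchd.conf"
: > "$demo/usr/lib/libgenkit.dylib"
: > "$demo/Library/LaunchAgents/com.genieoinnovation.macextension.plist"
echo "== components found under $demo"
genieo_audit "$demo"
echo "== removal plan (in this order)"
genieo_removal_plan "$demo"
dylib_removal_safe "$demo" || echo "== libgenkit.dylib is NOT safe to delete yet: launchd.conf still loads it"
rm -rf "$demo"
```

The plan deliberately prints commands instead of executing them: on a real machine the `launchctl unload` step should be run as the user whose session loaded the agent, and the “Application” process should be confirmed gone in Activity Monitor before the framework is removed.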