Malicious Genieo installers persist

Published June 21st, 2013 at 4:06 PM EDT , modified November 22nd, 2013 at 7:19 AM EST

I wrote about the problems with Genieo a couple times last month, when it was discovered that Genieo was being downloaded through fake Flash Player update pop-ups on some sites. Further research showed suspicious code inside the Genieo installer. Following those developments, Dr. Web and Intego both decided to add detection of Genieo as malware to their anti-virus products. Folks from Genieo’s support informed me that these problems would be taken care of. Unfortunately, one month later, it looks like problems with Genieo persist.

A post on the Apple Support Communities caught my eye a couple of days ago, reporting that Genieo was now being downloaded from a page that purported to offer a video plug-in needed to view its content. After some probing, I was directed to the problem site:

[Screenshot: Genieo fake codec 1]

This site carried a number of buttons leading to various other sites that did not seem directly related to the one shown above, all of them with questionable or poor ratings in Web Of Trust. The page seems to be a gold mine of potential security-related issues, including (on roughly one reload in three) a fake Flash Player scam that led to an Android ringtone site which, I would guess, might be used to infect Android phones with malware.

Of most relevance to this particular investigation, though, was the yellow banner along the top of the screen, looking like an alert that a web browser might display and offering to install an “HD video codec.” On clicking the button in that banner, I was redirected to yet another questionable site, with a link to click to start the download:

[Screenshot: Genieo fake codec 2]

On clicking this link, rather than a video codec, I ended up with a file named InstallGenieo.dmg. Opening the disk image mounts a volume containing a single item named “InstallGenieo”. Its icon suggests an Apple installer package, but it is not one: it is a full application that has been given the installer-package icon, so opening it runs the application's own code directly rather than launching Apple's Installer.

Running the installer creates a number of files, but not in the locations one would expect for this sort of thing. Similar adware usually installs a browser-specific extension or add-on; the Genieo installer does not. It takes over your search engine by sneakier means, installing a couple of dynamic libraries (one of them /usr/lib/libgenkit.dylib) that are loaded system-wide through /etc/launchd.conf, a configuration file that launchd reads at startup. Both live in hidden Unix directories at the root of the system drive, where the average user will never look. Intego included a good description of these files in a post on Genieo last month.

Running the provided uninstaller seems straightforward enough, and apart from failing to reset your browser's home page (even if you check the box that offers to do exactly that), it appears to work. In reality, Genieo is sneaky again. The installer also adds a framework, GenieoExtra.framework, to /Library/Frameworks. That framework contains an executable with the deceptively generic name “Application”, which is kept constantly running by a LaunchAgent, com.genieoinnovation.macetension.plist, installed in /Library/LaunchAgents. After running the uninstaller, I was dismayed to find that both the framework and the LaunchAgent that keeps it running were left behind. Sure enough, looking in Activity Monitor, I found that “Application” process looking back at me. What it does, I'm not yet sure, but a process that survives the vendor's own uninstaller and is named to blend in is highly suspicious. In addition, the uninstaller left behind one of the dynamic libraries, though the launchd.conf entry that loads it had been removed.

In all, these findings are very troubling. There is no good reason for Genieo to behave this way, while there are plenty of bad ones, ranging from merely unethical to malicious. At this time, I would strongly recommend avoiding Genieo, and would ask that all anti-virus companies consider Genieo to be at least a PUA (Potentially Unwanted Application), if not actually malware.

Removal instructions

See the instructions for Genieo removal in my Adware Removal Guide.

Updates

June 21, 2013 @ 4:55 pm EDT: I have gotten a pointer to a second site that pulls the same tricks:

[Screenshot: nbastream genieo 1]

Clicking the “Install HD Streaming Player” button in the yellow banner redirects to another site, different from the one mentioned earlier, and clicking the Install button there downloads a Genieo installer. The previous installer was apparently built for the “webpic” partner in Genieo's partner program; this one is for a partner referred to as “genSomM_16”.

June 21, 2013 @ 8:27 pm EDT: A colleague has warned me that removing /usr/lib/libgenkit.dylib without also removing /etc/launchd.conf will leave the computer unable to start up (“bricked”, in the loose sense): launchd.conf still tells the system to load a library that is no longer there. This is a good point, so be sure not to make this mistake. Note that the uninstaller seems to unload those libraries properly, avoiding this problem, even if it fails utterly in other ways. I have clarified this above to prevent unfortunate accidents.

September 24, 2013 @ 5:24 pm EDT: Changed the removal instructions slightly, to include manual removal of the launchd.conf file. Although that file is supposed to be removed by the uninstaller, I've had reports indicating that it isn't in all cases, and leaving it in place while removing the other files will leave the computer unable to start up. So, for safety's sake, I have added the redundant step of removing that file manually.

Note that I just tested the latest Genieo installer, and it does remove the launchd.conf file. However, I cannot guarantee that all uninstallers will do the same, as many Genieo partners seem to have their own installers (and uninstallers). Also, the latest installer still leaves the same components behind, as described back in June.
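The script below is an added example, not code from this post or from Genieo. It audits a volume for the components named above (libgenkit.dylib and /etc/launchd.conf from the installer description, the framework and LaunchAgent the uninstaller leaves behind) and, above all, for the state the June 21 and September 24 updates warn about: /etc/launchd.conf still asking launchd to insert a library that has already been deleted. It assumes launchd.conf carries the library as a "setenv DYLD_INSERT_LIBRARIES <path>" line, which is the launchd.conf syntax but is not stated on this page, and it takes a ROOT prefix so it can be pointed at a volume mounted from another Mac. The sample tree it builds for itself has made-up file contents and is there only so the script runs offline.

```sh
#!/bin/sh
# Added example, not Genieo's or the post author's code.
# Audits a macOS volume for the Genieo components named in the post and for the
# state that makes a Mac unable to start: /etc/launchd.conf still telling launchd
# to insert /usr/lib/libgenkit.dylib after the dylib has been deleted.
# ROOT is a prefix: "" for the running system, or the mount point of a volume
# attached in Target Disk Mode or booted from an external drive.

# Paths copied from the post. The LaunchAgent name is reproduced as the post
# spells it; partner builds may use other names, which genieo_launch_items
# catches by content instead.
GENIEO_PATHS="/etc/launchd.conf
/usr/lib/libgenkit.dylib
/Library/Frameworks/GenieoExtra.framework
/Library/LaunchAgents/com.genieoinnovation.macetension.plist"

# Print each known component present under ROOT. Exit 0 if any, 1 if none.
genieo_components() {
    root="$1"; hits=0
    for p in $GENIEO_PATHS; do
        if [ -e "$root$p" ]; then
            echo "present: $p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Print launchd plists under /Library/LaunchAgents and /Library/LaunchDaemons
# whose contents mention Genieo, so a renamed LaunchAgent is still found.
# Exit 0 if any match, 1 otherwise.
genieo_launch_items() {
    root="$1"; matched=0
    for dir in /Library/LaunchAgents /Library/LaunchDaemons; do
        for plist in "$root$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -qi genieo "$plist"; then
                echo "launch item: ${plist#"$root"}"
                matched=$((matched + 1))
            fi
        done
    done
    [ "$matched" -gt 0 ]
}

# Print every library that ROOT/etc/launchd.conf asks launchd to insert but
# that is missing from the volume. Exit 0 if at least one dangles (do not
# reboot until the file is removed or the library restored), 1 if nothing
# dangles or there is no launchd.conf at all.
# Assumption: the loader line has the form
#   setenv DYLD_INSERT_LIBRARIES /usr/lib/libgenkit.dylib
# and the value may be a colon-separated list.
launchd_conf_dangling() {
    root="$1"; dangling=0
    conf="$root/etc/launchd.conf"
    [ -f "$conf" ] || return 1
    while read -r cmd var value; do
        [ "$cmd" = "setenv" ] && [ "$var" = "DYLD_INSERT_LIBRARIES" ] || continue
        old_ifs=$IFS; IFS=:
        for lib in $value; do
            if [ ! -e "$root$lib" ]; then
                echo "dangling: $lib"
                dangling=$((dangling + 1))
            fi
        done
        IFS=$old_ifs
    done < "$conf"
    [ "$dangling" -gt 0 ]
}

# Build a constructed sample tree (made-up contents, not a real installation)
# in the dangerous state: launchd.conf still loads libgenkit.dylib, the dylib
# is gone, and the framework plus its LaunchAgent survived the uninstaller.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/lib" "$root/Library/LaunchAgents" \
             "$root/Library/Frameworks/GenieoExtra.framework"
    printf 'setenv DYLD_INSERT_LIBRARIES /usr/lib/libgenkit.dylib\n' \
        > "$root/etc/launchd.conf"
    printf '%s\n' '<plist><dict>' \
        '<key>Label</key><string>com.genieoinnovation.macetension</string>' \
        '<key>ProgramArguments</key><array><string>/Library/Frameworks/GenieoExtra.framework/Application</string></array>' \
        '<key>KeepAlive</key><true/>' \
        '</dict></plist>' \
        > "$root/Library/LaunchAgents/com.genieoinnovation.macetension.plist"
    echo "$root"
}

# Demonstration against the constructed tree.
ROOT=$(make_sample_tree)
genieo_components "$ROOT"
genieo_launch_items "$ROOT"
if launchd_conf_dangling "$ROOT"; then
    echo "unsafe to reboot: remove $ROOT/etc/launchd.conf or restore the library first"
fi
rm -rf "$ROOT"
```

Against the running system, call the three functions with an empty ROOT. Against a Mac that no longer starts, attach it to a working Mac in Target Disk Mode and pass the mount point; anything reported by launchd_conf_dangling is exactly the condition the September update describes, and deleting /etc/launchd.conf on that volume is what makes it bootable again.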

November 2013: Removed the removal instructions in favor of a link to instructions in my Adware Removal Guide.

35 Comments

  • Someone says:

    So, since I don’t really want to have to go through the manual removal, risking my computer, is there a simple way to avoid installing this crap?

    • Thomas says:

      Fortunately, it’s not too hard… if an InstallGenieo.dmg file ends up on your computer, throw it in the trash without opening it! 🙂

      • Someone says:

        Thanks! Obviously, that means you need to keep the “open safe files” turned off — or use Chrome, which doesn’t have such a feature!

      • Mikromy says:

        I can throw it in the trash but the trash can’t delete it!?

And still my virus program insists that the file still is where it was before I deleted it. I had it copied using Time Machine a while ago, so I don't have a backup without it.

        Any suggestions and help for me?

        • Thomas says:

          If you are unable to delete the InstallGenieo.dmg file, and your anti-virus software is detecting it as malware, most likely your anti-virus software is preventing you from making changes to that file. Try disabling the anti-virus software and see if that makes a difference.

          If that’s not it, you have a more general problem with your computer. Even if Genieo is installed, that wouldn’t prevent you from deleting this file.

  • ab says:

    good info

  • Lance says:

    Prevent, prevent, prevent. Great. Now take a minute and explain REMOVAL. Can iAntivirus remove it?

    • Thomas says:

      I already discussed removal, which is a difficult issue. See the end of the article. As for iAntivirus, it will not detect Genieo as malware, it isn’t much good at detecting Mac malware to begin with, and it doesn’t have any kind of facility for updating its definitions (beyond the infrequent updating of the app itself).

      • Someone says:

        A few things:
        1. iAntivirus is sort of cruddy AV software… I would suggest ClamXav or Sophos.
        2. Wouldn’t you rather not have to go through removing a piece of crap in the first place by preventing it?

  • Tom says:

Will Fortinet for Mac find this and remove this?

    • Thomas says:

      Probably not. Most AV software still isn’t detecting this as malware.

      • Someone says:

        I still say the best way to deal with this is to prevent it from ever happening. Most AV software probably will never see this as malware; only ADware. Annoying, yet technically harmless. So just prevent yourself from getting it. If you end up on a website saying you need to download something, force quit your browser, and if you see InstallGenieo in your Downloads folder, delete it. Easy peasy.

  • Lafaiete says:

Will Intego detect Thomas?

  • Lindsay says:

    I never intentionally installed Genieo, it just showed up on my computer one day (probably through a fake flash player download, as I watch a lot of TV online). I used to just always close the application when I started up my computer (which wasn’t often, so it was rarely a problem) but lately I’ve been having computer issues and then the icon at the top of the screen stopped being clickable, so I had to uninstall it to get the ads to go away. I only used the uninstaller and it worked fine – checked my library and that remaining launch agent file isn’t there.

  • Tom says:

Dr Web found it as well as Intego Express. It was found on my daughter's Mac and I installed it. Her Sophos had some warning a day or two before but she can't remember. It was there plain as day on her desktop so I installed it and then used Intego to repair it. Scans with the above 3 say it is not there now.

    • Al says:

This is probably going to sound strange, but at this point I would trust Genieo's uninstaller more than either Dr. Web or Intego's removal routines. I'm relatively certain that their detection routines don't search out all the pieces and parts that are installed by this thing, so just because they say it's not there I'd be willing to bet there are still component parts. Hopefully they aren't active components, so they won't do anything but take up a small amount of space.

      I can’t speak for Dr Web, but neither Sophos nor Intego found the “libgenkit.dylib” on my computer the day before this article was posted.

  • jorisw says:

Good job. Post instructions that brick a computer, then post an update at the end of the article reiterating not to do that. Jesus Christ. Thanks.

    • Thomas says:

      Actually, if you bothered to read it, the issue is in not following the instructions properly. If you follow the instructions as I wrote them, it shouldn’t cause a problem. Further, my instructions already say to run the Genieo uninstaller as the first step.

  • jorisw says:

    Should anyone else make the mistake of following the Terminal commands on this blog post without first running the Uninstaller app, do this to fix it:

    – Start up the Mac with Shift down, so it boots in Safe Mode
    – Open Safari
    – Google “uninstall genieo Mac”
    – Download the uninstaller app
    – Run it
    – Restart the Mac

    .. and all will be good.

  • Eyal says:

    Immediately remove misleading content about Genieo to avoid further action

Your sites (and links to your sites) contain misleading and defamatory information about Genieo software.

We strongly suggest removing this content within 48 hours to avoid further offenses.
Genieo is legitimate software, following the internet's strictest policies and industry standards: http://www.genieo.com/press/

    In contrast to your libel, Genieo (alone or as software-bundle) is selected by the user and any changes it performs are user approved as we follow our EULA and internet standards.

    If you are unhappy with our software, Genieo contains an uninstall package and has clear uninstall instructions at http://www.genieo.com/faq/#uninstall

    As your publications are intentionally false and damaging our business and good brand name, Genieo will be forced to take further legal action if you do not remove ALL such content by you and your associates within 48 hours.

    You are liable for any damage you incurred to Genieo and its users.

    Eyal,
    The Genieo Team.

    • Unhappy says:

Eyal, I’ve run the uninstaller several times, followed all instructions properly and still Genieo appears on my Chrome browser for my MacBook. For a company that claims to be legit, people are sure having a tough time getting rid of it. If it looks like honey, smells like honey and tastes like honey, it’s probably honey. You, sir, are malware.

    • vacri says:

      Good company name? Following internet standards? What nonsense. Why would you design a product that evades the user’s desires to select alternate search engines in their own software… if you were ‘following standards’.

      Thanks, Thomas, for the instructions to remove this malware.

  • Genieo support says:

    Hi Unhappy,

    Once Genieo is uninstalled and does not exist in your start application folder,
    Please go to your browser settings (CMD + ,) and change the default homepage and search to match your decision.

    you can also see instructions in the following links
    Chrome:
    Home page:
    http://support.google.com/chrome/bin/answer.py?hl=en&answer=95421&topic=1735105&ctx=topic
    Search provider:
    https://support.google.com/chrome/answer/95426?hl=en&ref_topic=14676
    IE: http://support.microsoft.com/kb/252464
    FF:
    Home page:
    https://support.mozilla.org/en-US/kb/How%20to%20set%20the%20home%20page
    Search provider
    https://support.mozilla.org/en-US/kb/search-bar-easily-choose-your-search-engine
    Safari: http://browsers.about.com/od/safar1/ss/safarihomepage_3.htm

    Best
    Genieo support

  • beth says:

Hi, perhaps Genieo has changed some things since your post, making your deletion instructions incorrect. I ran the uninstaller and followed your instructions exactly. When I restarted my computer as your instructions said to do, my computer wouldn't get past the grey start-up screen. I couldn't open it in safe mode either. Had to take the computer into the Apple Genius Bar. I'm hoping they'll be able to do a software reinstall but save all my data! Anyone who wants to try this tutorial should make sure they have absolutely everything backed up and be prepared to lose whatever is on their computer… moral of the story: don't install Genieo to begin with!

    • Thomas says:

      That sounds like the uninstaller did not correctly remove the /usr/lib/libgenkit.dylib /etc/launchd.conf file, as it should. I’ve also gotten another response from a reader today saying that no instructions have worked to remove the software, including those above. Perhaps the Genieo support folks would care to comment?

      • beth says:

So any suggestions, since it sounds like the uninstaller didn't do what it said it was going to do? Apple Genius Bar said they couldn't get the reinstall to work and are now talking hard drive replacement. Whatever that stupid program is, it really messed up my computer. Fingers crossed for some sort of data recovery…

        • Thomas says:

If they had to replace the hard drive, that’s not related to installing Genieo, or anything else. All hard drives fail with time, it’s just a matter of when. Your drive had probably been on the verge of failing for a little while now.

          • beth says:

            Ok, well, say its not a hard drive problem and the genieo uninstaller did not correctly remove the /usr/lib/libgenkit.dylib file before I did your manual uninstall instructions. Then how would you go about fixing it? The Genius Bar diagnostics said they were able to do a single-user boot but when they attempted a verbose boot, it stops after getting the kernel going.

          • Thomas says:

            Actually, I mis-spoke, I meant the /etc/launchd.conf file wasn’t deleted. In any case, though, you should have been able to boot in safe mode and then run the uninstaller again. Since you couldn’t boot in safe mode, it makes a lot more sense now that we know your hard drive was going bad. Most likely, it had nothing to do with the uninstaller not removing /etc/launchd.conf and everything to do with the hard drive’s failure.

      • Beth says:

        Turns out that the problem was not HD related and was almost certainly a Genieo related issue. A complete erase and reinstall fixed everything. Perhaps you should add the /etc/launchd.conf file to the list of files to manually delete before restarting and deleting the framework. If someone else runs into this problem, try starting up in target disk mode through firewire connection with another computer. You can at least get your files off your HD and then do an erase and reinstall.

  • Nathan says:

Just wanted to say thank you for the tip regarding removing /etc/launchd.conf. This fixed my customer’s bricked MacBook Pro!

    • beth says:

      How did you go about deleting this?

      • Nathan says:

        Hi Beth,

        I used an external bootable drive to boot from. Then I used Go To Folder… and found the hidden launchd.conf file and deleted it. Restarted machine and all back to good!

        If you don’t have a bootable external hard drive, you could reboot the infected Mac using Target Disk Mode to a working Mac and do the same thing.

        Good luck!