Genieo adware downloaded through fake Flash updates
Article taken from TheSafeMac
Genieo adware downloaded through fake Flash updates
Posted on May 21st, 2013 at 9:41 PM EDT
For at least a couple months now, I have been hearing a lot of reports of fake Flash update notices appearing on a variety of different web sites, and resulting in the download of a Genieo installer. It has been difficult to track down a source, so that I could see this in action, but I finally found one. Although I still don’t believe that Genieo is actually malware, there is definitely some monkey business going on.
First, let’s take a look at what Genieo is. Genieo is adware that will change your web browser’s home page to display a personalized page, gathering information that it thinks you would be interested in. Because this software is free, the old adage about free products applies: “If you aren’t paying for a product, you are the product.” Genieo pays for itself by selling and displaying personalized “advertorials,” which are just ads disguised as stories.
If this sort of thing is desirable to you, and you’re okay with allowing Genieo to monitor your online activities so that they can personalize this information for you, then I have no argument with that. Many other companies are doing similar things every day, and are being much sneakier about it. Genieo is fairly up front about what they do, though of course they apply the expected marketing slant to it to make it sound less threatening. Further, they’re an identifiable entity, with a registered web site and published contact information, including phone number and postal address as well as e-mail.
So, the question is, what’s up with these surreptitious Genieo downloads? That’s a question I’ve been trying to answer for two months, with little success until now. The fake Flash alert seems to be coming up on a variety of different ad-driven sites, but I’ve never managed to hit the right ad to trigger the issue. Thanks to a poster on the Apple Support Communities, however, I found a URL opened in a new tab by one of these ads. When visiting that URL, I was immediately told (through a JavaScript alert) that I needed to download Flash Player.
Clicking OK (the only option, apart from force-quitting the web browser) results in loading a page that looks like this:
Clicking either “button” will result in downloading a file named InstallGenieo.dmg. This file contains a Genieo installer app that looks exactly like the one downloaded directly from Genieo’s web site.
So, what is different about this installer, and who is benefitting from this? The answer seems to be tied up in the Genieo Partners Program, which – if I’m understanding the language correctly – would seem to compensate partners for promoting Genieo. Examination of the code shows that the “malicious” Genieo installer grabs a value from a property list file in the installer package, then contacts analytics.genieo.com, passing that value (which I’m guessing is a partner ID) in the URL.
The “real” Genieo installer does not do the same thing. [Edit: Was looking at the wrong bit of code.]
Inside the “malicious” InstallGenieo package, the value being pulled from the genieo.installer.plist file is clearly readable:
<key>HKEY_CURRENT_USER\Software\Genieo\Components\Partner\active_partner</key> <string>genTugM</string>
In the “real” Genieo installer (i.e., the one downloaded directly from the Genieo web site), this value is set to “genieo” instead of the “genTugM” value seen above.
What I’m guessing from all this is that one of Genieo’s registered “partners” is pulling this stunt in order to generate more revenue, by getting Genieo to pay them for installations they are tricking people into performing. This is obviously dishonest, and hopefully Genieo will shut this partner down and put an end to the scam.
As scams go, this one’s pretty lame. There’s very little attempting to convince the user that the download is actually a Flash Player installer, which will raise most people’s suspicions immediately. Still, there are always people out there who are willing to install anything, no matter what the source… and perhaps such “low hanging fruit” is exactly what the people behind this scheme are trying to pick.