+ surreptitious application installation
|Description:||In OS X, application directories and files can be installed without the user's knowledge. Web browsers and search engines can also be hijacked and set to specific defaults. These files persist until the user manually deletes them.
One example is Genieo, a byproduct of the DYLD_PRINT_TO_FILE vulnerability. Genieo can gain access to the Mac Keychain and persists until removed by the user. When the program is executed, it creates the following files:
Next, the program changes the default search engine and homepage to the following domain: search.genieo.com. The program then installs the following browser extension: ~/Library/Safari/Extensions/Omnibar.safariextz. When the user enters a search query, it appears to be carried out using Google Search, but the results actually come from genieo.com.
References (Genieo, 8/31/2015):
https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/
https://support.norton.com/sp/en/us/home/current/solutions/v103415336_EndUserProfile_en_us
https://www.symantec.com/security_response/writeup.jsp?docid=2014-071013-3137-99
|Associated Capabilities/Subcapabilities:||Persistence