+ surreptitious application installation

From ema
EMA ID: ema-1022
Description: In OS X, application directories and files can be installed without the user's knowledge. Web browsers can also be hijacked, with their search engine and homepage set to defaults chosen by the installer. These files persist until the user manually deletes them.

One example is Genieo, an adware installer that abused the DYLD_PRINT_TO_FILE vulnerability. Genieo can gain access to the Mac Keychain and persists until removed by the user. When the program is executed, it creates the following files:

  • /Applications/Genieo.app
  • /Applications/Uninstall Genieo.app
  • ~/Library/Application Support/com.genieoinnovation.Installer/Completer.app
  • ~/Library/LaunchAgents/com.genieo.completer.download.plist
  • ~/Library/LaunchAgents/com.genieo.completer.update.plist
  • ~/Library/Safari/Extensions/Omnibar.safariextz
  • ~/Library/Application Support/Genieo/
  • /tmp/GenieoInstall.dmg
  • /tmp/tmpinstallmc.dmg

Next, the program changes the default search engine and homepage to the following domain: search.genieo.com

The program then installs the following browser extension: ~/Library/Safari/Extensions/Omnibar.safariextz

When the user inputs a search query it will appear to be carried out using Google Search, but the results will be from genieo.com.

References, Genieo (8/31/2015):

  • https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/
  • https://support.norton.com/sp/en/us/home/current/solutions/v103415336_EndUserProfile_en_us
  • https://www.symantec.com/security_response/writeup.jsp?docid=2014-071013-3137-99
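The artifacts listed above are what an incident responder would check a user profile for. The following is an added example, not code from this wiki or from any of the cited vendors: it looks for the home-directory paths named on this page and parses every LaunchAgent plist to flag the com.genieo.* agents that provide the persistence. The sample profile it builds is constructed data, and the /Applications and /tmp entries are left out so the scan can run against any directory.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError
# Artifacts named on this page, relative to the user's home (the /Applications and /tmp entries are omitted).
HOME_ARTIFACTS = [
    "Library/Application Support/com.genieoinnovation.Installer/Completer.app",
    "Library/LaunchAgents/com.genieo.completer.download.plist",
    "Library/LaunchAgents/com.genieo.completer.update.plist",
    "Library/Safari/Extensions/Omnibar.safariextz",
    "Library/Application Support/Genieo",
]
LABEL_PREFIXES = ("com.genieo.", "com.genieoinnovation.")

def find_artifacts(home):
    """Return every listed Genieo path that currently exists under home."""
    return [str(Path(home) / p) for p in HOME_ARTIFACTS if (Path(home) / p).exists()]

def suspicious_launch_agents(home):
    """Flag LaunchAgents whose Label or ProgramArguments point at Genieo; unparseable plists are reported too."""
    agents, hits = Path(home) / "Library/LaunchAgents", []
    for plist_path in sorted(agents.glob("*.plist")) if agents.is_dir() else []:
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)  # handles both XML and binary plists
        except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
            hits.append((str(plist_path), f"unparseable plist: {exc}"))
            continue
        label = str(data.get("Label", ""))
        program = " ".join(str(a) for a in data.get("ProgramArguments", []))
        if label.startswith(LABEL_PREFIXES) or "genieo" in program.lower():
            hits.append((str(plist_path), f"Label={label!r} runs {program!r}"))
    return hits

def write_sample_profile(home):
    """Constructed sample data, not a real capture: Completer.app, a Genieo-style agent, a benign agent."""
    completer = Path(home) / HOME_ARTIFACTS[0] / "Contents/MacOS/Completer"
    agents = Path(home) / "Library/LaunchAgents"
    for d in (completer.parent, agents):
        d.mkdir(parents=True)
    with open(agents / "com.genieo.completer.update.plist", "wb") as fh:
        plistlib.dump({"Label": "com.genieo.completer.update", "RunAtLoad": True,
                       "ProgramArguments": [str(completer), "-update"]}, fh)
    with open(agents / "com.example.backup.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.backup", "ProgramArguments": ["/usr/bin/true"]}, fh)

def demo():
    # Scan a throwaway profile filled with the sample data; returns (artifacts, agent hits).
    home = tempfile.mkdtemp(prefix="genieo-demo-")
    write_sample_profile(home)
    return find_artifacts(home), suspicious_launch_agents(home)
```

On a real machine, call `find_artifacts` and `suspicious_launch_agents` with the user's home directory; the benign com.example.backup agent in the sample is there to show the label and path checks do not fire on ordinary agents.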

Associated Capabilities/Subcapabilities: Persistence
