Surreptitious Application Installation

From ema
EMA ID: ema-1085
Description: In OS X, application directories and files can be installed unbeknownst to the user. Web browsers and search engines can also be hijacked and set to specific defaults. These files persist until the user manually deletes them.
Associated Behavior: persist after system reboot

Supporting Details:
One example is Genieo. Genieo is a byproduct of the DYLD_PRINT_TO_FILE vulnerability and can gain access to the Mac Keychain. It persists until it is removed by the user.

When the program is executed, it creates the following files:

  • /Application/
  • /Applications/Uninstall
  • ~/Library/Application Support/com.genieoinnovation.Installer/
  • ~/Library/LaunchAgents/
  • ~/Library/LaunchAgents/com.genieo.completer.update.plist
  • ~/Library/Safari/Extensions/Omnibar.safariextz
  • ~/Library/Application Support/Genieo/
  • /tmp/GenieoInstall.dmg
  • /tmp/tmpinstallmc.dmg

Next, the program changes the default search engine and homepage to the following domain:

The program then installs the following browser extension: ~/Library/Safari/Extensions/Omnibar.safariextz

When the user inputs a search query it will appear to be carried out using Google Search but the results will be from
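
A read-only triage check for the artifacts listed above, added here as an example (it is not from the ema entry and not Genieo's own code). It assumes a ROOT prefix (/ on a live system, or the mount point of an evidence image), a home directory given relative to ROOT such as Users/alice, and, for the LaunchAgent, an XML plist with the usual ProgramArguments array; the entry does not show the plist's contents.

```sh
#!/bin/sh
# Added example, not from the ema entry or Genieo: a read-only triage check
# for the artifacts listed above. ROOT is a prefix (/ on a live system, or
# the mount point of an evidence image); HOME_REL is the user's home
# relative to ROOT (assumed layout: Users/<name>). Nothing is modified.

# Per-user artifacts from the entry ("~" on the page is the user's home).
USER_ARTIFACTS='Library/Application Support/com.genieoinnovation.Installer
Library/LaunchAgents/com.genieo.completer.update.plist
Library/Safari/Extensions/Omnibar.safariextz
Library/Application Support/Genieo'

# System-wide artifacts from the entry, relative to ROOT.
SYSTEM_ARTIFACTS='Applications/Uninstall
tmp/GenieoInstall.dmg
tmp/tmpinstallmc.dmg'

# list_genieo ROOT HOME_REL: print one line per artifact that exists.
list_genieo() {
  root=${1%/}; home=${2%/}
  printf '%s\n' "$USER_ARTIFACTS" | while IFS= read -r rel; do
    if [ -e "$root/$home/$rel" ]; then printf 'user:   %s\n' "$root/$home/$rel"; fi
  done
  printf '%s\n' "$SYSTEM_ARTIFACTS" | while IFS= read -r rel; do
    if [ -e "$root/$rel" ]; then printf 'system: %s\n' "$root/$rel"; fi
  done
}

# count_genieo ROOT HOME_REL: number of artifacts present (printed to stdout).
count_genieo() {
  list_genieo "$1" "$2" | wc -l | tr -d ' '
}

# launch_agent_strings ROOT HOME_REL: the LaunchAgent plist is what survives
# a reboot (launchd reloads it at login). Print its <string> values, i.e. the
# program and arguments launchd would run, when the plist is XML; a binary
# plist needs `plutil -p` on macOS (assumption: XML plist, contents not on the page).
launch_agent_strings() {
  plist="${1%/}/${2%/}/Library/LaunchAgents/com.genieo.completer.update.plist"
  if [ ! -f "$plist" ]; then echo "no LaunchAgent plist under $2"; return 1; fi
  if head -c 5 "$plist" | grep -q '<?xml'; then
    sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' "$plist"
  else
    echo "binary plist: inspect with plutil -p '$plist'"
  fi
}

if [ "$#" -ge 2 ]; then
  list_genieo "$1" "$2"
  launch_agent_strings "$1" "$2"
fi
```

Run as `sh scan.sh / Users/alice` on a live Mac, or point ROOT at a mounted image; the system-wide /tmp and /Applications entries are reported for any HOME_REL.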

Inherited Attributes:

applicable platform: Mac OS X (unknown version), Mac OS X 10.0.x, Mac OS X 10.1.x, Mac OS X 10.10.x, Mac OS X 10.11.x, Mac OS X 10.2.x, Mac OS X 10.3.x, Mac OS X 10.4.x, Mac OS X 10.5.x, Mac OS X 10.6.x, Mac OS X 10.7.x, Mac OS X 10.8.x, Mac OS X 10.9.x
Date               Malware Family   URL
August 31, 2015    Genieo
February 24, 2015
July 10, 2014