Surreptitious Application Installation

From ema
EMA ID: ema-1085
Description: In OS X, application directories and files can be installed without the user's knowledge. Web browser homepages and default search engines can also be hijacked and set to specific defaults. These files persist until the user manually deletes them.
Associated Behavior: persist after system reboot

Supporting Details:
One example is Genieo. The Genieo installer exploits the DYLD_PRINT_TO_FILE vulnerability and can gain access to the Mac Keychain. It persists until it is removed by the user.

When the program is executed, it creates the following files:

  • /Applications/Genieo.app
  • /Applications/Uninstall Genieo.app
  • ~/Library/Application Support/com.genieoinnovation.Installer/Completer.app
  • ~/Library/LaunchAgents/com.genieo.completer.download.plist
  • ~/Library/LaunchAgents/com.genieo.completer.update.plist
  • ~/Library/Safari/Extensions/Omnibar.safariextz
  • ~/Library/Application Support/Genieo/
  • /tmp/GenieoInstall.dmg
  • /tmp/tmpinstallmc.dmg


Next, the program changes the default search engine and homepage to the following domain: search.genieo.com

The program then installs the following browser extension: ~/Library/Safari/Extensions/Omnibar.safariextz

When the user inputs a search query, it will appear to be carried out using Google Search, but the results will be from genieo.com.
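As an added defender-side check, not part of the EMA record or of any vendor tooling, the following script reports the artifacts listed above and, more generally, any user LaunchAgent whose plist mentions genieo (the reboot-persistence mechanism). The ROOT and HOME_DIR parameters are assumptions so that a staged copy of a volume can be scanned offline.

```shell
#!/bin/sh
# Added example: look for the Genieo artifacts described on this page.
# ROOT defaults to "/" and HOME_DIR to $HOME for a live system; both are
# assumed parameters so a mounted or copied volume can be scanned instead.

# Print each listed Genieo path that exists; return 1 if any were found.
genieo_known_paths() {
    root="${1:-}"
    home_dir="${2:-$HOME}"
    hits=0
    for p in \
        "$root/Applications/Genieo.app" \
        "$root/Applications/Uninstall Genieo.app" \
        "$home_dir/Library/Application Support/com.genieoinnovation.Installer/Completer.app" \
        "$home_dir/Library/LaunchAgents/com.genieo.completer.download.plist" \
        "$home_dir/Library/LaunchAgents/com.genieo.completer.update.plist" \
        "$home_dir/Library/Safari/Extensions/Omnibar.safariextz" \
        "$home_dir/Library/Application Support/Genieo" \
        "$root/tmp/GenieoInstall.dmg" \
        "$root/tmp/tmpinstallmc.dmg"
    do
        if [ -e "$p" ]; then
            printf 'FOUND %s\n' "$p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Broader check for the persistence mechanism: any per-user LaunchAgent whose
# plist content mentions genieo, whatever file name it was dropped under.
# Binary plists still keep ASCII strings intact, so a case-insensitive grep
# catches the Label or ProgramArguments in either plist format.
genieo_launch_agents() {
    home_dir="${1:-$HOME}"
    hits=0
    for plist in "$home_dir"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -qi 'genieo' "$plist"; then
            printf 'LAUNCHAGENT %s\n' "$plist"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}
```

Run as `genieo_known_paths; genieo_launch_agents` on a live Mac, or pass a staged root and home directory; a non-zero status from either function means an artifact was found and should be reviewed.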


Inherited Attributes:

applicable platform: Mac OS X (unknown version), Mac OS X 10.0.x, Mac OS X 10.1.x, Mac OS X 10.10.x, Mac OS X 10.11.x, Mac OS X 10.2.x, Mac OS X 10.3.x, Mac OS X 10.4.x, Mac OS X 10.5.x, Mac OS X 10.6.x, Mac OS X 10.7.x, Mac OS X 10.8.x, Mac OS X 10.9.x
References:
Date               Malware Family   URL
August 31, 2015    Genieo           https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/
February 24, 2015                   https://support.norton.com/sp/en/us/home/current/solutions/v103415336_EndUserProfile_en_us
July 10, 2014                       https://www.symantec.com/security_response/writeup.jsp?docid=2014-071013-3137-99