In recent months there have been a growing number of concerns regarding a software package called Genieo, which in some cases seems to have mysteriously appeared on people’s Macs.
When installed, the software results in a number of headaches, stemming from the inability to change browser search engines, to advertisements and warnings popping up when people use their systems.
What is Genieo?
Genieo is a “content recommendation engine,” which is installed on a local system to allow custom searches and targeted advertising to be presented on a homepage, managed through a browser extension. In essence, it tracks what you do and guides your searches and activity to relevant commercial sites and deals.
This is somewhat similar to home pages like Google, Bing, Yahoo, or Facebook that offer their own recommendations, offers, ads, and other details based on your internet activity; however, while these do so from you logging into an online account, Genieo does so from being installed on your computer.
The Genieo engine and installer are openly available at the Genieo Website, and while the intention behind Genieo may have started as a legitimate effort, the engine has been used in a number of ways and has a couple of behaviors associated with it that have been suspicious:
- Genieo has been found in fake Flash Player installers and other disguised packages, which is a tell-tale sign of malicious distribution of the software.
- Genieo has not been easy to remove. While the program comes with an uninstaller, using this has proven to be ineffective for clearing the system of installed files.
- Genieo uses unconventional modifications to the operating system to tag its services onto existing applications.
One of the major problems that Genieo faces, is it promises developers a distribution and monetization platform through its sister effort called “InstallMac.” While intended to be somewhat like the Mac App Store in ways, any developer can package their software with InstallMac and get paid for each installation. Therefore, simply by downloading and installing a relatively unknown and un-vetted application, you could have installed the Genieo framework, plug-ins, and applications on your Mac.
This type of activity has been part of many software downloads in the past, where you might have a Web toolbar such as those for Ask.com or Bing.com packaged with programs. One well-known instances of this is Oracle’s popular Java runtime being packaged with the Ask.com toolbar, with this offer being checked for installation by default, causing many to have this toolbar burden their Web experiences.
Detecting Genieo
If you are uncertain whether or not you have Geneio installed on your Mac, then you can check for some of the following behaviors and installed files on your Mac, which if present will indicate its presence:
- “Genieo.app” application in your Applicaitons folder
- Files beginning with “com.genieo…” located in the Macintosh HD > Library > LaunchAgents folder
- A folder called “Genieo” located in the “your home folder” > Library > Application Support folder (to get to this library, hold the Option key and choose Library from the Go menu in the Finder).
- Inability to change your default search engine
- Inability to change your browser’s home page
- The presence of a small house icon in your status menu bar
While some of these symptoms by themselves do not necessarily indicate the presence of Genieo, together they do show the software as being installed.
If you are still uncertain about whether or not Genieo is installed, many anti-malware utilities have adopted malware definitions that identify the Genieo installer and application files, and can at least warn you of their presence.
Removing Genieo
If you suspect the software is installed, then to remove it you should log into an administrative account on your computer and perform the following steps:
- Go to the Applications folder and remove the items “Genieo.app,” “Uninstall Genieo.app,” and “Uninstall UM Completer.app”
- Go to the Macintosh HD > Library > LaunchAgents folder and remove any file beginning with the name “com.genieo…,” which may include the following: com.genieoinnovation.macextension.plist com.genieoinnovation.macextension.client.plist com.genieo.engine.plist
com.genieo.completer.update.plist
- Go to the Macintosh HD > Library > LaunchDaemons folder and again remove any file beginning with the name “com.genieo…” The one in this folder may be called “com.genieoinnovation.macextension.client.plist”
- Go to the Macintosh HD > Library > PrivelegedHelperTools folder and again remove any file beginning with the name “com.genieo…”, which in this case may be “com.genieoinnovation.macextension.client.”
- Go to the Macintosh HD > Library > Frameworks folder and remove the file called “GenieoExtra.framework”
When this is finished, you now have to remove some deeper files and changes made to the system. One of the changes Genieo makes is to modify some of the system launcher’s parameters to allow the appending of dynamic libraries (in essence, executable extensions for a program) to applications you launch on your system. This is done by creating a system launcher configuration file with an custom setting that is read when the system launcher is loaded by the OS X kernel, and which allows for the loading of dynamic libraries along with programs that are launched.
Since a standard OS X installation does not come with any launcher configuration files configured, then unless you have purposefully made one, you can remove any that are present without affecting your Mac:
- In the Finder choose “Go To Folder” from the “Go” menu
- Enter “/etc” in the field that pops up
- Locate the file called “launchd.conf” that is located in the folder that pops up, and move it to the trash
You can optionally save a copy of this file to the desktop, just in case (in rare circumstances) it contains a legitimate modification implemented by another software package you use. The file is just a text file so opening it will not affect the system in any way, so if you open it in TextEdit and only see a single line that reads “setenv DYLD_INSERT_LIBRARIES”, then this can be removed. If there are other lines in the file, then make note of them as they might be related to other software packages you have installed, but keep in mind that the creation of this file and modifications to it are almost never done by legitimate software packages in OS X.
With this configuration file removed, again select “Go To Folder” from the Go menu, and this time enter “/usr/lib” in the field to open this hidden folder. In here, locate and remove the following files (only these), if present: