-
May 13, 2013 8:35 PM, in response to Javier23gol, by cobushmaster:
I just got a message telling me I needed to download Flash Player. It struck me as unusual, since I just recently downloaded a Flash Player update. When I attempted the download, I found an "Install Genieo" instead of a new Flash Player. I trashed it since I didn't know what it was. Seems phishy to me!
-
May 13, 2013 10:05 PM, in response to cobushmaster, by MadMacs0:
cobushmaster wrote:
> I just got a message telling me I needed to download Flash Player.
So the first thing you need to ask yourself is, where is this message coming from. In this case it was almost certainly an advertisement you saw in your browser. These need to be almost universally ignored, but if you have any doubts go to either System Preferences->Flash Player and in the Updates section hit the "Check Now" button or go to http://www.adobe.com/software/flash/about/ and find out what version you have and the version you need.
> When I attempted the download, I found an "Install Genieo" instead of a new Flash Player.
Lesson 2, never click the download link unless you are on the get.adobe.com web site or from System Preferences, if they ever fix it.
-
May 16, 2013 7:41 PM, in response to Javier23gol, by patesween:
I kept getting flagged by an Adobe Flash update stating "i need to update to view this website", but it was a site I've used before and never had a problem, and I would just close the pop-up and go on back to what I was doing with no problems. So I finally decided to go and download the update so the pop-up would leave me alone, and instead of Adobe appearing it was the Genieo zip. I closed before I actually downloaded the application or whatever it really is, but I'm just giving my two cents saying that it has been masked by other downloads of something actually significant, so that could be how it has been appearing on people's docks.
-
May 18, 2013 11:01 AM, in response to patesween, by gen_:
Flash updates will never be advertised by pop-ups in your browser. The only time you will be notified of needing an update within your browser is when your Flash is too old to run a certain piece of Flash-powered content and that content is replaced by an icon linking to Adobe's website (note that it will link you to a website where you get the file. It will not link you to the file itself.)
Flash updates are usually checkable outside of your browser by the method above.
-
May 21, 2013 2:20 AM, in response to patesween, by Genieo support:
Hi guys,
We do not use false Adobe pop-ups to install Genieo!!!!
Please send me a pic, a link or something to this Adobe update that installs Genieo,
so that we can investigate this.
-
May 21, 2013 2:05 PM, in response to Genieo support, by Heimdallen:
I was fortunate enough to have this same thing occur again, and this time (with your post in mind) I took screen shots of the entire process to document it for you and hopefully help you determine why and who is doing this. I've got 4 screenshots here documenting the process. Initially I was browsing the website Wowhead.com, and that is the first photo here, what I was doing just prior to this all happening:
[url=http://img706.imageshack.us/i/installgeniosneakattack.jpg/][img=http://img706.imageshack.us/img706/1316/installgeniosneakattack.th.jpg][/url]
Then, this tab popped up:
[url=http://img27.imageshack.us/i/installgeniosneakattack.jpg/][img=http://img27.imageshack.us/img27/1316/installgeniosneakattack.th.jpg][/url]
Upon clicking ok, the only option, it redirects to this page:
[url=http://img716.imageshack.us/i/installgeniosneakattack.jpg/][img=http://img716.imageshack.us/img716/1316/installgeniosneakattack.th.jpg][/url]
Finally, on that previous page, all of the links there ("See details...", "RECOMMENDED DOWNLOAD", and "INSTALL") prompt the immediate download of the file "InstallGenio.dmg" as shown in the fourth and final screenshot here:
[url=http://img827.imageshack.us/i/installgeniosneakattack.jpg/][img=http://img827.imageshack.us/img827/1316/installgeniosneakattack.th.jpg][/url]
I did not choose to open or save the disk image file, so I cannot tell you what happens from there. All I know is at that point I closed the tab and cancelled the download of the file, ending the entire encounter. I hope this helps you determine what is going on here. I know that other people have been getting this identical or nearly identical experience while browsing other websites, so I am sure it's not just "WoWhead.com" to blame.
In response to Gen_'s post, I personally have had legitimate pop-up or redirects to download Adobe Flash updates which were legitimate, bringing me directly to Adobe's website so I was sure it was on the level, and it always has been. Flash has been updated for me several times this way, downloading a .dmg which did indeed install a valid and latest version of Flash for me on my Mac running 10.8.3, so at least sometimes Adobe Flash updates do come this way when viewing a web page requiring a newer version of Flash than one is currently running. Just my personal experience.
Anyway, like I said, I hope this helps. Feel free to post any further questions about my post here, though I've tried to be as thorough as possible in documenting the experience with screen shots.
-
May 21, 2013 2:37 PM, in response to Heimdallen, by Heimdallen:
I apologize; for some reason my HTML isn't working properly and my thumbnail photos for links to the actual screenshots failed, and I'm unable to edit my post a second time to try and fix it. In case the links to the photos are a total disaster, here is simply a link to the gallery of the 4 images. They are in chronological order so you can follow along with the description as intended:
http://imageshack.us/g/1/10158991/
Apologies again for making a mess of what should have been a very pretty and organized response!
-
May 21, 2013 4:43 PM, in response to Heimdallen, by thomas_r.:
I managed to grab enough of the URL from one of your screenshots to see the fake Flash alert... thanks for that, I hadn't been able to actually see this in action before. I haven't done much with it yet, but comparing it to the download straight from Genieo's web site shows it is mostly the same. There are just a few differences of a few kilobytes each. It could just be an older version of Genieo, though the version number hasn't been changed. Or it could be that it has malicious modifications that were made by a third party. Impossible to say yet.
-
May 21, 2013 6:52 PM, in response to thomas_r., by thomas_r.:
Okay, I've had a chance to do a more in-depth analysis. I'm guessing, from what I found, that a Genieo "partner" is doing this in an attempt to get paid (by Genieo) for these installs. I would hope that Genieo is unaware of this and will put an end to it, and have informed them of the issue via e-mail... guess we'll see. The proof is in the pudding, as they say. Here's my full report:
-
May 21, 2013 7:39 PM, in response to thomas_r., by andyBall_uk:
> ... the “real” Genieo installer (i.e., the one downloaded directly from the Genieo web site)...
Genieo host a genTugM version too, both 'real', unless their site's been compromised.
You say "The “real” Genieo installer does not do the same thing" , but they both seem to contact the same url with an active_partner key - naturally that key differs.
Did installing download codec-m or qtrax ?
-
May 21, 2013 11:04 PM, in response to Heimdallen, by Genieo support:
Thank you.
The pics are really in bad quality and it's hard to see what's in them.
But give me a few days to try and reproduce this, and I promise to let you all know what we found and what, if at all, we are doing about this.
In general, gray rectangles without a company logo, like in your 2nd pic, are not to be trusted.
-
May 21, 2013 11:06 PM, in response to thomas_r., by Genieo support:
Hi Thomas,
Thanks for your help and email.
We will contact this partner to resolve this issue ASAP.
-
May 22, 2013 3:17 AM, in response to andyBall_uk, by thomas_r.:
> Genieo host a genTugM version too, both 'real', unless their site's been compromised.
Where do you see that? The only download I've been able to find directly from the Genieo web site is the one that uses the partner ID "genieo." Of course, there's got to be a way for partners to get a modified copy of the installer for themselves, so I won't be surprised if there's somewhere you can download a copy with the "genTugM" ID (as well as a number of other IDs).
> You say "The “real” Genieo installer does not do the same thing" , but they both seem to contact the same url with an active_partner key - naturally that key differs.
Yes, that was my mistake. I was tired when I posted last night, and had been looking at the wrong bit of code. I corrected my article this morning.
> Did installing download codec-m or qtrax ?
?
No, it just installs a copy of Genieo customized with the partner ID, so that that partner can get paid by Genieo.
-
May 22, 2013 4:06 AM, in response to thomas_r., by Heimdallen:
OK, apparently my previous choice for hosting the screenshots decreased their quality or size, so here are what SHOULD be 4 full size, full quality images. I'm really sorry that what should have been so simple has now stretched over 3 posts. See my post from yesterday for the explanation, though the series is pretty self explanatory.
http://i1332.photobucket.com/albums/w601/mikep480/InstallGenioPage1_zps2a5f4488.jpg
http://i1332.photobucket.com/albums/w601/mikep480/InstallGenioPage2_zpsa56f5499.jpg
http://i1332.photobucket.com/albums/w601/mikep480/InstallGenioPage3_zps541e22f7.jpg
http://i1332.photobucket.com/albums/w601/mikep480/InstallGenioPage4_zpsaa70eac6.jpg
I'm not used to hosting images and apparently free hosting sites like to decrease the dimensions of photos but at least these are still high quality so one can download and zoom in on them to see the URLs involved a bit easier.
-
May 22, 2013 4:03 AM, in response to Heimdallen, by thomas_r.:
To insert screenshots here, just click the camera icon in the forum post editor's toolbar, then upload the photos. You can't link to photos on external sites here anymore.
That said, simply clicking the links labeled with "url=" in your first post should go to the imageshack page and allow you to see the images full-size. That's how I got the URL that I did.