Genieo is a adware targeting macOS, first discovered in 2013. Genieo is one of the most widespread adware families ever to target macOS. It installs a browser hijacker that replaces the user's default homepage and search engine with Genieo's own search portal, which injects sponsored results and display ads. Genieo bundles itself with free software installers and uses deceptive install prompts to gain user consent, then installs a persistent LaunchAgent and browser extensions across Safari, Chrome, and Firefox. At its peak, Genieo was detected on more Macs than any other potentially unwanted program. CoreLock detects this threat using CoreLock detects Genieo through behavioral monitoring of browser configuration changes including homepage and search engine modifications, scanning for known Genieo LaunchAgent and LaunchDaemon persistence files, YARA rules matching the GenieoExtra framework binary signatures, and flagging bundled installer packages that contain hidden adware payloads.
Also known as: OSX.Genieo, InstallMac, Genieo Search
Genieo is one of the most widespread adware families ever to target macOS. It installs a browser hijacker that replaces the user's default homepage and search engine with Genieo's own search portal, which injects sponsored results and display ads. Genieo bundles itself with free software installers and uses deceptive install prompts to gain user consent, then installs a persistent LaunchAgent and browser extensions across Safari, Chrome, and Firefox. At its peak, Genieo was detected on more Macs than any other potentially unwanted program.
Bundled with free software installers from third-party download sites like Softonic, CNET Download, and MacUpdate
Deceptive 'custom install' dialogs where Genieo is pre-checked as an optional install that most users overlook
Fake Flash Player and Java update prompts on compromised or ad-supported websites
Direct downloads from genieo.com marketed as a 'personalized homepage' tool
Browser homepage and default search engine changed to Genieo search without your permission
Unfamiliar browser extensions named 'Genieo' or 'InstallMac' appearing in Safari, Chrome, or Firefox
A LaunchAgent plist file at ~/Library/LaunchAgents/com.genieoinnovation.macextension.plist
Increased display ads, pop-ups, and sponsored search results while browsing
Delete the Genieo application from /Applications/Genieo and remove the framework at /Library/Frameworks/GenieoExtra.framework. In Terminal: sudo rm -rf /Applications/Genieo /Library/Frameworks/GenieoExtra.framework
Delete Genieo persistence files: rm ~/Library/LaunchAgents/com.genieoinnovation.macextension.plist and sudo rm /Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist. Also check for com.genieo.engine.plist in both locations.
In Safari: go to Safari > Settings > Extensions and uninstall any Genieo-related extensions. In Chrome: go to chrome://extensions and remove Genieo. In Firefox: go to about:addons and remove any Genieo add-ons.
In each browser, manually reset your homepage and default search engine. Safari: Settings > General > Homepage. Chrome: Settings > Search engine. Firefox: Settings > Search > Default Search Engine.
Delete remaining Genieo files: rm -rf ~/Library/Application\ Support/com.genieoinnovation.Installer and rm -rf ~/Library/Caches/com.genieoinnovation.*. Check /private/etc/launchd.conf for any Genieo entries.
Run a full CoreLock scan to detect any remaining Genieo components, helper processes, or browser modifications that manual removal may have missed.
Always choose 'Custom Install' when installing free software and uncheck any bundled extras
Download software only from the Mac App Store or official developer websites
Never click 'Update Flash Player' or 'Update Java' prompts on websites — update through System Settings only
Use CoreLock to monitor for browser hijacking and unauthorized homepage changes
Real-time Detection
CoreLock detects Genieo through behavioral monitoring of browser configuration changes including homepage and search engine modifications, scanning for known Genieo LaunchAgent and LaunchDaemon persistence files, YARA rules matching the GenieoExtra framework binary signatures, and flagging bundled installer packages that contain hidden adware payloads.
Check which apps have camera access on your Mac and revoke access you didn't approve.
Check which apps have microphone access on your Mac and revoke access you didn't approve.
Check which apps have screen recording on your Mac and revoke access you didn't approve.
The most obvious sign is your browser homepage or search engine being changed to a Genieo search page without your permission. You may also see unfamiliar browser extensions named Genieo or InstallMac, increased pop-up ads, and a process called 'Genieo' or 'GenieoExtra' in Activity Monitor. Check ~/Library/LaunchAgents/ for files containing 'genieoinnovation' in the name.
Genieo is classified as adware and a potentially unwanted program (PUP), not a virus in the traditional sense. However, it behaves aggressively by hijacking browser settings, injecting ads, tracking browsing activity, and resisting removal through persistence mechanisms. Apple added Genieo signatures to XProtect, its built-in malware detection, confirming Apple considers it a genuine threat.
Genieo uses LaunchAgents and LaunchDaemons to automatically reinstall itself on reboot. If you only delete the application without removing the plist files in ~/Library/LaunchAgents/ and /Library/LaunchDaemons/, the persistence mechanism will re-download and reinstall Genieo. You must remove all persistence files and the GenieoExtra framework to fully eliminate it.
While Genieo's primary function is ad injection and search hijacking, its browser extensions can monitor your browsing activity, track search queries, and collect data about visited websites. Some variants have been observed collecting more detailed browsing data than disclosed. It is not a credential stealer like Atomic Stealer, but it does compromise your privacy.
Download CoreLock to detect and remove Genieo and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.
Download CoreLock FreeAvailable for macOS and Windows