Mac Cryptocurrency Price Tracking App Installs Backdoors to Control Host Computer
A Trojan pretending to be a macOS cryptocurrency ticker called CoinTicker was discovered installing backdoors on the computers of unsuspecting users, Bleeping Computer reported on October 29, 2018.
Mac Cryptocurrency Price Tracker Caught Installing Backdoors
Dozens of cybersecurity publications sounded the alarm over another cryptocurrency malware that was discovered on October 29, after a Malwarebytes forum user reported a trojan.
The Malwarebytes community member 1vladimir reported suspicious behavior by an app called CoinTicker on October 28, saying that the app purports to let users track cryptocurrency prices from within the Mac toolbar, which update automatically.
The news about a potential trojan infiltrating MacOS computers was confirmed in a Malwarebytes blog post by a cybersecurity software developer employed at the site.
“Although this functionality seems to be legitimate, the app is actually up to no good in the background, unbeknownst to the user,” Malwarebytes’ blog post explains, adding that “Without any signs of trouble, such as requests for authentication to root, there’s nothing to suggest to the user that anything is wrong.”
According to Bleeping Computer, when installed, the CoinTicker application allows users to select various cryptocurrencies whose prices they would like to monitor. It will then add a small informational widget to the macOS menu bar as shown below that updates the prices as they change.
No Signs of Malicious Activity
It’s still unknown how many machines have been affected by the newly discovered malware, or when the first computer was infected.
While the app, once downloaded, does not show any signs of malicious activity, further, inspection has been demonstrated that in the background, the application is secretly downloading two backdoors onto the infected mac that allows an attacker to take remote control of the computer.
Malwarebytes’ Director of Mac & Mobile Thomas Reed said that when launched, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell. The Github repository where the customized versions of the two backdoors came from has since been taken offline.
It is still not known if the Coin Ticker app was designed purely for malicious purposes or has been compromised by attackers. The app’s website, though, doesn’t have any contact information whatsoever and contains only a download button, which led many users to believe it was a hell made purely for the distribution of the Trojan.
Commenting on the issue, Malwarebytes said that CoinTicker serves as a warning that “nasty things” can be done even without root privileges, as it only required normal user permissions to be installed. They advised their community members to install apps from sources they trust.