A Trojan posing as a macOS cryptocurrency ticker called CoinTicker was discovered installing backdoors on unsuspecting users' computers, Bleeping Computer reported on October 29, 2018.
Cryptocurrency price tracker for Mac caught installing backdoors
Dozens of cyber-security publications have raised the alarm about another piece of cryptocurrency malware that was discovered on October 29, after a Malwarebytes forum user reported a Trojan.
Malwarebytes community member 1vladimir reported suspicious behavior by an app called CoinTicker on October 28, saying that the application claims to let users monitor cryptocurrency prices from the Mac toolbar, which updates itself automatically.
The news of a potential Trojan infiltrating macOS computers was confirmed in a Malwarebytes blog post by a computer security software developer employed on the site.
"Although this feature seems to be legitimate, the app is not really good in the background, without the user's knowledge," explains the Malwarebytes blog post, adding that "without any sign of problems, like authentication requests to root, there is nothing to suggest to the user that something is wrong."
According to Bleeping Computer, once installed, the CoinTicker application lets users select the cryptocurrencies whose prices they would like to monitor. It then adds a small informational widget to the macOS menu bar, which updates the prices as they change.
No sign of harmful activity
It is not yet known how many machines have been affected by the newly discovered malware or when the first computer was infected.
While the app, once downloaded, shows no sign of malicious activity, it has been shown that in the background the application secretly downloads two backdoors onto the infected Mac that allow an attacker to take remote control of the computer.
Thomas Reed, director of Mac & Mobile at Malwarebytes, said that at launch the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell. The GitHub repository from which the customized versions of the two backdoors came has been taken offline.
It is not yet known whether the CoinTicker app was designed solely for malicious purposes or was compromised by attackers. The app's website, however, has no contact information and contains only one download button, which has led many users to believe it was created exclusively for Trojan distribution.
Commenting on the problem, Malwarebytes said that CoinTicker serves as a warning that "bad things" can be done even without root privileges, as it requires only the user's normal permission to be installed. They advised their community members to install apps from sources they trust.