CoinTicker, an app for Mac that shows the current price of Bitcoin and other cryptocurrencies in the menu bar, has been found to contain two separate pieces of malware …
Malwarebytes shared the news on its blog after one of its forum members noticed suspicious behavior.
The CoinTicker app secretly installs not one but two different backdoors.
Without any sign of trouble, such as a request for root authentication, there is nothing to suggest to the user that something is wrong.
When launched, however, the app downloads and installs components from two different open source backdoors: EvilOSX and EggShell.
The app executes [a] shell command to download a customized version of the EggShell server for macOS.
The analysis does not reveal exactly what the malware is used for (it essentially creates backdoors that can be exploited in a wide range of different ways), but the company believes the goal is not difficult to guess.
Even if you do not know exactly what goal the hacker behind this malware had in mind, both EggShell and EvilOSX are broad-spectrum backdoors that can be used for a variety of purposes. Since the malware is distributed through a cryptocurrency app, however, it seems likely that it is intended to access users' cryptocurrency portfolios in order to steal coins.
Initially, this seemed to have been a supply chain attack, in which a legitimate app website was hacked to distribute a malicious version of the app […] However, on further inspection, it seems likely that this app was never legitimate in the first place. First, the app is distributed via a domain called coin-sticker.com. This is close to, but not quite the same as, the app name. Getting the domain name wrong would look terribly sloppy for a legitimate app. Adding to the suspicion, this domain appears to have been registered only a few months ago, on July 13th.
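The two red flags in that passage (a domain label that is close to, but not the same as, the app name, and a very recent registration date) can be turned into a simple triage check. The following is an added example written for this page, not code from the article or from Malwarebytes; the analysis date and the registration year are assumptions, since the text only gives "July 13th", and the distance and age thresholds are arbitrary choices for illustration.

```python
from datetime import date

# Constructed values for the worked example: the page gives only "July 13th"
# and "a few months ago", so the year and the analysis date are assumptions.
ASSUMED_REGISTERED_ON = "2018-07-13"
ASSUMED_ANALYSIS_DATE = "2018-10-29"


def normalize(label: str) -> str:
    """Lowercase and drop punctuation so 'coin-sticker' compares as 'coinsticker'."""
    return "".join(ch for ch in label.lower() if ch.isalnum())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_label(domain: str) -> str:
    """Return the registrable label, e.g. 'coin-sticker' from 'coin-sticker.com'.
    Naive: assumes a two-label domain with a single-label TLD."""
    return domain.lower().rstrip(".").split(".")[-2]


def assess_domain(app_name: str, domain: str, registered_on: str, today: str,
                  max_distance: int = 3, max_age_days: int = 180) -> list:
    """Flag a distribution domain that is a near-miss of the app name and/or
    was registered recently. Dates are ISO strings (YYYY-MM-DD)."""
    findings = []
    app = normalize(app_name)
    label = normalize(domain_label(domain))
    dist = levenshtein(app, label)
    # An exact match is expected; a small non-zero distance is the lookalike pattern.
    if 0 < dist <= max_distance:
        findings.append(f"lookalike: '{label}' is edit distance {dist} from '{app}'")
    age_days = (date.fromisoformat(today) - date.fromisoformat(registered_on)).days
    if age_days < max_age_days:
        findings.append(f"recent registration: domain is {age_days} days old")
    return findings


def demo() -> list:
    """The case from the article: CoinTicker served from coin-sticker.com."""
    return assess_domain("CoinTicker", "coin-sticker.com",
                         ASSUMED_REGISTERED_ON, ASSUMED_ANALYSIS_DATE)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

With the assumed dates, `demo()` reports both findings: the label is one edit away from the app name and the domain is 108 days old. The same function returns nothing for an exact-match domain with an old registration, which is the baseline a legitimate app would normally present.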
Malwarebytes says that CoinTicker acts as a warning that bad things can be done without root privileges.
An interesting note about this malware is that none of this requires anything other than normal user permissions. Root permissions are not required. There is often an excessive emphasis on malware needing root privileges, but this malware is a perfect demonstration that malware does not need such privileges to be highly dangerous.
As always, the only advice that remains is to install apps only from trusted sources.
Via TNW. Image: Shutterstock.