Bitcoin-stealing Mac malware found on popular download websites


Researchers at SecureMac have warned that they have discovered Bitcoin-stealing malware being distributed via CNet’s popular website and MacUpdate (a rival to the official Mac App Store).

The malware, named OSX/CoinThief, steals information related to users’ Bitcoin wallets and keys, and is said to have been found in trojanised versions of Bitcoin Ticker TTM (To The Moon), BitVanity, StealthBit, and Litecoin Ticker. (Litecoin is an alternative digital currency.)


CoinThief installs an extension into its victims’ Firefox, Chrome or Safari browsers, monitoring web traffic and attempting to intercept login credentials sent to many of the online Bitcoin exchanges and wallet sites. The information is then sent back to the malware authors via a remote server.

In an attempt to cover up their activity, the browser extensions disguise their true intentions by adopting innocuous names like “Pop-up blocker”, and use generic descriptions such as “Blocks pop-up windows and other annoyances.”

Because of this, even if you didn’t remember installing the extension, chances are that it wouldn’t set any alarm bells ringing.
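One way to look for that disguise on a Mac, as an added example that is not SecureMac's tooling or code from the original article: the script walks Chrome's installed extensions, resolves localised names, and flags any whose name or description matches the strings quoted above. It assumes Chrome's default profile path on macOS and that the disguise strings appear in the extension's manifest; `audit` and `resolve` are hypothetical helper names.

```python
import json
from pathlib import Path

# Disguise strings quoted in the article; matching is case-insensitive.
SUSPECT_NAME = "pop-up blocker"
SUSPECT_DESC = "blocks pop-up windows and other annoyances"
# Assumption: Chrome's default profile on macOS. Other profiles and browsers differ.
CHROME_EXT_DIR = Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"


def resolve(manifest_dir, manifest, value):
    """Resolve a Chrome __MSG_key__ placeholder via _locales/<default_locale>/messages.json."""
    if not isinstance(value, str):
        return ""
    if not (value.startswith("__MSG_") and value.endswith("__")):
        return value
    key = value[6:-2].lower()  # Chrome treats message keys case-insensitively
    try:
        path = manifest_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        for k, v in json.loads(path.read_text(encoding="utf-8-sig")).items():
            if k.lower() == key:
                return str(v["message"])
    except (OSError, ValueError, AttributeError, KeyError, TypeError):
        pass  # missing or malformed locale file: fall back to the raw placeholder
    return value


def audit(ext_root):
    """Return one finding per extension whose name or description matches the disguise."""
    findings = []
    # Chrome layout: <Extensions>/<extension id>/<version>/manifest.json
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        if not isinstance(manifest, dict):
            continue
        name = resolve(manifest_path.parent, manifest, manifest.get("name", ""))
        desc = resolve(manifest_path.parent, manifest, manifest.get("description", ""))
        if SUSPECT_NAME in name.lower() or SUSPECT_DESC in desc.lower():
            findings.append({"id": manifest_path.parts[-3], "name": name,
                             "description": desc,
                             "permissions": manifest.get("permissions", [])})
    return findings


if __name__ == "__main__":
    for f in audit(CHROME_EXT_DIR):
        print(f"REVIEW {f['id']}: {f['name']!r} permissions={f['permissions']}")
```

A match is a prompt to review the extension and its permissions, not proof of infection, since legitimate pop-up blockers use similar names.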

Clearly someone was able to dupe MacUpdate and CNet into accepting the bogus versions of the software, helping the online criminals to spread the malware to a wider audience.

Hopefully they will be more careful about vetting submissions in future, and will make efforts to confirm that developers and companies submitting software to their libraries are really who they say they are.

Mac users, of course, are something of a soft target as many of them still do not run any form of anti-virus software.

And without decent anti-virus software, what chance would the typical Mac user have against this Bitcoin-stealing malware?

Hang on to your hats everyone. Criminals love to go where the money is. And as more and more people experiment online with Bitcoin purchases, you can be sure that some hackers will be looking long and hard at how they might steal the digital currency away from them.


One Response

  1. Duped

    October 21, 2015 at 5:47 pm #

    Whoops. I’ve uninstalled this just now. What other actions are required to be safe?
