CoinTicker, a Mac app that displays the current price of Bitcoin and other cryptocurrencies in your menu bar, has been found two contain two separate pieces of malware …
Malwarebytes shared the news on its blog, after one of its forum members spotted suspicious behavior.
Analysis of the malware doesn’t reveal exactly what it is up to – it essentially creates backdoors that can be exploited in a wide range of different ways – the company thinks the goal isn’t hard to guess.
Without any signs of trouble, such as requests for authentication to root, there’s nothing to suggest to the user that anything is wrong.
When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell.
The app executes [a] shell command to download a custom-compiled version of the EggShell server for macOS.
Malwarebytes says that CoinTicker serves as a warning that nasty things can be done without root privileges.
At first, this looked like it could have been a supply chain attack, in which a legitimate app’s website is hacked to distribute a malicious version of the app […] However, on further inspection, it looks like this app was probably never legitimate to begin with. First, the app is distributed via a domain named coin-sticker.com. This is close to, but not quite the same as, the name of the app. Getting the domain name wrong seems awfully sloppy if this were a legitimate app. Adding further suspicion, it seems that this domain was just registered a few months ago on July 13.
As always, the advice remains to only install apps from sources you trust.
Via TNW. Image: Shutterstock.
