A contributor to the Malwarebytes forum, “1vladimir,” has detected backdoor-creating malware embedded in a free, downloadable cryptocurrency price-tracking app for Mac called CoinTicker.
“It seems that the app is covertly installing not just one but two different backdoors,” says a Malwarebytes blog post on the matter.
According to Malwarebytes, an anti-virus software maker, this malware is extraordinary because it doesn’t need “root permissions” to damage an infected system. “This malware is a perfect demonstration that malware does not need such privileges to have high potential for danger,” says the company.
The CoinTicker app seems legitimate at first and, as the blog post puts it, is “potentially…useful to someone who has invested in cryptocurrencies. Once downloaded, the app displays an icon in the menu bar that gives information about the current price of Bitcoin.”
The app also provides a menu of cryptocurrency and exchange data that users can select for display, but all that is just a ruse, say investigators:
“Although this functionality seems to be legitimate, the app is actually up to no good in the background, unbeknownst to the user. Without any signs of trouble, such as requests for authentication to root, there’s nothing to suggest to the user that anything is wrong…When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell.”
Malwarebytes staff checked to see if CoinTicker was itself the victim of a hack, but found the app was probably built for the express purpose of distributing crypto-stealing malware:
“(O)n further inspection, it looks like this app was probably never legitimate to begin with. First, the app is distributed via a domain named coin-sticker.com…Getting the domain name wrong seems awfully sloppy if this were a legitimate app. Adding further suspicion, it seems that this domain was just registered a few months ago on July 13…(As well) Since the malware is distributed through a cryptocurrency app…it seems likely that the malware is meant to gain access to users’ cryptocurrency wallets for the purpose of stealing coins.”
A sparsely-populated Twitter page, “@CoinTickerApp,” hasn’t hosted a new post since April 2018.