Mac users targeted by malware disguised as Angry Birds, other popular apps


Cape Town, 11 Mar 2014
Lee Bristow, Security Consultant at ESET Southern Africa

Researchers at ESET Southern Africa, the digital protection provider, have today warned local Mac users against downloading pirated software from file-sharing peer-to-peer (P2P) networks, having discovered Bitcoin-stealing malware disguised as cracked versions of popular apps such as Angry Birds.

Identified as the CoinThief Trojan, the malware infects computers running Mac OS X and installs malicious browser add-ons that steal a user's login credentials for various Bitcoin exchanges and wallet sites.

Lee Bristow, Security Consultant at ESET Southern Africa, commented: "We've seen clear evidence that hackers have specifically created the Trojan to profit from the current Bitcoin craze and the popularity of P2P file sharing. We strongly recommend that local Mac users, and Bitcoin owners and buyers, protect their devices with the most up-to-date anti-virus protection possible and avoid downloading pirated software."

CoinThief Trojan, which is predominantly being spread via P2P file-sharing networks, is being disguised as cracked versions of the following popular Mac OS X applications:

* Angry Birds: a game of temperamental avian bombardment
* BBEdit: an OS X specific text editor
* Delicious Library: a media cataloguing application
* Pixelmator: a graphics editor

The malware was first spotted by SecureMac researchers, who found it had been distributed via popular download sites such as Download.com and MacUpdate.com, disguised as Trojanised versions of Bitcoin Ticker TTM (To The Moon), BitVanity, StealthBit and Litecoin Ticker.

Mac users wanting to determine if CoinThief has infected their system can do so by following SecureMac's five-step instructions for detection:

1. Take a screenshot of these instructions or print them out and disconnect your system from the Internet until you've verified that your system is clean.
2. Open Activity Monitor (located in your Utilities folder) and look for a process called "com.google.softwareUpdateAgent".
3. Note that this is a specific name that is currently known to be used by the malware.
4. Open Chrome, Safari and Firefox (if installed on your system) and check for the presence of the "Pop-Up Blocker" extension.
5. If you see either the "com.google.softwareUpdateAgent" process or the browser extensions, continue to the removal instructions.
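
The process check in step 2 and the extension check in step 4 can also be scripted. The following is an added example, not code from SecureMac or ESET: it assumes `ps -axo pid=,comm=` output and Chrome-style `manifest.json` files, so Safari and Firefox still need the manual check, and the sample process list and the Chrome profile path are assumptions.

```python
import json
from pathlib import Path

PROCESS_IOC = "com.google.softwareUpdateAgent"  # process name given on the page
EXTENSION_IOC = "Pop-Up Blocker"                # extension name given on the page

# Constructed sample of `ps -axo pid=,comm=` output (not from a real system).
SAMPLE_PS = """\
    1 /sbin/launchd
  388 /Applications/Safari.app/Contents/MacOS/Safari
  412 /Users/example/Library/Application Support/com.google.softwareUpdateAgent
  977 /Users/example/bin/com.google.softwareUpdateAgentHelper
"""

def suspicious_processes(ps_output):
    """Return (pid, command) pairs whose executable name equals the indicator."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip headers and malformed lines
        pid, command = parts
        # Compare the basename exactly (case-insensitively) so that longer,
        # merely similar names are not reported.
        if Path(command).name.lower() == PROCESS_IOC.lower():
            hits.append((int(pid), command))
    return hits

def suspicious_extensions(extensions_root):
    """Return extension directories whose manifest.json name equals the indicator."""
    hits = []
    for manifest in sorted(Path(extensions_root).rglob("manifest.json")):
        try:
            name = json.loads(manifest.read_text(encoding="utf-8-sig")).get("name")
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or non-object manifest
        # A localized manifest stores a "__MSG_...__" placeholder here and
        # would need its _locales/ messages resolved; this sketch does not.
        if isinstance(name, str) and name.strip().lower() == EXTENSION_IOC.lower():
            hits.append(str(manifest.parent))
    return hits

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_PS))
    # Assumed default Chrome profile location on OS X; adjust for other profiles.
    chrome = Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"
    print(suspicious_extensions(chrome) if chrome.is_dir() else "no Chrome extensions dir")
```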

ESET

ESET, the pioneer of proactive protection and the maker of the award-winning ESET NOD32 technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the company has continued to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100" awards, and has never missed a single "In-the-Wild" worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organisations and reviews. ESET NOD32 Antivirus, ESET Smart Security, ESET Cyber Security (solution for Mac), ESET Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

The company has global headquarters in Bratislava (Slovakia), with regional distribution centres in San Diego (US), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centres in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Kosice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. The ESET Southern Africa head office is situated in Cape Town. www.eset.co.za.

Editorial contacts

Tercia Coert
ESET Southern Africa
(+27) 21 659 2018
tercia@eset.co.za