Cape Town, 11 Mar 2014
Researchers at ESET Southern Africa, the digital protection provider, have today warned local Mac users against downloading pirated software from file-sharing peer-to-peer (P2P) networks, having discovered Bitcoin-stealing malware disguised as cracked versions of popular apps such as Angry Birds.
Identified as the CoinThief Trojan, the malware infects computers running Mac OS X and installs malicious browser add-ons that steal the user's login credentials for various Bitcoin exchanges and wallet sites.
Lee Bristow, Security Consultant at ESET Southern Africa, commented: "We've seen clear evidence that hackers have specifically created the Trojan to profit from the current Bitcoin craze and the popularity of P2P file sharing. We strongly recommend that local Mac users, and BitCoin owners and buyers, protect their devices with the most up-to-date anti-virus protection possible and avoid downloading pirated software."
The CoinThief Trojan, which is predominantly spread via P2P file-sharing networks, is disguised as cracked versions of the following popular Mac OS X applications:
* Angry Birds: a game of temperamental avian bombardment
* BBEdit: an OS X specific text editor
* Delicious Library: a media cataloguing application
* Pixelmator: a graphics editor
The malware was first spotted by SecureMac researchers, who found it had been distributed via popular download sites such as Download.com and MacUpdate.com, disguised as Trojanised versions of Bitcoin Ticker TTM (To The Moon), BitVanity, StealthBit and Litecoin Ticker.
Mac users wanting to determine whether CoinThief has infected their system can do so by following SecureMac's five-step instructions for detection:
1. Take a screenshot of these instructions or print them out and disconnect your system from the Internet until you've verified that your system is clean.
2. Open Activity Monitor (located in your Utilities folder) and look for a process called "com.google.softwareUpdateAgent".
3. Note that this is a specific name that is currently known to be used by the malware.
4. Open Chrome, Safari and Firefox (if installed on your system) and check for the presence of the "Pop-Up Blocker" extension.
5. If you see either the "com.google.softwareUpdateAgent" process or the browser extensions, continue to the removal instructions.
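The two indicators named in steps 2 to 5 (the process name and the extension name) can also be checked from a shell. The script below is an added example, not SecureMac's or ESET's own tool; it assumes Chrome's usual unpacked-extension layout under the default profile (a path taken from Chrome's conventions, not from this article), while Safari and Firefox store extensions as packaged archives, so for those the manual check in step 4 still applies.

```shell
#!/bin/sh
# Added example: scripted form of the two CoinThief indicators named in the
# detection steps above. Not SecureMac's or ESET's own tool.

PROC_IOC="com.google.softwareUpdateAgent"   # process name from step 2
EXT_IOC="Pop-Up Blocker"                    # extension name from step 4

# Count lines of a process listing on stdin (one command name per line, as
# produced by `ps -axo comm=`) that contain the process indicator.
count_ioc_processes() {
    grep -F -c -- "$PROC_IOC" || true   # grep -c prints 0 and exits 1 on no match
}

# Count extension manifests below a directory whose "name" field is the
# extension indicator. Chrome keeps each extension unpacked as
# <profile>/Extensions/<id>/<version>/manifest.json, so the name is greppable.
count_ioc_manifests() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo 0
        return 0
    fi
    find "$dir" -name manifest.json -exec grep -l -F -- "\"$EXT_IOC\"" {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# Run both checks on this Mac. The Chrome profile path is an assumption made
# for this example (default profile); adjust it for other profiles.
scan_mac() {
    chrome_ext="$HOME/Library/Application Support/Google/Chrome/Default/Extensions"
    procs=$(ps -axo comm= | count_ioc_processes)
    manifests=$(count_ioc_manifests "$chrome_ext")
    echo "processes matching '$PROC_IOC': $procs"
    echo "Chrome manifests named '$EXT_IOC': $manifests"
    # Non-zero exit means an indicator was found and the removal steps apply.
    [ "$procs" = "0" ] && [ "$manifests" = "0" ]
}

if [ "${1:-}" = "--scan" ]; then
    scan_mac
fi
```

Run it as `sh cointhief_check.sh --scan` on the Mac being checked; an exit status of 1 means one of the two indicators was seen.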