Mac security firm Intego has warned of a spyware application that is installed by a number of freely distributed Mac applications and screensavers found on a variety of websites.
The spyware, classified as OSX/OpinionSpy, performs a number of malicious actions from scanning files to recording user activity, as well as sending information about this activity to remote servers and opening a backdoor on infected Macs.
Intego claimed that OSX/OpinionSpy is installed by a number of applications and screensavers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not contained in these applications, but is downloaded during the installation process.
The malware is believed to have existed for Windows since 2008 and claims to collect browsing and purchasing information that is used in market reports.
However, the application performs ‘insidious actions’, such as: running as root with full rights to access and to change any file on the infected user's computer; opening an HTTP backdoor using port 8254; scanning all accessible volumes; analysing files and packets entering and leaving the infected Mac over a local network; and analysing data coming from and being sent to other computers. This led to Intego classifying it as spyware.
Intego also claimed that the spyware injects code, without user intervention, into Safari, Firefox and iChat, copies personal data from these applications, and regularly sends data, in encrypted form, to a number of servers using ports 80 and 443.
The danger, according to Intego, is that an application that purports to collect information for marketing reasons does much more, going as far as scanning all the files on an infected Mac.
It said: “Users have no way of knowing exactly what data is collected and sent to remote servers; such data may include user names, passwords, credit card numbers and more. The risk of this data being collected and used without users' permission makes this spyware particularly dangerous to users' privacy.
“The fact that this application collects data in this manner, and that it opens a backdoor, makes it a very serious security threat. In addition, the risk of it collecting sensitive data such as user names, passwords and credit card numbers, makes this a very high-risk spyware. While its distribution is limited, we warn Mac users to pay careful attention to which software they download and install.”
In an update, Intego said that it had been monitoring the actions of the different versions of this spyware it had found, and discovered that, after a certain time, the spyware performs an ‘upgrade’ and installs another application. This is another variant of the same spyware, called PermissionResearch, and it is possible that further versions of this spyware will upgrade themselves to other variants.
Commenting, Veracode vice president EMEA Matt Peachey said: “The reactive security of detecting malware after it has reached a critical mass is a failed model on Windows PCs. Moving the same technology to new platforms such as OSX or mobile as they come under malware attacks will only lead to the same morass of malware.
“A new model of only downloading and installing software that has passed a third party verification is a solution that can keep malware off these platforms.”
Jason Steer, EMEA solution architect at Veracode, also questioned why Mac applications and software development would be any less secure than Windows.
“The state of software report hints that the statistics on open source and commercial applications are both some way short of the mark, sadly. I think the story is less about malware and more to do with secure coding and third party clearing houses for applications in future to build trust,” he said.