A cryptocurrency ticker app is installing backdoors onto the devices of unsuspecting Mac users for purposes that are as yet unclear.
An app advertised as CoinTicker appears to be a legitimate application that could be useful to someone who has invested in cryptocurrencies, as it promises to display real-time cryptocurrency prices, including those of Bitcoin, Ethereum, and Monero, according to a 29 October Malwarebytes blog post.
In the background, however, the app is actually downloading and installing components of two open-source backdoors: EvilOSX and EggShell. Researchers noted that it isn’t exactly clear how the threat actors intend to use their access. Given the nature of the app, it is likely the threat actors were setting up to steal cryptocurrency credentials.
At first glance, this appeared to be a supply chain attack, as the app's functionality does appear to work as promised.
Upon further inspection, researchers realised the app was most likely never legitimate to begin with.
The app is distributed via a domain named coin-sticker.com. Although the domain is similar to the app's name, researchers described the misspelling as seeming "awfully sloppy" for a legitimate company to use. The suspicious domain was registered on 13 July 2018.
Researchers said another interesting aspect of the malware is that it doesn’t require anything beyond normal user permissions and notably doesn’t request root permissions.
"Root permissions are not needed," researchers said. "There is often an erroneous over-emphasis on malware’s need for root privileges, but this malware is a perfect demonstration that malware does not need such privileges to have high potential for danger."
As threat actors also read the news, it’s important that anyone who may have downloaded the app delete it immediately.