The stars of digital currencies continues to suffer when yet another report revealed the increasing Trojan attacks on them. This time, it is the Phony Bitcoin and Litecoin ticker apps that were built and employed on popular sites Download.com and MacUpdate.com, and eventually found to front a Trojan named OSX/CoinThief.
As revealed by the SecureMac lead developer Mr. Nicholas Pracek, the new Trojan variants were planted to maliciously target Mac OS X users. He also revealed the Trojan’s functionality of adding itself as an extension to Firefox. There were also early reports of the same Trojan before, in which it was said to include extensions for Safari and Chrome.
“The two variants seen by SecureMac share the same name and developer information as two apps found in Apple’s Mac App Store. At this time it is unclear what, if any, connection is shared between the apps. Initial analysis of the Mac App Store versions of the apps did not include the malicious payload found in the versions from download.com.” Pracek said.
Meanwhile, no response could be garnered from Download.com and MacUpdate.com.
The websites however pulled down the pages that had download links to Bitcoin and Litecoin Ticker apps, which was already downloaded 57 and 356 times already on Download.com and MacUpdate.com, respectively.
As per the reports, the Trojan CoinThief was designed to monitor traffic and detect the users’ log-in attempts on Mt. Gox and other major Bitcoin exchanges. The extensions used to appear like a pop-up blocker in order to avoid the users’ suspicions. It was first reported on GitHub as StealthBit, an app that was distributed as a Bitcoin payment sender and receiver.
“The remote server of the Trojan was registered in Australia”, said Ptacek. He also raised doubt over the server’s original location.
To contact the reporter of this story: Jonathan Millet at firstname.lastname@example.org