Crypto Price Tracker Reportedly Poses Malware
In the latest crypto news, a cryptocurrency ticker application called CoinTicker appears to be installing two backdoors on Apple Macs. The revelation reportedly came as a warning from cybersecurity firm Malwarebytes.
Two Different Pieces Of Malware
The app downloads and installs parts of two different pieces of malware – EvilOSX and EggShell – both of which are backdoor applications that can be used to log keystrokes, steal data or execute certain commands. Malwarebytes director of Mac and Mobile Thomas Reed said that it is possible the malware was designed to steal cryptocurrency keys.
CoinTicker acts as a legitimate application designed to present the price of a selected cryptocurrency on request. The user installing the app can choose between bitcoin, ethereum, monero, zcash and others, according to a screenshot. However, the app also installs EvilOSX and EggShell in the background.
The app does not require root or other elevated permissions, meaning the user likely will not see any sign of infection. It is unclear what specifically the app’s creators want, but Reed noted that “it seems likely that the malware is meant to gain access to users’ cryptocurrency wallets for the purpose of stealing coins.”
The fact that the malware is distributed through a cryptocurrency app supports this theory, he explained. Malwarebytes for Mac now looks for the CoinTicker app, as well as its malware components, he added.
Unknown Motivation
“Although it’s unknown exactly what goal the hacker behind this malware had in mind, both EggShell and EvilOSX are broad-spectrum backdoors that can be used for a variety of purposes. Since the malware is distributed through a cryptocurrency app, however, it seems likely that the malware is meant to gain access to users’ cryptocurrency wallets for the purpose of stealing coins.”
Malwarebytes says that CoinTicker serves as a warning that nasty things can be done without root privileges.
“One interesting note about this malware is that none of it requires anything other than normal user permissions. Root permissions are not needed. There is often an erroneous over-emphasis on malware’s need for root privileges, but this malware is a perfect demonstration that malware does not need such privileges to have high potential for danger.”
Interestingly, the discovery of the support malware was courtesy of a forum member. Basically, the latter was able to spot suspicious behavior and informed Malwarebytes about it. This prompted the company to take actions and warn CoinTicker.