Dec 11, 2012 10:06 PM
Report: new Mac malware hides as fake software installer
A Russian security firm with a mixed track record is <a href="http://macnn.com/rd/275289==http://news.drweb.com/show/?i=3138" rel='nofollow'>warning</a> about a new malware threat for the Mac, which masquerades as an installer for various types of software. <a href="http://macnn.com/rd/275290==http://drweb.com/" rel='nofollow'>Doctor Web</a>, who claimed to have discovered the malware, says it is widely available on various sites -- though at present it is targeting Russian Mac users. The Trojan is apparently a Mac variation on a widespread Windows and Android trickware ruse that asks users for their cell number in order to send an activation code by SMS.<br><br>According to the report, the <a href="http://macnn.com/rd/275291==http://vms.drweb.com/search/?q=Trojan.SMSSend.3666" rel='nofollow'>Trojan.SMSSend.3666</a> malware can be found in a repackaged installer from legitimate free software offerings, or can have non-functioning code as its payload. What the malware is after is the cell number, which must be entered to receive the "activation code," which is sent by SMS. When the software returns the activation code by SMS, the user is automatically signed up for an ongoing monthly subscription on their cell bill.
The example provided by Doctor Web is an installer for <a href="http://macnn.com/rd/275292==https://itunes.apple.com/us/app/vkmusic/id553114896?mt=12" rel='nofollow'>VKMusic 4 Mac</a>, a legitimate app for listening to music from a Russian social network. It is spread so far primarily by a rogue "affiliate program" company called ZipMonster that assists malware writers in monetizing their software.
Most Mac users will be able to easily avoid falling for the trickware, should it spread to other regions. No legitimate installers for the Mac use the activation-by-SMS scheme in the installer, and most Mac users would know better than to give out their phone number to an untrusted software installer -- though apparently this practice is <a href="http://macnn.com/rd/275293==http://www.electronista.com/articles/12/10/15/loozfon.and.finfisher.cited.as.active.malware.conc erns/" rel='nofollow'>more common</a> in the Android community, where apps can come from many sources other than just Google Play, and there is <a href="http://macnn.com/rd/275294==http://www.droiddog.com/android-blog/2012/12/only-15-percent-of-malware-were-detected-by-androids-malware-scanner/" rel='nofollow'>little screening</a> of apps prior to being published. The installers also seem to refer to the Mac as the MAC, which is a common error made by Windows-centric programmers.
The scheme is unlikely to work with most Mac users regardless of OS version, but in particular is likely to fail under OS X Mountain Lion and Lion, which sets a default <a href="http://macnn.com/rd/275295==http://www.macnn.com/articles/12/09/19/brings.mountain.lion.security.tech.back.to.previou s.os/" rel='nofollow'>Gatekeeper</a> that prevents unsigned code from being executed. Developers must be registered with Apple, which most professional developers are, in order for installers to run in the default security settings. The controls can be overridden or turned off, but programs are also screened by built-in anti-malware software that is quietly updated. It's not known if Apple has taken any steps to detect and automatically protect from Trojan installers like this one.
It can be reasonably expected that the malware makers will also try to perpetrate this scheme in the jailbroken iOS community, since jailbreakers are the only iOS users that can install software from non-Apple sources. Again, however, SMS-based activation is virtually unknown in the iOS world, so it's unlikely the rogue software will gain much of a foothold. In the meantime, however, any software that asks for a cell phone number on installation should be quit and deleted. The genuine VKMusic 4 Mac can be downloaded for free from the service's own <a href="http://macnn.com/rd/275296==http://vk.com/vkmusicmac" rel='nofollow'>website</a>.