MacNN Forums (http://forums.macnn.com/)
-   Mac News (http://forums.macnn.com/mac-news/)
-   -   Report: new Mac malware hides as fake software installer (http://forums.macnn.com/112/mac-news/495911/report-new-mac-malware-hides-fake/)

 
NewsPoster Dec 11, 2012 10:06 PM
Report: new Mac malware hides as fake software installer
A Russian security firm with a mixed track record is <a href="http://macnn.com/rd/275289==http://news.drweb.com/show/?i=3138" rel='nofollow'>warning</a> about a new malware threat for the Mac, which masquerades as an installer for various types of software. <a href="http://macnn.com/rd/275290==http://drweb.com/" rel='nofollow'>Doctor Web</a>, who claimed to have discovered the malware, says it is widely available on various sites -- though at present it is targeting Russian Mac users. The Trojan is apparently a Mac variation on a widespread Windows and Android trickware ruse that asks users for their cell number in order to send an activation code by SMS.<br><br>According to the report, the <a href="http://macnn.com/rd/275291==http://vms.drweb.com/search/?q=Trojan.SMSSend.3666" rel='nofollow'>Trojan.SMSSend.3666</a> malware can be found in a repackaged installer from legitimate free software offerings, or can have non-functioning code as its payload. What the malware is after is the cell number, which must be entered to receive the "activation code," which is sent by SMS. When the software returns the activation code by SMS, the user is automatically signed up for an ongoing monthly subscription on their cell bill.

The example provided by Doctor Web is an installer for <a href="http://macnn.com/rd/275292==https://itunes.apple.com/us/app/vkmusic/id553114896?mt=12" rel='nofollow'>VKMusic 4 Mac</a>, a legitimate app for listening to music from a Russian social network. It is spread so far primarily by a rogue "affiliate program" company called ZipMonster that assists malware writers in monetizing their software.

Most Mac users will be able to easily avoid falling for the trickware, should it spread to other regions. No legitimate installers for the Mac use the activation-by-SMS scheme in the installer, and most Mac users would know better than to give out their phone number to an untrusted software installer -- though apparently this practice is <a href="http://macnn.com/rd/275293==http://www.electronista.com/articles/12/10/15/loozfon.and.finfisher.cited.as.active.malware.conc erns/" rel='nofollow'>more common</a> in the Android community, where apps can come from many sources other than just Google Play, and there is <a href="http://macnn.com/rd/275294==http://www.droiddog.com/android-blog/2012/12/only-15-percent-of-malware-were-detected-by-androids-malware-scanner/" rel='nofollow'>little screening</a> of apps prior to being published. The installers also seem to refer to the Mac as the MAC, which is a common error made by Windows-centric programmers.

The scheme is unlikely to work with most Mac users regardless of OS version, but in particular is likely to fail under OS X Mountain Lion and Lion, which sets a default <a href="http://macnn.com/rd/275295==http://www.macnn.com/articles/12/09/19/brings.mountain.lion.security.tech.back.to.previou s.os/" rel='nofollow'>Gatekeeper</a> that prevents unsigned code from being executed. Developers must be registered with Apple, which most professional developers are, in order for installers to run in the default security settings. The controls can be overridden or turned off, but programs are also screened by built-in anti-malware software that is quietly updated. It's not known if Apple has taken any steps to detect and automatically protect from Trojan installers like this one.

It can be reasonably expected that the malware makers will also try to perpetrate this scheme in the jailbroken iOS community, since jailbreakers are the only iOS users that can install software from non-Apple sources. Again, however, SMS-based activation is virtually unknown in the iOS world, so it's unlikely the rogue software will gain much of a foothold. In the meantime, however, any software that asks for a cell phone number on installation should be quit and deleted. The genuine VKMusic 4 Mac can be downloaded for free from the service's own <a href="http://macnn.com/rd/275296==http://vk.com/vkmusicmac" rel='nofollow'>website</a>.
 
simdude Dec 12, 2012 07:50 AM
Have there been any cases of a virus/malware etc. in software distributed from the Mac App store? If not, it seems Apple has this problem under control for now, not that it ever turning into a huge problem in OS X anyway. For that matter, have there been any cases of issues in iOS if the devices were not jailbroken?
 
msuper69 Dec 12, 2012 12:38 PM
Another social engineering attempt.
They'll catch a few ignorants no doubt.
 
Charles Martin Dec 12, 2012 12:51 PM
Quote, Originally Posted by simdude (Post 4206309)
Have there been any cases of a virus/malware etc. in software distributed from the Mac App store?
No, but the Mac App Store is not the only point of software distribution.

Quote
If not, it seems Apple has this problem under control for now, not that it ever turning into a huge problem in OS X anyway. For that matter, have there been any cases of issues in iOS if the devices were not jailbroken?
Not that I know of -- but the point is that this malware can hide in ANY installer, since it is a repackaged version of the installer for a legitimate app. For now it seems like it's a Russian thing, but it could spread. IMO there's little chance of it getting anywhere here, but that's in part due to stories like this that give us a heads-up and allow us to be vigilant. And while I would think most of the people who read this site would never fall for such an obvious ploy, we're by and large not typical users.
 
simdude Dec 13, 2012 06:47 AM
Quote, Originally Posted by chas_m (Post 4206403)
No, but the Mac App Store is not the only point of software distribution.
.
That was sort of the point I'm making though. If you stick with a trusted distributor, there hasn't been a problem to date. I'm well aware of the arguments against the app store. "they restrict my device", "They take 30% of the price" yadda yadda yadda. They also provide a massive market to an app, handle secure credit card transactions and keep and maintain the servers to distribute the apps. If people still don't want to use the store, you download at your own risk.

That being said, I probably have about 5 apps I have had to download directly because the developers are not on the app store. I have contacted the developers indicating I would much prefer an app store version. I have even repurchased a few apps I already owned to get the app store version. I like the one source for keep track of all my updates etc. There's a huge value in that. I spend my working day writing software for linux machines for internal engineering use so I don't have a problem with the technical issues of dealing with maintaining a system at home. I simply don't want to. I want my home computer to require as little work and maintenance as possible. I use to love playing with and hacking computers but nowadays, spending time with my wife and little daughter is much more fun. :)
 
Spheric Harlot Dec 13, 2012 11:02 AM
Note that the 30% cut is a *terrific* deal for smaller development houses, in exchange for international distribution, dealing with any and all local sales taxes, accounting, distribution, legal requirements, etc. etc. etc.
 
Spheric Harlot Dec 13, 2012 11:03 AM
Also, OS X's built-in malware recognition scanner has been updated to make this particular one obsolete.
 
All times are GMT -4. The time now is 06:13 AM.

Copyright © 2005-2007 MacNN. All rights reserved.
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2016, vBulletin Solutions, Inc.


Content Relevant URLs by vBSEO 3.3.2