There’s a new piece of Mac malware that can spy on your web browser to steal your bitcoins.
The trojan, which was discovered by SecureMac on Sunday, is disguised as a downloadable Bitcoin app called “StealthBit,” which says it can send and receive anonymous bitcoin payments. The trojan horse is named “OSX/CoinThief.A.”
The malware’s author may be connected to reddit user “trevorscool,” who advertised StealthBit on reddit on February 1. That username is similar to the one used to upload StealthBit to GitHub—”Thomasrevor.” (At the time of this writing, the GitHub account for “Thomasrevor” has been deleted—but here’s a web cache from Google.) This same user advertised a similar Mac app called “BitVanity” in 2013, which also reportedly emptied out bitcoin wallets. According to more Google web caches, “trevorscool” has also been deleting old posts that invite people to download and use his new Bitcoin apps.
I’ve reached out to this individual and will update this story if we get a response.
A number of users have already reported infected systems. Over the weekend, one Reddit user claimed to lose 20 Bitcoins (worth upward of $12,000 at the time of writing) as a result of the “Coin Thief” trojan embedded in StealthBit.
The StealthBit app was first posted on the open-source repository GitHub, but the precompiled version of the app contained a malicious payload. When users download the app, the trojan quietly installs extensions into the Google Chrome or Safari web browsers (we’ve inquired about Mozilla’s Firefox), and then sifts through those browsers looking for login credentials for Bitcoin-related websites like Mt. Gox, BTC-e, and Blockchain. Once the “StealthBit” app finds a set of login credentials, it sends that information back to remote servers owned by the malware’s developer.
The data that’s sent back to the developer’s remote servers isn’t limited to Bitcoin login information, however. The usernames and unique identifiers (UUIDs) for infected Macs are also transmitted to the servers, in addition to any Bitcoin-related apps already installed on the system.
If you’ve already downloaded the StealthBit app, it’s important to isolate the extensions that spy on your browser’s activity to prevent data theft or loss. The author of this malware gave the extensions the name “Pop-Up Blocker,” with the description “Blocks pop-up windows and other annoyances.” If you find these files on your browser, delete them, and report the issue directly to Apple.
Speaking of Apple, we’ve reached out to the company to see if they’re aware of the reported trojan horse, and what steps the company is taking to solve this issue, and we’ll update the story as soon as we learn more.
Although OS X has long had a reputation as a secure platform, malware and adware attacks that target it have been on the rise over the last two years. In April 2012, more than 600,000 Mac computers were affected by the Flashback Trojan, which exploited several vulnerabilities in Java to similarly install itself onto user’s browsers without any action on the user’s part.
Last March, a piece of adware called the Yontoo Trojan was found installing itself directly onto users’ browsers as a plug-in, embedding third-party code onto any pages viewed by those users.