A recent trojan designed to steal your Bitcoins has expanded to apps being distributed on Download.com, according to SecureMac. The security research firm also offered manual instructions for removing the malware from your Mac if you've been infected.
The malware has been designated OSX/CoinThief.A, and it was originally distributed through apps on open source developer site GitHub called StealthBit and BitVanity. It has now been found on Download.com through apps called Bitcoin Ticker TTM, and Litecoin Ticker.
As a trojan, the malware relies on tricking the user into installing by hiding behind a seemingly legit app. SecureMac said that the above-listed "apps" were designed to look like real software found on Apple's Mac App Store.
In this case, OSX/CoinThief.A installs a browser extension in Chrome, Safari, and Firefox that "spies on Web traffic to steal Bitcoins." By watching your Web-based traffic, the app looks for Bitcoin-related logins and passwords so that the bad guys can then use those logins to steal your Bitcoins.
It then communicates with a background process called com.google.softwareUpdateAgent, which in turn communicates with a remote server operated by the bad guys.
SecureMac's instructions for detecting the malware:
To check for the presence of the malware on your system:
- Take a screenshot of these instructions or print them out, and disconnect your system from the internet until you've verified that your system is clean.
- Open Activity Monitor (located in your Utilities folder), and look for a process called "com.google.softwareUpdateAgent."
- Note that this is a specific name that is currently known to be used by the malware.
- Open Chrome, Safari, and Firefox (if installed on your system), and check for the presence of the "Pop-Up Blocker" extension.
- If you see either the "com.google.softwareUpdateAgent" process or the browser extensions, continue on to the removal instructions.
And, the instructions for removing it:
To manually remove the malware from your system:
Manual removal is going to require entering a few terminal commands. The commands must be entered exactly as they are listed below, so copy and paste them in if need be.
Before entering the terminal commands, delete the apps from your system (BitVanity, StealthBit, Bitcoin Ticker TTM, or Litecoin Ticker) by dragging them to the Trash and emptying the Trash. Make sure to quit the apps before attempting to delete them.
- Open the Terminal (located in your Utilities folder), and type the following command:
- launchctl unload ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist
- Press the return key after entering the command. This command will unload the launchd task, and stop the malware from constantly running in the background. If you see a message stating "No such file or directory, nothing found to unload," the launchd task was not loaded on your system.
- Next, you're going to enter a command to unhide the malware file itself, and move it to your Desktop. From there, you will manually drag it to the Trash. This will serve to avoid accidentally removing the wrong file. Type the following command, again pressing the return key after entering the command:
- mv ~/Library/Application\ Support/.com.google.softwareUpdateAgent ~/Desktop/com.google.softwareUpdateAgent  # the backslash keeps the space in "Application Support" as part of the path
In the above command, pay close attention – there is a period before the first instance of com.google.softwareUpdateAgent.
- Next, you're going to do the same for the file that starts the launchd task, and move it to the Desktop. Type the following command, again pressing the return key after entering the command:
- mv ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist ~/Desktop/com.google.softwareUpdateAgent.plist
- Drag the com.google.softwareUpdateAgent and com.google.softwareUpdateAgent.plist files that should now be present on your Desktop to the Trash, and empty the Trash.
- Open your web browsers, and delete the "Pop-Up Blocker" extensions.
- Back up your wallet and reinstall Bitcoin-Qt.
- Change your password information for accounts you have on any bitcoin-related websites either from a system that you know is clean, or after you have ensured removal of the malware.
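The detection and removal steps above, scripted as a read-only check (an added example, not SecureMac's or the article's code): it looks under a given home directory for the two persistence artifacts the removal steps name, the launch agent plist and the hidden payload under Application Support, and runs itself against a constructed fixture so it can be tried without an infected machine. Function and variable names are my own.

```shell
#!/bin/sh
# Added example, not SecureMac's script: checks a home directory for the
# OSX/CoinThief.A persistence artifacts named in the removal steps above
# (launch agent plist and hidden payload). It only reports; it deletes nothing.

AGENT_LABEL="com.google.softwareUpdateAgent"

# cointhief_check [HOME_DIR]
# Prints one line per artifact found. Returns 0 when neither artifact is
# present, 1 when at least one is. HOME_DIR defaults to $HOME; passing a
# directory lets the check run against a constructed fixture.
cointhief_check() {
    ct_home="${1:-$HOME}"
    ct_found=0
    ct_plist="$ct_home/Library/LaunchAgents/$AGENT_LABEL.plist"
    # Leading dot: the payload is a hidden file (see the mv step above).
    ct_hidden="$ct_home/Library/Application Support/.$AGENT_LABEL"

    if [ -e "$ct_plist" ]; then
        echo "FOUND launch agent: $ct_plist"
        ct_found=1
    fi
    if [ -e "$ct_hidden" ]; then
        echo "FOUND hidden payload: $ct_hidden"
        ct_found=1
    fi
    return "$ct_found"
}

# cointhief_process_running
# Returns 0 if a running process's command line carries the malware's label
# (the scripted equivalent of the Activity Monitor step), 1 otherwise.
cointhief_process_running() {
    ps -eo args 2>/dev/null | grep -v grep | grep -q "$AGENT_LABEL"
}

# Stand-alone demo on a constructed fixture, so the check can be seen
# flagging an "infected" home directory without touching the real one.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/Library/LaunchAgents" "$demo_dir/Library/Application Support"
: > "$demo_dir/Library/LaunchAgents/$AGENT_LABEL.plist"
: > "$demo_dir/Library/Application Support/.$AGENT_LABEL"
if cointhief_check "$demo_dir"; then
    echo "fixture reported clean (unexpected)"
else
    echo "fixture reported infected (expected for the constructed fixture)"
fi
rm -rf "$demo_dir"
```

Run it as-is to see the fixture flagged, or call `cointhief_check` with no argument to check your own home directory.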