Bitcoin Stealing Mac Malware Spreads to Pirated Versions of Angry Birds

Bitcoin ThiefOSX/CoinThief, a trojan horse designed to steal Bitcoin-related login information from your Mac, has spread to pirated versions of Angry Birds. Originally discovered by SecureMac, security researchers ESET reported on Thursday that the malware has spread to torrented versions of Angry Birds, BBEdit, Pixelmator, and Delicious Library.

There's a bit of irony here in that people who are stealing software are in turn being targeted by Bitcoin thieves. Karma can be a harsh mistress.

OSX/CoinThief is the name given to this malware by SecureMac. It was first distributed as part of apps called Bitcoin Ticker TTM (To The Moon), BitVanity, StealthBit and Litecoin Ticker, and it was later found on and MacUpdate. It's also now being distributed within BitTorrented cracked apps, including the ones listed above.

As a trojan, the malware relies on tricking the user into giving their permission to install it. In the case of these pirated apps, it gets installed at the same time as the pirated app.

OSX/CoinThief then installs browser plugins that watch for Bitcoin-related logins and passwords. Those plugins pass anything they find to a background process that can then send them to a remote server.

SecureMac published instructions for manually identifying whether you've been infected with the malware, and if so, removing it. In addition, MacBooster was recently updated with the ability to remove OSX/CoinThief—please note that I have not personally tested MacBooster.