New Mac Trojan in the Wild Steals Your Bitcoins

SecureMac announced on Sunday that it found a new Mac trojan in the wild called OSX/CoinThief.A that "spies on Web traffic to steal Bitcoins." By watching your Web-based traffic, the app looks for Bitcoin-related logins and passwords so that the bad guys can then use those logins to steal your Bitcoins.


The malware is being distributed through an open source app called StealthBit, an app that ostensibly generated so-called stealth addresses, or one-time-use addresses for even more anonymous Bitcoin transactions. According to SecureMac, this app was distributed on GitHub, where the source was made available.

Along with the source, a pre-compiled version of the app was posted that didn't match the source code and included the OSX/CoinThief.A malware. As with all trojans, this malware relied on the user deliberately installing the software and entering their admin credentials to do so.

The app also installs a browser extension called "Pop-Up Blocker" to do its snooping. This innocuously named extension has an equally innocuous description that says, "Blocks pop-up windows and other annoyances." Both the name and the description are lies, however, as its purpose is to spy on you.

Worse, the malware includes software that runs in the background and looks for Bitcoin-related software on your Mac, and it can both send information to a remote server and receive instructions from that server. We've asked SecureMac for the name of this background process, and will update this article when we hear more.