CoinTicker



The Cointicker App for Mac has been discovered to install a pair of malware backdoor apps in addition to the application itself. This was found by the Malwarebytes Labs team, which investigated after strange behavior of the app in the background was detected. The application's functionality is not affected by this fact, but many things are happening in the background.

Discovered in October 2018 by Malwarebytes community member 1vladmir, CoinTicker is a macOS malware that masquerades as a fully functional and fully customizable cryptocurrency price-monitoring application. It displays up-to-date cryptocurrency prices to users through a.

The Cointicker App

Cointicker apps are very popular in the cryptocurrency world. These are apps that let you follow the price of your favorite cryptocurrencies, so that you know the price of the asset at the moment and can act accordingly.
Anyone who has invested in cryptocurrencies has sat, worried or glad, in front of the monitor of a PC running one of these apps, or watched prices directly on an exchange on the internet. The Cointicker App for Mac replicates this functionality, but it brings worries not because of the prices, but because of what lies beneath.
A user on the Malwarebytes Labs forum found that the application behaved oddly behind the scenes and started investigating it. He found that the application, while indeed legitimate in its functionality, also installed two malware applications that opened backdoors on the infected computers.

Cointicker Malware

The application was found to install two known malware backdoors along with its setup: EggShell and EvilOSX. EggShell is a very dangerous surveillance tool that allows the attacker to take control of the infected computer in very invasive ways: it gives access to and control over the user's filesystem, microphone, keystrokes, and even camera.
EvilOSX is a tool in the same vein as EggShell, with the difference that its features include security prompts to quickly acquire the user's root password, as well as uploading and downloading files from the infected host.
The fact that this app installs not one, but two remote administration tools speaks to the virulence of the intended attack. The hackers also relied on social engineering by distributing this malware with a cryptocurrency app.

Working For Profits

It is clear that the objective of embedding these two malware apps in the Cointicker App for Mac was to place them on the computers of cryptocurrency enthusiasts, who are probably invested in cryptocurrencies and are more motivated to download this app because of the functionality it provides.
Then, when these users accessed their wallets, the hackers would copy their keys, access their accounts, and take their cryptocurrencies. The app has already been marked as malware, but there is no way of knowing how many people were affected by this.

CoinTicker, a Mac app that displays the current price of Bitcoin and other cryptocurrencies in your menu bar, has been found to contain two separate pieces of malware …

Malwarebytes shared the news on its blog, after one of its forum members spotted suspicious behavior.

The CoinTicker app is covertly installing not just one but two different backdoors.

Without any signs of trouble, such as requests for authentication to root, there’s nothing to suggest to the user that anything is wrong.

When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell.

The app executes [a] shell command to download a custom-compiled version of the EggShell server for macOS.

Analysis of the malware doesn’t reveal exactly what it is up to, since it essentially creates backdoors that can be exploited in a wide range of different ways, but the company thinks the goal isn’t hard to guess.

Although it’s unknown exactly what goal the hacker behind this malware had in mind, both EggShell and EvilOSX are broad-spectrum backdoors that can be used for a variety of purposes. Since the malware is distributed through a cryptocurrency app, however, it seems likely that the malware is meant to gain access to users’ cryptocurrency wallets for the purpose of stealing coins.

At first, this looked like it could have been a supply chain attack, in which a legitimate app’s website is hacked to distribute a malicious version of the app […] However, on further inspection, it looks like this app was probably never legitimate to begin with. First, the app is distributed via a domain named coin-sticker.com. This is close to, but not quite the same as, the name of the app. Getting the domain name wrong seems awfully sloppy if this were a legitimate app. Adding further suspicion, it seems that this domain was just registered a few months ago on July 13.
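The two signals named above, a download domain that nearly but not exactly matches the app name and a recent registration date, can be turned into a simple triage check. This is an added example, not code from Malwarebytes or the original article; the function names, the thresholds, the observation date and the year 2018 for the July 13 registration (inferred from the October 2018 discovery) are assumptions.

```python
from datetime import date

def normalize(name: str) -> str:
    """Lower-case and keep only letters/digits: 'coin-sticker' -> 'coinsticker'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def triage_download_source(app_name, domain, registered, observed,
                           max_typo=2, min_age_days=365):
    """Flag a download domain that nearly matches the app name or is young.

    The thresholds are illustrative assumptions, not values from the page.
    """
    labels = domain.lower().rstrip(".").split(".")
    # Naive registrable label (no public-suffix handling): 'coin-sticker'.
    label = labels[-2] if len(labels) >= 2 else labels[0]
    distance = edit_distance(normalize(app_name), normalize(label))
    age_days = (observed - registered).days
    flags = []
    if 0 < distance <= max_typo:
        flags.append("lookalike_name")   # close to the app name, not equal
    if age_days < min_age_days:
        flags.append("young_domain")
    return {"distance": distance, "age_days": age_days, "flags": flags}

if __name__ == "__main__":
    # Year 2018 is assumed from the October 2018 discovery; the observation
    # date is constructed for the example.
    print(triage_download_source("CoinTicker", "coin-sticker.com",
                                 date(2018, 7, 13), date(2018, 10, 29)))
    # Constructed control: exact-name domain registered years earlier.
    print(triage_download_source("CoinTicker", "cointicker.example",
                                 date(2015, 1, 1), date(2018, 10, 29)))
```

In practice the registration date would come from a WHOIS or RDAP lookup; it is passed in here so the check runs offline.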

Malwarebytes says that CoinTicker serves as a warning that nasty things can be done without root privileges.

One interesting note about this malware is that none of it requires anything other than normal user permissions. Root permissions are not needed. There is often an erroneous over-emphasis on malware’s need for root privileges, but this malware is a perfect demonstration that malware does not need such privileges to have high potential for danger.

As always, the advice remains to only install apps from sources you trust.

Via TNW. Image: Shutterstock.
