MacNN | Report: new Mac malware hides as fake software installer
Report: new Mac malware hides as fake software installer
Wednesday, December 12, 2012 @ 1:50am

A Russian security firm with a mixed track record is warning about a new malware threat for the Mac, which masquerades as an installer for various types of software. Doctor Web, which claims to have discovered the malware, says it is widely available on various sites, though at present it is targeting Russian Mac users. The Trojan is apparently a Mac variation on a widespread Windows and Android trickware ruse that asks users for their cell number in order to send an activation code by SMS.



According to the report, the Trojan.SMSSend.3666 malware can be found in repackaged installers for legitimate free software offerings, or can carry non-functioning code as its payload. What the malware is after is the cell number, which must be entered to receive the "activation code" that is sent by SMS. When the software returns the activation code by SMS, the user is automatically signed up for an ongoing monthly subscription on their cell bill. The example provided by Doctor Web is an installer for VKMusic 4 Mac, a legitimate app for listening to music from a Russian social network. So far it is spread primarily by a rogue "affiliate program" company called ZipMonster that assists malware writers in monetizing their software.

Most Mac users will be able to easily avoid falling for the trickware, should it spread to other regions. No legitimate installers for the Mac use the activation-by-SMS scheme in the installer, and most Mac users would know better than to give out their phone number to an untrusted software installer. This practice is apparently more common in the Android community, where apps can come from many sources other than just Google Play, and there is little screening of apps prior to being published. The installers also seem to refer to the Mac as the MAC, which is a common error made by Windows-centric programmers.

The scheme is unlikely to work with most Mac users regardless of OS version, but in particular is likely to fail under OS X Mountain Lion and Lion, which enable Gatekeeper by default to prevent unsigned code from being executed. Developers must be registered with Apple, which most professional developers are, in order for their installers to run under the default security settings. The controls can be overridden or turned off, but programs are also screened by built-in anti-malware software that is quietly updated. It's not known if Apple has taken any steps to detect and automatically protect against Trojan installers like this one.

It can be reasonably expected that the malware makers will also try to perpetrate this scheme in the jailbroken iOS community, since jailbreakers are the only iOS users who can install software from non-Apple sources. Again, however, SMS-based activation is virtually unknown in the iOS world, so it's unlikely the rogue software will gain much of a foothold. In the meantime, however, any software that asks for a cell phone number on installation should be quit and deleted. The genuine VKMusic 4 Mac can be downloaded for free from the service's own website.
