In a blog post published this week, anti-virus software MalwareBytes explained that they have identified a new virus. The virus, uncovered by a member of their support forums, was found after the user discovered a cryptocurrency ticker app that was acting oddly.
The app, named CoinTicker, looks like any regular application. When activated, the app prints recent cryptocurrency prices on the user’s menu bar. It even allows users to choose between different altcoins and exchange. In addition, this app was for Mac operating systems only, which are supposed to be “immune” to viruses. Both these factors led users to believe that the application is completely legitimate.
Under the hood, things are not what they seem. The app actually installs two open-source backdoors, named EvilOSX and EggShell.
MalwareBytes explained the implications of this app:
Although it’s unknown exactly what goal the hacker behind this malware had in mind, both EggShell and EvilOSX are broad-spectrum backdoors that can be used for a variety of purposes. Since the malware is distributed through a cryptocurrency app, however, it seems likely that the malware is meant to gain access to users’ cryptocurrency wallets for the purpose of stealing coins.
MalwareBytes continued to explain that, “it looks like this app was probably never legitimate to begin with.”
Their evidence is simple: although the app looks normal, the app’s website is not. First, the app is hosted on the domain name: coin-sticker.com. If this app was legitimate, it would have liekly actually used the app’s name in the URL – CoinTicker.
The second piece of evidence is that the app is free. Users can download the app without paying, straight from the website. “There’s no such thing as a free lunch,” and this case is no exception. The users of the app have to pay somehow, and with CoinTicker, it’s with their cryptocurrencies. If the users had any cryptocurrencies stored on their computer, it’s possible they would’ve been taken by the virus.
This story shows the importance of safe cryptocurrency storage. Even if the virus was able to gain access of the user’s computer, it’s unlikely that the hackers were able to access currencies stored on a cold storage device.