The intersection of Bitcoin advocates and Mac users may not be enormous, but malefactors saw this small market as an opportunity to make some fast cash. Some Bitcoin tracker apps for Mac have been infected with malware — and until yesterday, you could have found them on the reputable software repositories Download.com and MacUpdate.
According to Mac security site SecureMac, the infected programs include Bitcoin Ticker TTM, BitVanity, StealthBit and Litecoin Ticker (which, as the name suggests, tracks Litecoin rather than Bitcoin). These programs are supposed to track Bitcoin prices and keep a user apprised via a desktop display.
To be fair, the corrupted versions of the apps do what they suggest, but they also install CoinThief, an Internet browser add-on that steals users' credentials whenever they make Bitcoin transactions online. CoinThief hides itself under an unassuming name such as "Pop-up blocker," which can make spotting it tricky.
The fact that these apps were freely available on trustworthy sites such as Download.com and MacUpdate is also a cause for concern. In this case, neither site adequately vetted its offerings, but this is hardly the only incident of Download.com spreading dodgy programs. We've recently come across downloads from Download.com that came bundled with the hard-to-shake Conduit adware, which can expose computers to malware and viruses.
Fortunately for Bitcoin enthusiasts with Macs, the CoinThief malware did not get very far. Only a few hundred users downloaded the apps from either site, but at least one Reddit user said he'd lost almost $12,000. Anyone who installed these apps should keep a close eye on their Bitcoin wallets and change whatever relevant login information they can.
In order to remove CoinThief, open up your Internet browser and uninstall any innocuous-sounding extensions that you don't recognize — or just uninstall everything and reinstall your favorites, to be safe. Then, uninstall the Bitcoin ticker program; running a Mac anti-malware program will take care of the rest.
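For readers who would rather review extensions by the names stored on disk than by what the browser shows, here is an added example (not from SecureMac or from the original article) that lists every installed Chrome extension and flags the ones you did not name as your own, so an entry like "Pop-up blocker" stands out. It assumes Google Chrome's default profile location on OS X; the `recognized` set is a constructed sample, and the script only reports, it removes nothing.

```python
import json
from pathlib import Path

# Assumption: Chrome's default-profile extension directory on OS X.
CHROME_EXT_DIR = Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"


def display_name(version_dir, manifest):
    """Resolve the user-visible name, following Chrome's __MSG_key__ localisation."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2].lower()
    locale = manifest.get("default_locale", "en")
    try:
        raw = (version_dir / "_locales" / locale / "messages.json").read_text(encoding="utf-8-sig")
        messages = json.loads(raw)
    except (OSError, ValueError):
        return name  # keep the placeholder visible rather than guess
    for k, v in messages.items():  # message keys are matched case-insensitively
        if k.lower() == key and isinstance(v, dict):
            return v.get("message", name)
    return name


def list_extensions(ext_root):
    """Return sorted (extension_id, version, display_name) for each installed version."""
    found = []
    for manifest_path in Path(ext_root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            manifest = {"name": "<unreadable manifest>"}  # still surface it for review
        version_dir = manifest_path.parent
        found.append((version_dir.parent.name, version_dir.name,
                      display_name(version_dir, manifest)))
    return sorted(found)


def unrecognized(extensions, recognized_names):
    """Keep only extensions whose name is not one the user remembers installing."""
    known = {n.casefold() for n in recognized_names}
    return [e for e in extensions if e[2].casefold() not in known]


if __name__ == "__main__":
    recognized = {"AdBlock"}  # constructed sample: names you remember installing
    for ext_id, version, name in unrecognized(list_extensions(CHROME_EXT_DIR), recognized):
        print(f"review: {name!r} (id {ext_id}, version {version})")
```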
Apple has updated its built-in XProtect software, also known as File Quarantine, to catch CoinThief before it's installed. But because this won't be the last corrupted OS X app, exercise caution about programs from third-party software repositories from now on.
Be sure to decline the installation of any third-party software, and whenever possible, get a program right from the developer's website or from OS X's own App Store.