Nasty Mac malware can steal your passwords and credit cards — what to do

Cybercriminals are corrupting Mac applications at the source, poisoning otherwise benign open-source projects with malware that contains two previously unseen zero-day exploits. 

When you run the infected apps, they may direct you to dangerous websites, change the addresses on your cryptocurrency wallets, take screenshots of what you're looking at or steal your credit cards.

The malware also replaces Safari with a malicious version of Apple's browser, infects all other major browsers, steals Google, Apple ID and PayPal usernames and passwords, steals data from Skype, Telegram, Evernote and WeChat, and may even install ransomware. 

To protect yourself, make sure you're running some of the best Mac antivirus software, because Apple's built-in defenses may not be able to catch the malware. You also might want to install apps only from Apple's own App Store for the time being.

The antivirus maker Trend Micro, whose researchers discovered the malware, calls it "a rabbit hole of malicious payloads" in a blog post last week.

Browser massacre

Once the malware, which Trend Micro calls XCSSET, is in full force, it profiles the system and infects any versions of the Brave, Firefox, Opera, 360 and Yandex browsers that may be installed. If Google Chrome is installed, the malware replaces it with an older version of Chrome that has weaker security.

That's nothing compared to what it does with Safari, however. The malware downloads and installs a malicious version of Safari and makes sure any internal links to the real Safari go to the fake one instead.

"Functionally, this means that the fake Safari browser runs instead of the legitimate version of Safari," states a Trend Micro white paper on the XCSSET malware.

So far, Trend Micro has seen XCSSET infecting only two Mac open-source projects, one from India and the other from China. It has not seen it infecting any iOS apps, although that would certainly be possible. 

It's happened before

If this sounds familiar, it's happened before. In 2015, a malicious version of Apple's development platform Xcode was distributed in China. The result was that any Mac or iOS apps created with the corrupted version of Xcode were themselves corrupted. Apple swiftly removed the tainted apps from its app stores.

So how is it happening again? This time, the crooks are striking a bit further downstream. Instead of attacking Xcode itself, they're checking online code repositories like GitHub, where dozens or hundreds of developers who don't really know each other can use Xcode to collaborate on a single open-source project.

"Malicious code is injected into local Xcode projects so that when the project is built, the malicious code is run," Trend Micro said. 

Because the unwitting software developers release the applications with their own authorized signatures, the infected apps will not always be stopped by Apple's own built-in security safeguards.

"Methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files," Trend Micro added.
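Since checking the finished app's hash does not help, the review has to happen in the project before it is built. The Python below is an added example, not code from Trend Micro or from this article: it lists the Run Script build phases stored in an Xcode project.pbxproj file, which are one place where commands that run at build time live, and marks the ones worth reading first. The article does not say where XCSSET puts its code, so the sample project text and the four heuristics are constructed assumptions.

```python
import re
import sys

# Constructed sample of a project.pbxproj fragment (not from any real project).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
    AA0000000000000000000001 /* SwiftLint */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
    };
    AA0000000000000000000002 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "sh \"${PROJECT_DIR}/.hidden/helper.sh\" >/dev/null 2>&1 &\n";
    };
/* End PBXShellScriptBuildPhase section */
'''

SECTION = re.compile(r"/\* Begin PBXShellScriptBuildPhase section \*/(.*?)"
                     r"/\* End PBXShellScriptBuildPhase section \*/", re.S)
PHASE = re.compile(r"(\w+) /\* (.*?) \*/ = \{(.*?)\n\s*\};", re.S)
SCRIPT = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

# Review heuristics chosen for this example (assumptions, not published indicators).
HEURISTICS = {
    "hidden path": re.compile(r"/\.[\w-]+/"),
    "download piped to a shell": re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|z)?sh\b"),
    "base64 decode": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    "detached with output discarded": re.compile(r">\s*/dev/null\s+2>&1\s*&\s*$", re.M),
}

def unescape(value):
    """Undo the backslash escapes pbxproj uses inside quoted strings."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m[1], m[1]), value)

def audit_run_scripts(pbxproj_text):
    """Return (phase_id, phase_name, findings) for every Run Script build phase."""
    results = []
    for section in SECTION.findall(pbxproj_text):
        for phase_id, name, body in PHASE.findall(section):
            match = SCRIPT.search(body)
            script = unescape(match.group(1)) if match else ""
            findings = [label for label, rx in HEURISTICS.items() if rx.search(script)]
            results.append((phase_id, name, findings))
    return results

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for phase_id, name, findings in audit_run_scripts(text):
        print(f"{phase_id} {name}: {', '.join(findings) or 'no heuristic hit, still read it'}")
```

Run it with the path to a project.pbxproj file after cloning a repository and before the first build; a phase with no heuristic hit still deserves a read if nobody on the team remembers adding it.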

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.