ESET has issued a warning about CoinThief, Mac malware disguised as cracked versions of popular apps such as Angry Birds and Pixelmator. Here is how to detect and remove this malware.
Mac users, like anyone else, should know not to download cracked software from anywhere. In the latest case this is particularly important: a new threat called OSX/CoinThief disguises itself as a pirated version of popular apps and infects the Mac OS X platform in a nasty way, stealing users’ login credentials for several Bitcoin exchanges and wallet sites.
The latest CoinThief version spreads via P2P file-sharing networks, disguised as the following Mac OS X applications.
- Angry Birds – a popular video game that got so many users addicted.
- BBEdit – an OS X text editor.
- Pixelmator – a graphics editor.
- Delicious Library – a media cataloguing application.
CoinThief’s creators are trying to cash in on the current Bitcoin hype and fluctuating exchange rates by breaking into the digital wallets of Mac users who download and install dodgy software from torrent sites. The threat is mostly active among Mac users based in the United States, although other countries have been affected as well. SecureMac researchers spotted CoinThief earlier this month when they found it being distributed via popular download sites such as MacUpdate.com, disguised as infected versions of Bitcoin Ticker TTM (To The Moon), BitVanity, StealthBit and Litecoin Ticker.
How to Detect CoinThief
If you have downloaded and installed any cracked application, you should check whether your Mac has been infected with CoinThief. Follow these steps to find out whether your computer has been infected:
- Open Activity Monitor, located in Applications/Utilities, and look for com.google.softwareUpdateAgent in the list of processes.
- Open every browser you have used recently and check whether an extension called Pop-Up Blocker has been installed.
- If the extension is there, or you can see the rogue process in Activity Monitor, you should take the steps to remove CoinThief.
How to Remove CoinThief
Manual removal is the best way to ensure your computer has been entirely cleaned of the malware. Reddit user nptacek described the following steps to remove CoinThief for good.
- If you have Bitcoin Ticker TTM, BitVanity, Litecoin Ticker, StealthBit or any pirated application installed, delete it from the Applications folder and empty the Trash.
- Open Applications/Utilities and launch Terminal. Enter the following Terminal commands in the exact order shown below.
- Type “launchctl unload ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist” without the quotation marks and hit the enter/return key. (Note: earlier versions of CoinThief used the name “com.google.xupdater” instead of “com.google.softwareUpdateAgent”, so try that name in the command above as well.) This stops the background process that monitors your account credentials and sends them to the malware author(s)’ servers. If you see the message “No such file or directory, nothing found to unload”, the background process was not loaded on your computer. Leave the Terminal window open, as you will need it again in the next step.
- Next we need to unhide the file and move it to the Desktop, so we can drag it to the Trash and safely delete it from there. Type the following into Terminal, “mv ~/Library/Application\ Support/.com.google.softwareUpdateAgent ~/Desktop/com.google.softwareUpdateAgent” (without quotes; the backslash before the space in “Application Support” is required, otherwise the shell reads the path as two arguments) and press return/enter. Use “com.google.xupdater” in the command above instead if needed. The file should now be on your Desktop, so move it to the Trash.
- Now we have to do the same with the file that launches the background process. Still in Terminal, type “mv ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist ~/Desktop/com.google.softwareUpdateAgent.plist” (no quotes) and hit the enter/return key. Once again, use “com.google.xupdater” in the command above in case you have one of the earlier versions of CoinThief. You should now see the file on your Desktop; throw it into the Trash and empty the Trash.
- Open all your browsers and uninstall the Pop-Up Blocker extension (follow the extension-removal instructions for Safari, Chrome and Firefox respectively).
- Almost done. If you installed Bitcoin-Qt on your system, back up your Bitcoin wallet and reinstall Bitcoin-Qt.
- Change the passwords for any Bitcoin-related websites you use, and you’re done. Your system should be free of CoinThief.
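The detection check and the manual clean-up above, condensed into one shell script as an added example (this is not code from the article or from nptacek’s post). It looks for both persistence file names the article mentions, checks the process list the way Activity Monitor would, unloads the LaunchAgent where launchctl exists, and moves the files into a quarantine folder on the Desktop rather than straight to the Trash so a copy survives for analysis. The function names, the quarantine folder name and the optional HOME_DIR argument (used so the script can be run against a constructed directory instead of a real home folder) are this example’s own assumptions; the browser extension still has to be removed by hand.

```shell
#!/bin/sh
# Added example, not code from the article or from nptacek's post.
# Finds and quarantines the CoinThief persistence files the article names.
# Function names, the quarantine folder and the optional HOME_DIR argument
# are this example's own assumptions.

# Both agent names the article mentions (current build and earlier builds).
COINTHIEF_NAMES="com.google.softwareUpdateAgent com.google.xupdater"

# cointhief_indicators [HOME_DIR]
# Prints every persistence file found under HOME_DIR (defaults to $HOME),
# one path per line: the LaunchAgent plist and the hidden agent file.
cointhief_indicators() {
    base="${1:-$HOME}"
    for name in $COINTHIEF_NAMES; do
        for path in "$base/Library/LaunchAgents/$name.plist" \
                    "$base/Library/Application Support/.$name"; do
            [ -e "$path" ] && printf '%s\n' "$path"
        done
    done
    return 0
}

# cointhief_process_running
# Returns 0 if the background agent is in the process list (the same check
# as looking for it in Activity Monitor), 1 otherwise. ps output is captured
# first so the grep itself cannot show up as a match.
cointhief_process_running() {
    procs=$(ps -A -o command=)
    for name in $COINTHIEF_NAMES; do
        printf '%s\n' "$procs" | grep -qF -- "$name" && return 0
    done
    return 1
}

# cointhief_check [HOME_DIR]
# Returns 0 when no persistence files exist, 1 (and lists them) otherwise.
cointhief_check() {
    found=$(cointhief_indicators "$1")
    if [ -n "$found" ]; then
        printf 'CoinThief persistence files found:\n%s\n' "$found"
        return 1
    fi
    echo "No CoinThief persistence files found."
    return 0
}

# cointhief_quarantine [HOME_DIR]
# Unloads the LaunchAgent where launchctl exists (i.e. on OS X), then moves
# every indicator into Desktop/cointhief-quarantine instead of deleting it.
# Re-runs the check afterwards and returns its status.
cointhief_quarantine() {
    base="${1:-$HOME}"
    qdir="$base/Desktop/cointhief-quarantine"
    mkdir -p "$qdir"
    for name in $COINTHIEF_NAMES; do
        plist="$base/Library/LaunchAgents/$name.plist"
        if [ -e "$plist" ] && command -v launchctl >/dev/null 2>&1; then
            launchctl unload "$plist" 2>/dev/null || true
        fi
    done
    cointhief_indicators "$base" | while IFS= read -r path; do
        mv "$path" "$qdir/$(basename "$path")"
    done
    cointhief_check "$base"
}

# Usage on the affected Mac, from a Terminal window:
#   . ./cointhief.sh
#   cointhief_check || cointhief_quarantine
#   cointhief_process_running && echo "agent still running: log out and back in"
```

Quarantining instead of deleting keeps the agent file and its plist available for anyone who later wants to confirm which build was installed; once you are sure you no longer need them, empty the quarantine folder and the Trash as the article's steps describe.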
To stay on the safe side, avoid torrent sites and any other sites that offer pirated versions of software. It is far cheaper to pay for an official version of an application than to have your virtual wallet emptied by malware. A similar Trojan appeared a few months ago affecting PC users: CryptoLocker asked users of infected computers to pay in Bitcoins to get their encrypted files back. This type of payment is very risky, as Bitcoin is hard to track. Zynga recently announced plans to accept Bitcoins as payment in the company’s social games, which drew controversial feedback. Once a user’s Bitcoin wallet has been compromised, there is no way to recover the stolen Bitcoins.
Note that the official Mac App Store versions are completely safe to download and install. Don’t compromise your entire system by trying to use cracked versions of software, or you could end up like the reddit user who lost around $11,340 after their computer was infected with CoinThief.
Dolores is an SEO and Digital Marketing consultant who has been completely hog-washed into doing this site by KC.