CoinTicker Cryptocurrency App Caught Installing Backdoors on macOS
  • Security researchers at Malwarebytes have discovered malware that installs backdoors on macOS systems.
  • CoinTicker is a legitimate-looking app that lets users monitor cryptocurrency prices.
  • The developers of the app have not yet responded to the controversy.

Security researchers at Malwarebytes have found CoinTicker installing multiple backdoors on macOS systems. CoinTicker was originally developed to let users monitor cryptocurrency prices by market value. It is currently unknown whether the developers created the app for malicious purposes or whether it was compromised by an outside party.

Once installed, the infected CoinTicker app secretly installs two backdoors on the macOS system, allowing attackers to take control of the computer remotely. The trojan was first spotted by a member of the Malwarebytes forum named 1vladimir. Further investigation revealed that, on execution, the malicious app connects to a remote host and downloads a number of Python and shell scripts, which in turn download and install the backdoors when run.

The trojan downloads custom versions of the EggShell and EvilOSX backdoors from a public GitHub repository, which has since been taken down. The scripts install the EggShell backdoor first and create a launch agent, so that the backdoor is activated whenever a user logs in to the Mac. After the first backdoor is in place, the EvilOSX backdoor is installed using an obfuscated script.
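A defender-side check for the persistence mechanism described above, written as an added example that is not from the article or from Malwarebytes' analysis: it parses LaunchAgent plists and flags any that run an interpreter on a script outside trusted system paths at login. The labels and file paths in the sample plists are constructed, not taken from the real malware.

```python
"""Flag LaunchAgents that start an interpreter on a user-writable script at login."""
import plistlib
from pathlib import Path
from typing import List
from xml.parsers.expat import ExpatError

# Interpreters commonly used to run dropped scripts rather than a signed binary.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "zsh", "osascript"}
# Script paths under these prefixes are treated as trusted system locations.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def is_suspicious_agent(plist_bytes: bytes) -> bool:
    """True if the agent is persistent (RunAtLoad/KeepAlive) and its program
    is an interpreter fed a script that lives outside the trusted prefixes."""
    try:
        d = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return False  # unparseable plist: not judged here
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    if not args or not (d.get("RunAtLoad") or d.get("KeepAlive")):
        return False
    if Path(args[0]).name not in INTERPRETERS:
        return False
    for a in args[1:]:
        if a.startswith("~") or "/Users/" in a or "/tmp/" in a:
            return True  # script in a home directory or temp location
        if a.startswith("/") and not a.startswith(TRUSTED_PREFIXES):
            return True  # absolute path outside trusted system locations
    return False


def scan_dir(directory: Path) -> List[str]:
    """Return the file names of suspicious agent plists in a directory."""
    return [p.name for p in sorted(directory.glob("*.plist"))
            if is_suspicious_agent(p.read_bytes())]


# Constructed samples (hypothetical labels and paths, not real indicators).
MALICIOUS_SAMPLE = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/usr/bin/python", "/Users/victim/Library/.cache/a.py"],
    "RunAtLoad": True,
})
BENIGN_SAMPLE = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    print(scan_dir(Path.home() / "Library" / "LaunchAgents"))
```

Run on a live system it lists the user's own LaunchAgents that match the pattern; a hit is a lead to inspect, not proof of compromise.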

Code obfuscation is a common trick used by developers to let apps fly under the radar of several security checks that app stores have in place on popular platforms. Recently Google made changes to its policy to prevent any apps with obfuscated code from being published on any of its platforms. It is likely that other software marketplaces like App Store and Microsoft Store will follow suit.

The developers of the app have not yet commented on the issue, and there is no contact information available either, which makes the app look suspicious. It is entirely possible that the app was created to distribute the trojan.
