DevilRobber, or Backdoor:OSX/DevilRobber.A to give it its full name, installs Bitcoin mining software on the infected Mac. (Bitcoin is an online digital currency used to buy goods or services in some parts of the world; mining it burns your processor time for the attacker's benefit.) The malware also opens network ports so that it can be reached over the internet, which lets whoever controls it execute commands on your Mac remotely. DevilRobber reads the keychain stored on the Mac, where all your passwords are held, your Safari web browsing history and your IP address, it takes screenshots, it accesses your 1Password (a password manager) data if you have it, and more.
So how do you get infected? Through legitimate applications like PixelMator, Graphic Converter and others. The original applications had been modified and the malware hidden inside them, so when you install these apps you install the malware too.
Before you start panicking, I must point out that these apps came from The Pirate Bay, a website notorious for pirated illegal software. The malware author must have taken the original software, which is clean, added his own code, and uploaded the result to The Pirate Bay, where a free copy of a paid app is a tempting download. Even if you don't use The Pirate Bay or other dodgy websites yourself, your mates might, and if they then pass the app on to you, you can become infected.
This emphasises the importance of getting your software only from trusted sources, and that means the Mac App Store, direct from the software developer's website, or a download site like Download.com or Softpedia. These sources are far less likely to hand you a tampered copy, and where the developer signs the app you can confirm the bundle has not been altered since it was signed by running codesign --verify on it in Terminal.
How do you know if you have it and, more importantly, how do you remove it? If you have DevilRobber, go to your home Library folder (in OS X Lion it is hidden: click the Go menu, hold down the Option key and click Library) and delete the Library/mdsa1331 folder. Then go into the Library/LaunchAgents folder and delete com.apple.legion.plist. If you have the latest version of DevilRobber, installed from the PixelMator copy on The Pirate Bay, delete the Library/Pixel_Mator folder and Library/LaunchAgents/com.apple.pixel.plist instead. Don't run the dodgy app again or it will reinstall the malware.
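The same check and clean-up as a script, added here as an example and not part of the original post. It looks for the four artefacts named above under the user's Library folder, unloads a launch agent before deleting it so the job stops, and only removes anything when you ask it to. The function names and the --remove switch are my own; the Library location is assumed to be ~/Library, the home folder one the post refers to.

```shell
#!/bin/sh
# Added example: find and remove the DevilRobber artefacts named in this post.
# Assumes the affected user's home Library (~/Library); a different directory
# can be passed to the functions, which is how the self-test below works.

# The paths the post tells you to delete, relative to the Library folder.
devilrobber_paths() {
    lib="$1"
    printf '%s\n' \
        "$lib/mdsa1331" \
        "$lib/LaunchAgents/com.apple.legion.plist" \
        "$lib/Pixel_Mator" \
        "$lib/LaunchAgents/com.apple.pixel.plist"
}

# Print each indicator that actually exists under the given Library folder.
# Prints nothing (and still exits 0) on a clean machine.
devilrobber_check() {
    devilrobber_paths "$1" | while IFS= read -r p; do
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Delete each indicator found. Launch agent plists are unloaded first on
# macOS so the running job is stopped; on other systems launchctl is absent
# and the files are simply removed.
devilrobber_remove() {
    devilrobber_paths "$1" | while IFS= read -r p; do
        if [ -e "$p" ]; then
            case "$p" in
                *.plist)
                    if command -v launchctl >/dev/null 2>&1; then
                        launchctl unload "$p" 2>/dev/null || true
                    fi
                    ;;
            esac
            rm -rf "$p"
            printf 'removed %s\n' "$p"
        fi
    done
}

# Run directly: list indicators only. Pass --remove to delete them.
if [ "${1:-}" = "--remove" ]; then
    devilrobber_remove "${HOME}/Library"
else
    devilrobber_check "${HOME}/Library"
fi
```

Run it once with no arguments to see whether any of the artefacts are present, and again with --remove to delete them. The launch agents load at login, so after removal log out and back in (or reboot) and run the check once more; if an indicator has come back, the trojanised app is still being launched and has reinstalled it.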