A cryptocurrency ticker application called CoinTicker appears to be installing two backdoors on Apple Macs, cybersecurity firm Malwarebytes warned Monday.
The app downloads and installs parts of two different pieces of malware – EvilOSX and EggShell – both of which are backdoor applications that can be used to log keystrokes, steal data or execute certain commands. Malwarebytes director of Mac and Mobile Thomas Reed wrote that it is possible the malware was designed to steal cryptocurrency keys.
CoinTicker acts as a legitimate application designed to present the price of a selected cryptocurrency on request. The user installing the app can choose between bitcoin, ethereum, monero, zcash and others, according to a screenshot. However, the app also installs EvilOSX and EggShell in the background.
The app does not require root or other elevated permissions, meaning the user likely will not see any sign of infection.
It’s unclear what specifically the app’s creators want, but Reed noted that “it seems likely that the malware is meant to gain access to users’ cryptocurrency wallets for the purpose of stealing coins.”
The fact that the malware is distributed through a cryptocurrency app supports this theory, he wrote.
Malwarebytes for Mac now looks for the CoinTicker app, as well as its malware components, he added.