Mac Bitcoin-stealing Trojan lurks on download sites and GitHub
Posted on 13.02.2014
CoinThief, the recently discovered Bitcoin-stealing Trojan that targets Mac users, has been spotted being offered on several download websites such as CNET's and, as well as masquerading as precompiled binaries in several GitHub projects.

The malware's initial variant installs browser extensions for Safari and Google Chrome that monitor all web browsing traffic, looking specifically for login credentials for many popular Bitcoin exchanges and Bitcoin wallet sites.

Newer variants also include a browser extension for Firefox ("Pop-Up Blocker 1.0.0").

"The malware is being distributed disguised as price tickers for Bitcoin ("Bitcoin Ticker TTM for Mac") and Litecoin ("Litecoin Ticker"), which have been available on since early December. According to the download stats, the malware has been downloaded 57 times," SecureMac researchers noted.

"The two variants seen by SecureMac share the same name and developer information as two apps found in Apple's Mac App Store. At this time it is unclear what, if any, connection is shared between the apps. Initial analysis of the Mac App Store versions of the apps did not include the malicious payload found in the versions from"

Fortunately, the two websites have already reacted and removed the malware.

In a Reddit thread started by Nicholas Ptacek, lead developer at SecureMac, the developer of Bitcoin Ticker TTM noted that his original app was never open source, so it seems his app itself was never trojanized and only its name and his own were used to trick users into downloading the malware.

Ptacek also shared that the malware is being distributed on GitHub in the BitVanity and StealthBit projects.

"While the source code for those two projects looked to be legit, the precompiled binaries were definitely malicious," he confirmed, and wrote in detail about how to remove the malware from the system if you have been infected.

Still, it would probably be wrong to assume that the malware is not still being distributed on other download sites under different names, so be careful when downloading anything, treat precompiled binaries with more suspicion than the source they claim to come from, and check your browsers for the malicious extensions.
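As an added, offline-runnable check (not code from the article, from SecureMac or from the projects mentioned), the script below enumerates the extensions installed in the current user's Chrome, Firefox and Safari profiles on a Mac and flags any whose name is on a watchlist. The only extension name the article gives is the Firefox add-on "Pop-Up Blocker"; the profile paths, the demo() fixtures and the placeholder extension ids are assumptions and constructed sample data, not indicators taken from the original.

```python
#!/usr/bin/env python3
"""List installed browser extensions on a Mac and flag names on a watchlist."""
import json
import re
import tempfile
import zipfile
from pathlib import Path

# Extension names to flag (lower-case). "Pop-Up Blocker" is the Firefox add-on name
# reported for CoinThief; the Safari/Chrome names are not given here, so add your own.
WATCHLIST = {"pop-up blocker"}

# Standard per-user profile locations on macOS (assumed defaults; adjust for other profiles).
HOME = Path.home()
DEFAULT_ROOTS = {
    "chrome": HOME / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions",
    "firefox": HOME / "Library" / "Application Support" / "Firefox" / "Profiles",
    "safari": HOME / "Library" / "Safari" / "Extensions",
}


def chrome_extensions(root):
    """Yield (name, version, path) for each unpacked Chrome extension: <id>/<ver>/manifest.json."""
    for manifest in sorted(Path(root).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        name = str(data.get("name", ""))
        if name.startswith("__MSG_"):  # localised name; fall back to the extension id
            name = manifest.parent.parent.name
        yield name, str(data.get("version", "")), str(manifest.parent)


def _parse_install_rdf(text):
    """Pull name/version out of a legacy (2014-era) Firefox install.rdf; a regex is enough here."""
    name = re.search(r"<em:name>(.*?)</em:name>", text, re.S)
    version = re.search(r"<em:version>(.*?)</em:version>", text, re.S)
    return (name.group(1).strip() if name else ""), (version.group(1).strip() if version else "")


def firefox_extensions(root):
    """Yield (name, version, path) for add-ons in every profile under root (unpacked dir or .xpi)."""
    for entry in sorted(Path(root).glob("*/extensions/*")):
        name = version = ""
        try:
            if entry.is_dir() and (entry / "install.rdf").is_file():
                name, version = _parse_install_rdf((entry / "install.rdf").read_text(errors="replace"))
            elif entry.suffix == ".xpi" and zipfile.is_zipfile(entry):
                with zipfile.ZipFile(entry) as xpi:
                    if "install.rdf" in xpi.namelist():
                        name, version = _parse_install_rdf(xpi.read("install.rdf").decode("utf-8", "replace"))
        except OSError:
            continue
        if name:
            yield name, version, str(entry)


def safari_extensions(root):
    """Yield (name, version, path) for .safariextz bundles; only the file name is visible without unpacking."""
    for bundle in sorted(Path(root).glob("*.safariextz")):
        yield bundle.stem, "", str(bundle)


SCANNERS = {"chrome": chrome_extensions, "firefox": firefox_extensions, "safari": safari_extensions}


def scan(roots=None, watchlist=WATCHLIST):
    """Return one dict per installed extension; 'flagged' is True when its name is on the watchlist."""
    roots = DEFAULT_ROOTS if roots is None else roots
    results = []
    for browser, root in roots.items():
        if not Path(root).is_dir():  # browser not installed or profile elsewhere
            continue
        for name, version, path in SCANNERS[browser](root):
            results.append({"browser": browser, "name": name, "version": version,
                            "path": path, "flagged": name.lower() in watchlist})
    return results


def demo():
    """Build a constructed profile tree (sample data, not a real infection) and scan it."""
    tmp = Path(tempfile.mkdtemp())
    ff = tmp / "ff" / "abcd1234.default" / "extensions" / "popup@example.org"  # assumed add-on id
    ff.mkdir(parents=True)
    (ff / "install.rdf").write_text("<RDF><Description><em:name>Pop-Up Blocker</em:name>"
                                    "<em:version>1.0.0</em:version></Description></RDF>")
    ch = tmp / "chrome" / "aaaabbbbccccddddeeeeffffgggghhhh" / "2.1_0"  # placeholder Chrome id
    ch.mkdir(parents=True)
    (ch / "manifest.json").write_text(json.dumps({"name": "Benign Notes", "version": "2.1"}))
    return scan({"firefox": tmp / "ff", "chrome": tmp / "chrome", "safari": tmp / "none"})


if __name__ == "__main__":
    for ext in scan():
        mark = "FLAGGED " if ext["flagged"] else "        "
        print(f"{mark}{ext['browser']:8} {ext['name']} {ext['version']} {ext['path']}")
```

Run it as the affected user; it only reads profile directories. The match is by display name only, so an extension that has been renamed will slip through; treat any unfamiliar extension in the full listing, flagged or not, as worth a closer look, and compare the listing against what you consciously installed.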

