New Trojan Uses First-Ever Fake Installer Found on Mac OS X

It’s a relatively simple game: Inject a fake installer across a bevy of websites, entice Web users to download and execute the installer on their systems and prompt for unnecessary credentials during installation. That’s all the new Mac trojan, dubbed “Trojan.SMSSend.3666” by Russian antivirus company Doctor Web, needed to acquire enough credentials to obtain victims’ cell numbers in order to charge a subscription and recurring fee by sending premium text messages.

This is just one of several new attacks on OS X, of the kind that have been commonplace on Windows machines for years. As I’ve mentioned before, in connection with the recent Flashback malware outbreak that infected more than 600,000 Mac computers earlier this year, increased market share brings an increased volume of malicious attacks.

In the past, Mac security was defined by “security through obscurity” – meaning the platform didn’t have a large enough market share to justify targeted efforts from attackers. In September, OS X (10.4 and above) surpassed Windows Vista in market share, climbing to 7.1 percent (Vista had 6.1 percent share). But as Apple’s desktop operating system grows in popularity, what it gains in adoption it loses in security.

As Macs move more broadly into the workplace, the increased growth and immersion of OS X will draw greater interest from attackers. For now, it appears that this specific malicious installer is targeting Russian OS X users, but this program (like others used on U.S. Windows machines) was developed using the affiliate program ZipMonster – just one of several solutions on the Internet used to craft fake installers. So it’s almost a guarantee that this type of attack will find its way to U.S. Macs in the future.

The best way to prevent this type of fraudulent application from racking up charges on your personal or work devices is to recognize what it’s asking for and when. Installers such as Trojan.SMSSend.3666 ask for your cell number to complete installation, but installers typically do not need that type of credential to execute and install on your desktop. Only Web-based applications, like banking, cloud services, and email accounts, ask for cell numbers to activate two-step verification, and even then the request is initiated by the user and is usually not mandatory. Also, even if a site asks for such credentials, ensure that the URL is consistent with what you are used to (in order to prevent phishing attacks). Of course, the best way to prevent these malicious installers from executing at all is application control. Establishing trust across all of the known good applications in your environment is the best way to alleviate the burden and stress of the potentially dangerous Web and the fraudulent and malicious apps it hosts.
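The application-control approach recommended above, reduced to its core mechanism as an added illustration (this is example code written for this post, not Bit9's code and not the Parity Suite's API): a deny-by-default allowlist keyed on the SHA-256 of each executable's contents, so that a file which merely reuses a trusted name, or any download nobody has vetted, is blocked from running. The "known good" installers and the fake installer bytes are constructed stand-ins for the demo; a real inventory would hash the binaries you have actually vetted.

```python
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key: trust the bytes, never the filename."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the known-good installers in an environment.
# In practice these would be the real, vetted binaries from your own inventory.
KNOWN_GOOD: Dict[str, bytes] = {
    "Vendor Office Installer.pkg": b"constructed bytes: vetted office suite installer",
    "Browser Update.dmg": b"constructed bytes: vetted browser updater",
}

# The allowlist itself: hash -> label. Everything not in here is denied.
ALLOWLIST: Dict[str, str] = {sha256_hex(b): name for name, b in KNOWN_GOOD.items()}


def assess(filename: str, data: bytes, allowlist: Dict[str, str]) -> Dict[str, object]:
    """Deny-by-default decision for one file.

    Only content whose hash appears in the allowlist may execute. The filename is
    reported for the operator but carries no weight: a fake installer can borrow
    any name it likes, but it cannot reproduce the hash of the genuine file.
    """
    digest = sha256_hex(data)
    match: Optional[str] = allowlist.get(digest)
    return {
        "filename": filename,
        "sha256": digest,
        "allowed": match is not None,
        "trusted_as": match,
        "reason": "hash matches trusted entry" if match
                  else "hash not in allowlist; execution blocked",
    }


def assess_many(samples: Iterable[Tuple[str, bytes]],
                allowlist: Dict[str, str]) -> List[Dict[str, object]]:
    """Evaluate a batch of (filename, contents) pairs against the allowlist."""
    return [assess(name, data, allowlist) for name, data in samples]


if __name__ == "__main__":
    # Constructed samples: the genuine installer, a file that reuses the trusted
    # name but carries different bytes, and an unknown download nobody vetted.
    samples = [
        ("Vendor Office Installer.pkg", KNOWN_GOOD["Vendor Office Installer.pkg"]),
        ("Vendor Office Installer.pkg",
         b"constructed bytes: lookalike installer that prompts for a phone number"),
        ("Free Codec Pack.pkg", b"constructed bytes: unknown download"),
    ]
    for result in assess_many(samples, ALLOWLIST):
        verdict = "ALLOW" if result["allowed"] else "BLOCK"
        print(f"{verdict:5} {result['filename']:30} {result['sha256'][:16]}... {result['reason']}")
```

The point of keying on content rather than name or location is that it makes the trust decision independent of anything the attacker controls on the download side; the operational cost is that every legitimate update produces a new hash that has to be added to the allowlist, which is exactly the inventory work "establishing trust across all of the known good applications" refers to.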

