NEWS: OSX/OpinionSpy Spyware Installed by Freely Distributed Mac Applications
Intego has discovered OS X spyware, which it calls OSX/OpinionSpy. Worryingly, it is being distributed via reputable websites:
OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not contained in these applications, but is downloaded during the installation process. This shows the need for an up-to-date anti-malware program with a real-time scanner that can detect this malware when it is downloaded by the original application’s installer.
The basic malware is not new (it has been on Windows since 2008), but this version seems to go much further; for example:
- This application, which has no interface, runs as root (it requests an administrator’s password on installation) with full rights to access and change any file on the infected user’s computer.
- If for any reason the application stops running, it is re-launched via launchd, the system-wide application and service launching facility.
- It opens an HTTP backdoor using port 8254.
- It scans all accessible volumes, analyzing files, and using a great deal of CPU time. It is not clear what data it copies and sends to its servers, but it scans files on both local and network volumes, potentially opening up large numbers of confidential files on a network to intrusion.
And it does a lot more besides.
As can be seen above, this application that purports to collect information for marketing reasons does much more, going as far as scanning all the files on an infected Mac. Users have no way of knowing exactly what data is collected and sent to remote servers; such data may include user names, passwords, credit card numbers and more. The risk of this data being collected and used without users’ permission makes this spyware particularly dangerous to users’ privacy.
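The two behaviours listed above that leave something concrete to check are the launchd relaunch and the listener on port 8254. The following triage sketch is an added example, not code from Intego or from the original post; it flags root launchd jobs that are restarted on exit and any process listening on that port. All plist labels, paths, process names and the `lsof` output are constructed sample data.

```python
import plistlib

BACKDOOR_PORT = 8254  # port named in the report above

# Constructed sample data; every label, path and process name is hypothetical.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.survey.plist": plistlib.dumps(
        {"Label": "com.example.survey", "KeepAlive": True,
         "ProgramArguments": ["/private/tmp/example/surveyd"]}),
    "/Library/LaunchDaemons/com.example.backup.plist": plistlib.dumps(
        {"Label": "com.example.backup", "UserName": "_backup",
         "KeepAlive": {"SuccessfulExit": False},
         "ProgramArguments": ["/usr/local/bin/backupd"]}),
    "/Library/LaunchAgents/com.example.helper.plist": plistlib.dumps(
        {"Label": "com.example.helper", "RunAtLoad": True,
         "ProgramArguments": ["/Applications/Example.app/helper"]}),
}
# Constructed output in the format of `lsof -nP -iTCP -sTCP:LISTEN`.
SAMPLE_LSOF = """\
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
surveyd  412 root  5u  IPv4 0x1a2b      0t0  TCP *:8254 (LISTEN)
cupsd    101 root  6u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:631 (LISTEN)
"""

def relaunching_root_daemons(plists):
    """Return (path, label, program) for root jobs that launchd restarts on exit."""
    hits = []
    for path, raw in plists.items():
        job = plistlib.loads(raw)
        # KeepAlive is either a boolean or a dict of restart conditions.
        restarts = bool(job.get("KeepAlive", False))
        # Jobs under LaunchDaemons run as root unless UserName overrides it.
        as_root = "/LaunchDaemons/" in path and job.get("UserName", "root") == "root"
        if restarts and as_root:
            hits.append((path, job.get("Label"), job.get("ProgramArguments", ["?"])[0]))
    return hits

def listeners_on_port(lsof_output, port=BACKDOOR_PORT):
    """Return (command, pid, user) for each process listening on the TCP port."""
    hits = []
    for line in lsof_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        if fields[-2].rsplit(":", 1)[-1] == str(port):
            hits.append((fields[0], int(fields[1]), fields[2]))
    return hits

if __name__ == "__main__":
    print(relaunching_root_daemons(SAMPLE_PLISTS))
    print(listeners_on_port(SAMPLE_LSOF))
```

Many legitimate daemons also set `KeepAlive`, so a hit from the first function is a lead to review, not a verdict; a root process listening on port 8254 is the stronger signal.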