AAPL Stock: 519.01 ( + 1.05 )

Printed from

Report: trojan malware spreading, hiding in other Bitcoin apps

updated 12:51 am EST, Thu February 13, 2014

Now being spread through Bitcoin programs found on

The newly-detected OS X malware dubbed "OSX/CoinThief.A," a "trojan horse" that disguises itself as a copy of a legitimate app, has spread to other Bitcoin applications. SecureMac, an anti-virus software seller, discovered the original implementation of the malware disguised as a pre-compiled version of an open-source Bitcoin tool. It has now been seen pretending to be other Bitcoin apps, some of which are available on

The malware, once installed by Bitcoin fans installs fake browser extensions for Chrome, Firefox and Safari (that identify as "Pop-Up Blocker" or other generic titles) which actually spy on web traffic looking for and capturing login credentials for popular Bitcoin trading sites, with the ultimate aim of stealing a users' Bitcoins. Originally seen as a fake version of StealthBit, the program is now pretending to be other apps such as Bitcoin Ticker TTM and Litecoin Ticker. The original legit app, Stealthbit, has since been taken down in an effort to combat the malware.

SecureMac has published removal instructions for the malware on its blog, though Mac users may want to simply avoid downloading any Bitcoin-related apps (or download them directly from the developers' websites rather than other download services) until authorities can shut down the Bitcoin-stealing operators of the malware and its command and control centers. To discover if a users' system may possibly already have the malware, the company advises users to open Activity Monitor and look for a process called ""

Users can also check their preferred browsers and check for the presence of a generic "Pop-Up Blocker" extension. To remove the malware, users must first go offline, then remove any of the suspect apps from their system (BitVanity, SteathBit, Bitcoin Ticker TTM or Litecoin Ticker). Users must then enter Terminal commands to unload the file, followed by a command to unhide the malware and move it to the desktop, where it can be manually dragged into the trash, as well as unhide and move the plist file in the same manner. Finally, to prevent possible re-installation, users should change the passwords they have for any Bitcoin-related websites.

Apple and other anti-malware makers are in the process of updating their services to prevent installation of the trojan software in the first place, but in the meantime not downloading any Bitcoin third-party apps and not logging into Bitcoin sites unless the user is certain they do not have the malware are the safest courses of action in the short term.

by MacNN Staff



Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines


Most Popular

MacNN Sponsor

Recent Reviews

Linksys EA6900 AC Router

As AC networking begins to makes its way into more and more devices you may find yourself considering an upgrade for your home network ...

D-Link DIR-510L 802.11AC travel router

Having Internet access in hotels and other similar locations used to be a miasma of connectivity issues. If Wi-Fi was available, it wa ...

Ooma Office small business VoIP

Voice over IP (VoIP) services have been around for a very long time. Only recently has the implementation become a bit more robust, al ...


Most Commented