updated 12:51 am EST, Thu February 13, 2014
Now being spread through Bitcoin programs found on download.com
The newly-detected OS X malware dubbed "OSX/CoinThief.A," a "trojan horse" that disguises itself as a copy of a legitimate app, has spread to other Bitcoin applications. SecureMac, an anti-virus software seller, discovered the original implementation of the malware disguised as a pre-compiled version of an open-source Bitcoin tool. It has now been seen pretending to be other Bitcoin apps, some of which are available on Download.com.
Once installed, the malware adds fake browser extensions for Chrome, Firefox and Safari (identifying themselves as "Pop-Up Blocker" or other generic titles) that spy on web traffic, looking for and capturing login credentials for popular Bitcoin trading sites, with the ultimate aim of stealing the user's Bitcoins. Originally seen as a fake version of StealthBit, the program now pretends to be other apps such as Bitcoin Ticker TTM and Litecoin Ticker. The original, legitimate app, StealthBit, has since been taken down in an effort to combat the malware.
SecureMac has published removal instructions for the malware on its blog, though Mac users may want to simply avoid downloading any Bitcoin-related apps (or download them directly from the developers' websites rather than from other download services) until authorities can shut down the Bitcoin-stealing operators of the malware and its command and control centers. To discover whether a user's system may already have the malware, the company advises users to open Activity Monitor and look for a process called "com.google.softwareUpdateAgent."
Users can also check their preferred browsers for the presence of a generic "Pop-Up Blocker" extension. To remove the malware, users must first go offline, then remove any of the suspect apps from their system (BitVanity, StealthBit, Bitcoin Ticker TTM or Litecoin Ticker). Users must then enter Terminal commands to unload the com.google.softwareUpdateAgent.plist file, followed by a command to unhide the malware itself and move it to the desktop, where it can be manually dragged into the trash; the plist file is unhidden and moved in the same manner. Finally, to prevent possible re-installation, users should change the passwords they use for any Bitcoin-related websites.
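As an added defender-side example (not code from the article or from SecureMac), the shell helper below checks a Mac for the two indicators the article names: the com.google.softwareUpdateAgent process and the com.google.softwareUpdateAgent.plist launch agent. It assumes the plist is installed as a LaunchAgent under ~/Library/LaunchAgents or /Library/LaunchAgents, which the article does not state; the browser extension check remains manual.

```shell
#!/bin/sh
# Triage helper for the OSX/CoinThief.A indicators named in the article.
# Assumption (not stated in the article): the plist is a LaunchAgent, so it
# lives in ~/Library/LaunchAgents or /Library/LaunchAgents.
# A hit is a reason to follow the SecureMac removal steps, not proof by itself.

PROC_NAME="com.google.softwareUpdateAgent"
PLIST_NAME="com.google.softwareUpdateAgent.plist"

# Print every line of a ps-style listing (one process per line) that names
# the agent. Exit status 0 when at least one line matched, 1 otherwise.
scan_process_listing() {
    printf '%s\n' "$1" | grep -F -- "$PROC_NAME"
}

# Print the path of the plist in each given directory where it exists.
# Exit status 0 when at least one copy was found, 1 otherwise.
scan_launch_agent_dirs() {
    found=1
    for dir in "$@"; do
        # -f still sees the file if the malware set the Finder "hidden" flag on it
        if [ -f "$dir/$PLIST_NAME" ]; then
            printf '%s\n' "$dir/$PLIST_NAME"
            found=0
        fi
    done
    return "$found"
}

# Count how many of the two indicator classes are present, given a process
# listing and the LaunchAgent directories to inspect. Prints 0, 1 or 2.
cointhief_indicator_count() {
    listing="$1"; shift
    count=0
    scan_process_listing "$listing" >/dev/null && count=$((count + 1))
    scan_launch_agent_dirs "$@" >/dev/null && count=$((count + 1))
    printf '%s\n' "$count"
}

# Live check of this host: the process table plus the assumed LaunchAgent dirs.
triage_host() {
    listing=$(ps -A -o comm= 2>/dev/null)
    n=$(cointhief_indicator_count "$listing" "$HOME/Library/LaunchAgents" /Library/LaunchAgents)
    if [ "$n" -gt 0 ]; then
        echo "CoinThief indicators found: $n of 2; go offline and follow the removal steps"
    else
        echo "no CoinThief indicators found (check browsers for a 'Pop-Up Blocker' extension by hand)"
    fi
}

triage_host
```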
Apple and other anti-malware makers are in the process of updating their services to prevent installation of the trojan in the first place. In the meantime, not downloading any third-party Bitcoin apps, and not logging into Bitcoin sites unless the user is certain the malware is not present, are the safest courses of action in the short term.