Malware

New Mac Trojan Masquerades as Installer for VKMusic App

Posted on December 13th, 2012 by

Trojans that appear to be installers for popular applications but are in fact charging the user premium rates for SMS have been common on Windows and mobile platforms such as Symbian and Android for a number of years. Now OS X has joined the list of operating systems targeted by this tactic, with the discovery of OSX/SMSMonster.A.

At the time of writing, this Trojan is considered low risk, as it is not known to be affecting users. The site that it was hosted on is now inaccessible. And having Gatekeeper set to prevent installation of apps from unknown sources prevents activation of this threat.

OSX/SMSMonster.A appears to be an installer for the VKMusic App. The legit version of the app is a free program that is used to download audio and video from websites including YouTube and Vimeo. The trojanized app bundle is quite large, 48MB total. The malicious file within the bundle is padded with extraneous zeros so that it could reach such a large size. It could be that this extra padding is an attempt to make the file look less suspicious, as Trojans are often much smaller than this. Or it could be that it’s trying to evade detection by AV products that might exclude such a large file.

Fake license agreement for the Trojan.

In order to install, this Trojan requires the victim input their mobile phone number. They are then sent an SMS confirmation code. If the victim completes the installation, they will be signed up for a subscription service scam. The Trojan communicates the details of the transaction with a remote host, at api.lamivolts.com (194.44.85.153).

It is always a good idea to avoid going to sketchy download sites to retrieve valid apps. Some people try to avoid paying for software, and instead get much more trouble than they bargained for. In this case, the original app is free of charge, so downloading the fake one could end up costing you considerably.

Join Our Awesome Email Newsletter

Enter your email address below to start receiving the best Mac Security Updates.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}