Malware-Laced Apps Distributed to Mac Users

Security researchers have discovered that malware-infected apps have been distributed to hundreds of Mac users in a new software supply-chain attack.

Antivirus firm ESET reported on Friday that free versions of the Elmedia Player app contained a data-stealing trojan tailored for macOS called Proton. Researchers determined that hackers were able to compromise the website of the company that produces the media player, Eltima Software, and infect certain versions of the app.

Eltima Software also told Motherboard that another of its applications, a download manager and BitTorrent client called Folx, was also compromised in the attack.

Proton is a trojan-type malware that is capable of stealing a slew of data from infected computers, including browser history, cookies, bookmarks and log-in data. In addition, authentication keys, cryptocurrency wallets, VPN configuration data, macOS keychain data, and passwords stored in 1Password are also at risk. At launch, the trojan displays a fake password window in order to gain system administrator access.

Elmedia Player has about 1 million users worldwide, the company said. Its popular software is available in both free and paid applications via its website or the Mac App Store. Though Eltima noted that only apps downloaded via its website contained the Proton malware and that the “built-in automatic update mechanism seems to be unaffected.”

The attack occurred on Thursday, and ESET managed to discover the incident fairly quickly and report it to Eltima Software. The malware-laced installers were only available for about 24 hours before being taken down — despite that, about 1,000 users downloaded a compromised version of the app.

“Users who downloaded and executed the software on October 19 before 3:15 PM EDT, are likely compromised,” ESET noted in its blog post. As of Friday morning, Eltima Software said that both apps are now “safe to install and malware-free.”

Luckily, the attackers didn’t appear to have compromised Eltima’s development infrastructure — as seen in the recent CCleaner hack. Instead, the hackers broke into Eltima’s website and used their access to distribute the trojan software.

While Gatekeeper security typically prevents apps without a signed developer’s certificate from opening, the Proton-infected Mac installers were signed with a developer ID under the name Clifton Grimm. It’s currently unclear if that certificate was legitimately obtained from Apple, or if it was stolen.

Apple has since revoked the developer certificate, but users who downloaded and used the Elmedia Player or Folx installers before Apple did so wouldn’t have received a warning flag.

The attack appears to be similar to a previous breach in May which targeted the HandBrake video converter app. According to security researchers, there’s some evidence to suggest that both hacks were conducted by the same attackers. Software supply-chain attacks such as this are especially dangerous because they take advantage of the trust between users and app developers. As such, they’re fairly hard to detect and prevent.

How to Find Out If You’ve Been Affected

If you recently downloaded Elmedia Player or Folx, and you’re worried that your computer has been infected, you can perform the following steps.

1. Open Finder.
2. With “This Mac” as the search criteria, search your system for the following files or directories.
    •  /tmp/Updater.app/, /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
    •  /Library/.rand/
    •  /Library/.rand/updateragent.app/

If you find any of them, you’ve been infected. Unfortunately, a full macOS reinstall is really the only way to get rid of the malware for sure.