First Mac OS X fake installer pops up, racks up your mobe bill

Crooks have developed a new Mac OS X-specific Trojan that mimics the behaviour of a legitimate software installer. Trojan-SMSSend-3666, which poses as an application for listening to music on a popular Russian social networking site, attempts to hoodwink marks into handing their mobile number to activate the radio app. Users are …

COMMENTS

This topic is closed for new posts.

Isn't Mac OS X based on BSD?

Anonymous Coward

What's that got to do with users installing dodgy applications*?

Anonymous Coward

What's your point?

This malware gets executed by the user and signs the user up to SMS messages. It doesn't matter whether your OS is Windows, Linux, Mac OS X or anything else: if you execute something and give it permission to install, then you will be compromised.


@the AC's

It was a question to prompt further conversation...

I guess it goes to show that regardless of the platform, people will exploit any given weakness.

If memory serves, one of the popular points that Cultists would use to defend Mac OS was that there were few, if any virii available.

So, in this instance, is the vulnerability the user, or that the OS allows a dodgy installation to take place?

Before the downvotes start rolling in, please note that this is a genuine question as opposed to me making fun of the OS.

Anonymous Coward

Sorry, your question came across as a trollish "Isn't Mac OS X based on BSD? OMG BSD is vulnerable!"

"So, in this instance, is the vulnerability the user, or that the OS allows a dodgy installation to take place?"

Now that you've asked specifically, this is purely a user problem. The only prevention is the iOS model where every application is vetted by someone before being allowed onto the system and even this isn't completely secure.

I would say the best solution is educating users; unfortunately most users aren't interested in being educated and just want to get on with what they want to do.

Anonymous Coward

So what? If you run something, the OS asks for privilege escalation and you say "yes", then it will get installed.

OSX Mountain Lion has a Gatekeeper setting which stops unsigned apps if you want it to.

Unfortunately the traditional desktop OSes are always going to be vulnerable to people installing bad applications.


The OS is irrelevant

This is a social engineering attack. It's basically just asking users to send enough info so they can be subscribed to premium rate SMS spam; it could just as easily be implemented as a two factor security system on a website, as no software exploits are required.


Re: The OS is irrelevant

Not much of a threat really these days. The default setting on OS X is that software can only be installed from the Mac App Store and identified developers (e.g. developers whose apps have been certified). The message is, if you don't know what you are doing, never change that setting to the more permissive "Allow applications downloaded from anywhere". To be honest, most users who don't know what they are doing won't even know they can change that setting anyway. So by default, the average Mac user won't be vulnerable to this type of attack.


Re: The OS is irrelevant

But the article mentions ZipMonster as a resource used to create the installer.

I would assume by this that they are being used to circumvent any protection implied? Or have I read this incorrectly?

Surely anyone could write an installer that does naughty things to an OS; to get away with it you would need one that supplies dodgy credentials?


"So, in this instance, is the vulnerability the user, or that the OS allows a dodgy installation to take place?"

Up to now the user is allowed to run applications of his choice on a Mac. This trojan is probably unsigned, but if the user chooses to run it and states his choice several times, it will run.


Re: The OS is irrelevant

@Rafayal. No. With the default configuration, no dodgy installer will run unless it has a cert issued by Apple. Every time you try to install an app, OSX checks if its certificate is still valid. To get the credentials to install you have to get your app (or installer) signed by Apple. They can revoke them. Of course it's possible someone could set up a dodgy account and dupe Apple, but as soon as any reports/complaints surface, the app would have its install rights rescinded and no one further would get infected beyond a few initial users. You would have to be pretty unlucky to be in that group.

The world has moved on greatly since the malware storms of the late 90's and early noughties. Now threats tend to be much more targeted, with bespoke or custom malware produced to hit higher value targets. Of course The Register and the rest like to dramatise any angle they can find, but really there are relatively far fewer cases of mass malware infection than there used to be. That goes for all platforms, including Windows. App Stores, code signing and authenticated installs are contributing a great deal to this shift. Of course zero day exploits can still be used but again, the value of a zero day exploit these days is far greater to the vertical market, where, as a malware author, you can get payback without bringing the "crowd source" investigative power of the internet down on your head by infecting thousands, if not hundreds of thousands, of machines. Consequently zero day exploits tend to be sold into smaller professional groups who want an exclusive and don't want it shared with the world.


Mach+BSD+Cocoa Frameworks

And yes - if you install an application on OS X while you have admin privs and type your admin credentials when the installer asks you to - it can pop code wherever it likes on your box.


Re: The OS is irrelevant

This is a social engineering attack, It's basically just asking users to...

The very definition of a class of social engineering attacks. Perhaps it would be useful to fight fire with fire. Instead of asking users if they would like to allow an app to access certain functions in order for it to complete its install, it would be better to ask them if they would like to fall on their respective swords.

More to the point, I wonder if it would be possible to automatically rate the risk of a particular set of permissions against the app being installed or the action being taken, and then communicate that to the user. Rather than a message asking, "Do you want this app to have access to this resource?" the user would be told, "Allowing this app to have this access is rated as having a high level of risk."


Re: The OS is irrelevant

>>the user would be told, "Allowing this app to have this access is rated as having a high level of risk."<<

And then the malware writer changes the text so that it reads "Apple has confirmed that installing this app will have no adverse effect" - and people click on the link because they trust it.

If you have 10 "experts" telling someone "you should not do this" and 1 "expert" saying that it's OK, they will listen to the 1; because he / she is telling them what they want to hear. That's just the way that people are.


Re: The OS is irrelevant

You're missing the point. The only resource this app is using is the Internet connection; it prompts the user to enter their mobile number as part of the 'activation' procedure, the user then receives a text with a code, and they supply this info, which is ferried back and is apparently enough for the fraudsters to sign them up for premium rate SMS.

I'm guessing they take the user's mobile number and supply it to a telco who send out the auth code, and should that code come back to the telco via the fraudsters, the telco assumes the user has signed up. This is the bit that needs fixing, because you don't need to find an exploit, create an app, or even a website registration form to trick people into this scam; hell, you could do it over the phone, by post or even face to face in the street, as all it requires to work is a lie and a telco prepared to turn a blind eye.


Re: The OS is irrelevant

"More to the point, I wonder if it would be possible to automatically rate the risk of a particular set of permissions against the app being installed or the action being taken"

The minute you allow writing to any shared (and thus privileged) area on the system, it's basically game over and pretty much every installer needs that.

The real issue is that most OS designs (Mac OS X, Windows and Linux all included) are geared around protecting the system (and by extension other users) from the user. It's just not part of their fundamental security design to constrain permissions at an application level (every application runs as the user and can do everything the user can do). The more we've moved away from shared computers to one device per person, the less and less effective the traditional OS security is. It's one of the reasons the walled garden approach is becoming more embraced, because it (theoretically at least) compensates to some degree for this.


Re: as all it requires to work is a lie and a telco prepared to turn a blind eye

In the POTS world, this type of fraud is known (in the US) as cramming. (here is some FCC info on this disgusting practice: http://www.fcc.gov/guides/cramming-unauthorized-misleading-or-deceptive-charges-placed-your-telephone-bill )

The only way to put a stop to this shit is to force carriers to allow customers to block third party charges to their cell bill. Now, doing so can have unwanted consequences for those who want to use their cell phone as a wallet.

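The two posts above describe the actual weak link: the telco accepts the activation code from whoever presents it, so a fake installer can relay the victim's code, and the suggested fix of letting customers block third-party charges. The following is an added illustration, not code from the thread or from any carrier, that models both the weak flow and a hardened one; the class and service names are hypothetical.

```python
"""Constructed model of the premium-SMS sign-up flow discussed in the thread.
Hypothetical telco logic; not taken from any real carrier."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    msisdn: str
    block_third_party: bool = False          # the 'cramming' block discussed above
    charges: list = field(default_factory=list)


class NaiveTelco:
    """Weak flow: the code is accepted from whoever presents it (app, web form...)."""
    def __init__(self, accounts):
        self.accounts = {a.msisdn: a for a in accounts}
        self.pending = {}                    # (msisdn, service) -> one-time code

    def start_signup(self, msisdn, service):
        code = secrets.token_hex(3)
        self.pending[(msisdn, service)] = code
        return code                          # in reality delivered to the handset by SMS

    def confirm(self, msisdn, service, code, presented_by):
        if self.pending.pop((msisdn, service), None) == code:
            self.accounts[msisdn].charges.append(service)
            return True
        return False


class HardenedTelco(NaiveTelco):
    """Only the subscriber's own handset may confirm, and opt-out blocks are honoured."""
    def confirm(self, msisdn, service, code, presented_by):
        acct = self.accounts[msisdn]
        if acct.block_third_party:
            return False                     # customer has blocked third-party billing
        if presented_by != msisdn:
            return False                     # code arrived via a relay, not from the phone
        return super().confirm(msisdn, service, code, presented_by)


def run_flow(telco_cls, relayed, block=False):
    """Return True if the premium service ends up on the victim's bill.
    relayed=True models the fake installer ferrying the code back itself."""
    victim = Account("+70000000000", block_third_party=block)   # constructed number
    telco = telco_cls([victim])
    code = telco.start_signup(victim.msisdn, "premium-radio")   # SMS reaches the victim
    presenter = "fraudster-backend" if relayed else victim.msisdn
    return telco.confirm(victim.msisdn, "premium-radio", code, presenter)
```

With the naive telco the relayed code bills the victim; the hardened telco rejects it while still letting a genuine subscriber confirm from their own handset.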

Re: Mach+BSD+Cocoa Frameworks

"And yes - if you install an application on OS X while you have admin privs and type your admin credentials when the installer asks you to - it can pop code wherever it likes on your box."

No it won't. You obviously don't have OSX and you are extrapolating from OSes you do know. You will have to first go to settings, find the relevant setting and change it. You will then be challenged with a warning. Even as an admin you have to take positive action to find the setting to change. The important point here is you won't find you can install the software simply by answering in the affirmative to a string of dialogue boxes when you try to run the installation file.

Anonymous Coward

You will never ever catch a virus on an apple

But you can still afford a Doctor if you bought a PC.

Anonymous Coward

Re: You will never ever catch a virus on an apple

Never heard the old adage "An Apple a day keeps the PC doctor away"?



A limited market?

The 'popular Russian social networking site' mentioned in the article is one that all my Russian friends know about but won't touch with a barge pole. It is notorious for being riddled with malware. On the other hand, if you are looking for Russian 'Babes' then it is a good place to go. BTW, they will also empty your wallet in no time flat.

Mine's the one with a dog-eared copy of Правда in the pocket.

Anonymous Coward

Re: A limited market?

> Mine's the one with a dog-eared copy of Правда in the pocket.

And the empty wallet.

Anonymous Coward

Because in Soviet Russia

babe screws YOU!!


Re: A limited market?

" Crooks have been encouraged to migrate from cooking up fake Windows installers to creating fraudulent Mac OS X apps"

Understandably so. A target market that by definition has a high disposable income (or they couldn't afford a Mac) has been encouraged by marketing liars and fanbois to believe that OSX "doesn't get viruses", and is deliberately marketed toward the ignorant and computer illiterate ("it just works" translates directly to "you may not be too stupid for this").

And Pravda's improved a great deal!

Tex

Another Scam

Another scam everyone should be aware of is the Amway Tool Scam. Google stoptheamwaytoolscam for more information, and forward this to every non-IBO you know, so they don't get scammed.


IBO?

International Boxing Organisation?

International Baccalaureate Organisation?

Independent Business Owner?

International Biology Olympiad?

Something to do with irritable bowel?

Anonymous Coward

IBO?

Immensely Big Orifice


Anonymous Coward

Ladies, cut the claptrap.

The virus has been written for OSX, regardless of how it gets installed.

OSX is just as shit as 'dows or 'ux.

Anonymous Coward

Err?

Ladies?

Being a woman isn't an insult or somehow not worth as much as a man.

Still it's fractionally better than your usual homophobic bollocks.


brain dead

Just to point out, it's NOT a virus... so no, OS X has not been hit with a virus that exploits a security hole.

It could be argued that this isn't even a trojan, as it doesn't do anything when installed.

It's simply a social engineering trick, like someone ringing your doorbell and asking for your number for a chance to "Win 10 Million".

Of course all the Windows users would start rattling on about a "virus" because they are already dumb enough to use Windows; how could they have enough cells up top to know the difference?


Re: brain dead

I'm not dumb enough to pay double for something with an iBlah or apple logo :P

/downvote shield up


Trojan, not virus

nuff said.


Re: brain dead

"Of course all the Windows users would start rattling on about a "virus" because they are already dumb enough to use Windows"

And by "ALL" you mean like 2 people on this forum thread, and you have presumed they use Windows. You, Sir, do no good for the current stereotyping of Apple users.


Re: brain dead

"Of course all the Windows users would start rattling on about a "virus" because they are already dumb enough to use Windows, how could they have enough cells up top, to know the difference?"

You do realise that 99% or more of the Windows "viruses" out there work in exactly the same way, right? It's just that everyone on Windows stopped pretending a long time ago that there is anything but a purely academic distinction at the end of the day when real people are suffering the effects.

Anonymous Coward

"forward this to every non-IBO you know"

Which by definition means: ignore this message, it is a chain hoax of some kind.

xyz

I couldn't give an OS X, whatever it's called...

...I just want to see the look on Mac users' faces trying to stop it slurping their cash. Mind you, aren't all Mac users gay... what would they be doing on a Russian get-a-bird site?


Re: I couldn't give an OS X, whatever it's called...

Yeah - we are all gay - and we would love to see you having the balls to say it to our faces instead of hiding behind your keyboard.

Anonymous Coward

Re: I couldn't give an OS X, whatever it's called...

@Xyz- Why do you feel the need to try to use someone's sexuality as an insult? It's playground level, childish casual homophobia. You should grow up a bit.


This is the last time I try and ask a sensible question about Mac OS X.

Back to taunting Cultists for me...
