Several Mac apps tainted with password-stealing software

Intego, makers of security and privacy apps for the Mac, warned on Tuesday that some Mac software includes a new piece of invasive spyware. Macworld has obtained a preliminary list of the applications with the spyware.

In a press release, Intego states that a number of apps and screen savers distributed through sites like MacUpdate, VersionTracker, and Softpedia are installing a little more software than users bargain for; Apple’s Mac OS X Downloads site also contained entries for some of the apps, though the download links appear to now be inactive. The spyware in question is called OSX/OpinionSpy and it’s a variant of Windows spyware that has existed since 2008.


As to the spyware’s invasive actions, it allegedly dupes users into handing over their admin passwords with a dialog claiming that “market research” software will be installed to collect browsing and purchasing history. OSX/OpinionSpy then installs a process called “PremierOpinion” that runs as root. Intego says the spyware then opens an HTTP backdoor on port 8254, scans all accessible local and networked volumes, and injects code into Safari, Firefox, and iChat in memory (meaning it doesn’t alter the applications themselves). It also regularly transmits encrypted data to a variety of servers; that data contains e-mail addresses, iChat message headers, and URLs–as well as potentially personal data like usernames, passwords, credit card numbers, bookmarks, and browsing history.

OSX/OpinionSpy can also upgrade itself automatically with no user intervention and relaunch itself via Mac OS X’s launchd, the system-wide process that manages a number of automated systems, background daemons, and launch processes. Furthermore, upon uninstalling the original program, OSX/OpinionSpy remains installed on your Mac.
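The two host indicators Intego describes, a root process named PremierOpinion and a listener on port 8254, can be checked against the output of `ps -axo user,pid,comm` and `lsof -nP -iTCP -sTCP:LISTEN`. The script below is an added example, not code from Intego or Macworld; the sample command output and the `/path/to/` placeholder are constructed for illustration.

```python
import os

PROC_NAME = "premieropinion"  # process name from Intego's report, lower-cased
BACKDOOR_PORT = 8254          # backdoor port from Intego's report
# Constructed sample output (not from a real infection); paths are placeholders.
SAMPLE_PS = """USER   PID COMM
root     1 /sbin/launchd
root   412 /path/to/PremierOpinion
alice  530 /Applications/Safari.app/Contents/MacOS/Safari
"""
SAMPLE_LSOF = """COMMAND   PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
PremierOp 412 root 5u IPv4 0x0 0t0 TCP *:8254 (LISTEN)
cupsd      88 root 6u IPv4 0x0 0t0 TCP 127.0.0.1:631 (LISTEN)
"""

def parse_ps(text):
    """`ps -axo user,pid,comm` -> [(user, pid, path)]; paths may contain spaces."""
    rows = [line.split(None, 2) for line in text.strip().splitlines()[1:]]
    return [(r[0], int(r[1]), r[2].strip()) for r in rows
            if len(r) == 3 and r[1].isdigit()]

def parse_listeners(text):
    """`lsof -nP -iTCP -sTCP:LISTEN` -> [(pid, user, port)]."""
    out = []
    for f in (line.split() for line in text.strip().splitlines()[1:]):
        if len(f) >= 9 and f[1].isdigit():
            port = f[8].rsplit(":", 1)[-1]  # handles "*:8254" and "[::1]:8254"
            if port.isdigit():
                out.append((int(f[1]), f[2], int(port)))
    return out

def triage(ps_text, lsof_text):
    """Join name and port indicators by PID (lsof truncates names to 'PremierOp')."""
    listeners = parse_listeners(lsof_text)
    findings, seen = [], set()
    for user, pid, path in parse_ps(ps_text):
        if os.path.basename(path).lower() == PROC_NAME:
            seen.add(pid)
            ports = sorted(p for lp, _, p in listeners if lp == pid)
            findings.append({"pid": pid, "user": user, "match": "name",
                             "root": user == "root", "ports": ports})
    for pid, user, port in listeners:
        if port == BACKDOOR_PORT and pid not in seen:  # weaker, port-only signal
            findings.append({"pid": pid, "user": user, "match": "port-only",
                             "root": user == "root", "ports": [port]})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_PS, SAMPLE_LSOF))
```

A port-only match is a weaker signal than a name match, since any program can listen on 8254; treat it as a prompt to inspect the owning process.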

So far, Intego has found OSX/OpinionSpy in one application–MishInc FLV To Mp3–and a number of screensavers (here’s a MacUpdate example link) that are all made by 7art-screensavers. Here’s a partial list of the screen savers:

  • Secret Land ScreenSaver v.2.8
  • Color Therapy Clock ScreenSaver v.2.8
  • 7art Foliage Clock ScreenSaver v.2.8
  • Nature Harmony Clock ScreenSaver v.2.8
  • Fiesta Clock ScreenSaver v.2.8
  • Fractal Sun Clock ScreenSaver v.2.8
  • Full Moon Clock ScreenSaver v.2.8
  • Sky Flight Clock ScreenSaver v.2.8
  • Sunny Bubbles Clock ScreenSaver v.2.9
  • Everlasting Flowering Clock ScreenSaver v.2.8
  • Magic Forest Clock ScreenSaver v.2.8
  • Freezelight Clock ScreenSaver v.2.9

PremierOpinion, an “elite research community” that provides the namesake software, offers a privacy policy, a snippet of which is a bit alarming:

For certain commercial customers, we may provide individual-level information. We make this data available so that these customers may enhance their own understanding of Internet usage and online commercial trends. In all cases, we make commercially viable efforts to automatically filter confidential personally identifiable information such as UserID, password, credit card numbers, and account numbers from the data being provided.

While the policy also states that “customers” can opt out of the program at any time, it only offers uninstall instructions for Windows, not Mac OS X. It also explains that PremierOpinion gave OSX/OpinionSpy the ability to analyze, repair, or reinstall itself out of concerns over system stability, in case third-party software does more harm than good while attempting to remove it.

That said, Intego claims that as long as VirusBarrier X5 and X6 users update to the latest version of its threat filters, released May 31, 2010, its software should be able to remove OSX/OpinionSpy successfully.

Source: Macworld.com
