UPDATE (12th February, 11:35 GMT): SecureMac reports the bitcoin-stealing malware has spread to popular download sites like Download.com and MacUpdate, under several different names. If you think your machine could be infected, take a screenshot of the instructions here and disconnect from the internet immediately.

A Mac OS X trojan horse masquerading as a private bitcoin wallet app is responsible for “multiple” bitcoin thefts, according to Mac security researchers.

SecureMac, a Mac security consultancy that develops the MacScan anti-malware application and blogs about its research, released a report today warning of ‘CoinThief.A’.

Hidden within the open-source OS X bitcoin wallet app StealthBit, CoinThief.A monitors users’ web traffic to steal login credentials for software wallets and popular bitcoin sites, including BTC-e, Mt. Gox, and Blockchain.info.

The StealthBit app had been available on GitHub both as source code and a precompiled download, but the page has now been removed.

Update: Versions of the malware have been found with numerous different names on other popular software download sites, such as Download.com and MacUpdate.com. BitVanity and StealthBit were distributed on Github, while Bitcoin Ticker TTM and Litecoin Ticker were distributed on Download.com and MacUpdate.com. It seems both app names were copied from legitimate apps in the Mac App Store, but the malicious payload was not found in the official Mac App Store copies of these apps.

Mismatched code

Suspicion arose when investigators discovered the precompiled version did not match the source (which more knowledgeable users could examine for themselves and needed to compile before using). The precompiled version contained the malware, whereas the open-source code did not.

The report said:

“Upon running the program for the first time, the malware installs browser extensions for Safari and the Google Chrome web browser, without alerting the user. The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that all of their web browsing traffic is now being monitored by the malicious extensions. Additionally, the malware installs a program that continually runs in the background, looking for bitcoin wallet login credentials, which are then sent back to a remote server.”

The browser extensions had innocuous sounding names like ‘Pop-up Blocker’ to avoid detection. Once installed, the trojan also searches the system for anti-malware software and logs unique identifiers (UUIDs) for each infected machine.

Large thefts

At least one Bitcoin Talk Forum user reported a whopping 20BTC theft after installing StealthBit, which was also posted on reddit.

Other investigators noted several similarities between StealthBit and Bitvanity, another piece of notorious Mac malware that stole users’ bitcoins last August. Bitvanity posed as a vanity wallet address generator that harvested addresses and private keys from software like the Bitcoin-Qt client.

StealthBit’s GitHub code repository was stored under the username ‘thomasrevor’ and a reddit user named ‘trevorscool’ posted an announcement about its development there on 2nd February. Last year, Bitvanity’s GitHub code was posted under the name ‘trevory’.

As reported previously on CoinDesk, there are rich rewards for malware and ransomware developers trading in bitcoin thanks to its mostly unregulated and difficult-to-trace nature. Accomplices can be paid, and ransoms collected from anywhere in the world.

Open-source security

The discovery has highlighted the benefits (and issues) that surround open-source software. While the malware was not contained in the open-source version of the code, less able or impatient users may still have trusted the precompiled version on GitHub and installed without a second thought.

The ‘clean’ open-source version, however, allowed programmers to find a discrepancy between the two versions within days of its appearance, leading to speedy warnings of the malware and, hopefully, fewer infections.

Hacker Image via Shutterstock