Apple once boasted that Mac computers were virus-free, and while Apple did have good anti-malware software, their machines were far from infection-free. With Macs more popular than ever, there's more potential malware out there, ready to steal your data and ruin your day. The latest version can even take screenshots of your Mac's display without your knowledge.
Researchers at Kandji have discovered a threat targeting Macs, and it's not good news. Kandji reports that the new malware, which they have named "Cuckoo," is a hybrid between spyware and an information stealer. They discovered it in an application hosted by a website called "DumpMedia," which claims to convert songs on streaming services to MP3s.
When the researchers downloaded one of the apps, they noticed that the DMG that allowed you to install the app on a Mac had different installation instructions than most DMGs: The DMG instructs users to right-click the app and select "Open." What many users don't know is that this action bypasses some security features that are the first line of defense for newly installed apps downloaded from the web.
Instead of following these dubious instructions, the researchers chose "Show Package Contents" so they could see what the app was hiding. While they did find a seemingly legitimate "DumpMedia Spotify Music Converter" bundle, they also found a suspicious executable file without a developer ID. This often triggers Apple's Gatekeeper program, preventing the app from opening - which is why malicious developers encourage potential victims to unintentionally bypass these protections.
The researchers then opened the software for testing and found that it immediately began gathering information about the machine and running a long list of processes. Interestingly, the program will not continue if it detects that the computer is located in Armenia, Belarus, Kazakhstan, Russia, or Ukraine. After more processes, it will surreptitiously ask you to enter your password and say "macOS needs to access system settings". After entering your password, the program saves your password. It then checks to make sure the password is correct.
From here, the program requests permission to access the Finder, Downloads, and Microphone, then proceeds to grab details about your Mac's hardware, then grabs files (including bookmarks, cookies, and history), Notes, and Keychain (which contains your password). As if that wasn't intrusive enough, the malware then activates the screenshot feature and even mutes the speakers while taking the screenshot so you can't hear the sound and realize what's going on.
All the while, there is an actual program running as advertised, leaving the victim in the dark about all the malicious processing going on in the background. Researchers say DumpMedia is just one of the websites hosting these malicious applications. Other apps, such as TuneSolo, FoneDog, TunesFun, and TuneFab, all host similar streamer apps, as well as Android recovery tools with the same malware.
How to protect your Mac from this and other malware
This story is a good reminder to be careful when downloading apps directly from the web onto your device, whether it's a Mac, PC, Android or iOS device (in the EU, anyway). While there are many legitimate apps on the Internet (as opposed to app stores like Google Play or the iOS App Store), there are also many that are not, so it's important to vet each program before downloading it.
Research the app and see if others have had positive experiences with it and the website it hosts. Having said that, it's safest to download apps from the developers themselves: if DumpMedia hosts a third-party app, for example, that's riskier than if the app developer provided it directly.
Also, never bypass your Mac's built-in malware defenses. You might not know that right-clicking an app and opening it instead of dragging it to the Applications folder bypasses Gatekeeper, but it does. If you follow the normal process and macOS says there's a problem with the app, trust it. If you can, download the app from the official Apple App Store; if not, be extra careful.
