Trend Micro has revealed that malware software has been disguised as a legitimate crypto trading app in order to steal user information.
The cybersecurity firm reports that a spoof of the popular Stockfolio trading app contains a malware file named Trojan.MacOs.GMERA.
According to the report, there are actually two variants of the malware, the first of which uses a pair of shell scripts to collect and encode user data.
The second variant, though it only uses one shell script, also contains a “persistence mechanism” and is far more difficult to get rid of.
Fake Stockfolio Trojan version one
The original malware version is a zip file containing Stockfoli.app files (notice the missing ‘o’ in the filename?) along with an invisible encrypted .app file.
The zip file also includes the legitimate Stockfolio app and the malware developer’s digital certificate.
Users who execute the file will see the actual Stockfolio app interface. However, this execution will also set in motion a data collection script.
The script operates within the Resources directory, collecting the host computer’s username, IP address, app files, document files, desktop files, and operating system files. It even collects screenshots.
According to Trend Micro researchers, once the data is collected, it is then encrypted in an invisible file and sent to the malware developer’s server.
In return, the server sends a response in another hidden file (for later use).
Fake Stockfolio Trojan version two
The second malware version acts in much the same way as the first, though it only employs a single shell script to copy files.
However, it also decrypts the server response file mentioned above. Once decrypted, the file produces a simple reverse shell that enables hackers to remotely execute shell commands on the infected computer.
Unfortunately, getting rid of this reverse shell code is fairly difficult, as the second malware version contains a property list file that recreates it every 10,000 seconds.
Is Apple’s response enough?
Fortunately, the fake Stockfolio app’s malware is unable to execute “due to the fact that Apple has since revoked the code signature used to sign these samples.”
Nonetheless, critics assert that eliminating the threat after the fact is less than ideal. They note that malware like that contained in the spoofed Stockfolio app may infect thousands of users before the threat becomes publicly known.
Moreover, they’re concerned that malware actors will soon learn how to be one step ahead of Apple.
Mac security researcher and coder Phil Stokes writes:
“It won’t be long before the threat actors package their wares in a newly signed bundle and the game of whack-a-mole begins again: attackers create and distribute a malicious app with a valid code signature; after some variable amount of time in the wild, the malware is discovered and Apple revoke the signature; the attackers then repackage the malware with a fresh signature and the process begins all over again!”
As he points out, it is relatively easy for bad actors to acquire valid code signing identities.
They’re quite content to “burn $99 subscriptions and play whack-a-mole with Apple.”
Fake AppleIDs can be used to create developer signatures if stolen credit cards are used and malware actors intent on repackaging data collection scripts in new apps can even automate the process.
Detecting suspicious behavior
Since beating malware relies on prior discovery, malicious attacks will always beget a sizable number of victims. An AI or behavioral detection engine may be able to find malware earlier, as it would be able to detect suspicious activity earlier as well.
In the case of the Trojan file, a behavioral detection engine would note that the file instituted and launched a hidden property list to achieve persistency.
While it’s uncertain as to when Apple will start using AI software, malware actors may force the issue if they incorporate AI into malicious software themselves.
As for the real Stockfolio app, the company has yet to respond to Micky’s request for comment.