Fake installer trojan targets Mac users

Published December 13th, 2012 at 12:38 PM EST , modified December 13th, 2012 at 12:38 PM EST

Dr. Web announced the discovery of a new Mac trojan, which they call SMSSend, on Tuesday. This latest trojan masquerades as an installer for the legitimate VKMusic application. Rather than install malicious software on your computer, however, the malicious installer requests a cell phone number in order to complete the install process. Users who provide a cell phone number, and then enter the activation code that is texted to that phone, will be subscribed to a “service” that applies charges to their cell phone account.

Image from Dr. Web

In all, this particular installer’s distribution isn’t likely to be particularly wide. However, the same installer could easily be used to wrap other software in the future, leading to greater prevalence. Users should be sure to download software only from the developer’s site. Avoid downloading software via torrents or other third-party sites not associated with the software.

It should also be noted that texting/cell phone scams that involve charging your account have been around for some time, and are not likely to go away any time soon. You should be cautious with your cell phone, and should never respond to mysterious text messages from unknown parties, nor should you provide your cell phone number to anyone online without a very good reason. (Even then, you should only provide a number to a company that you have reason to trust.) It is especially important to monitor your phone bill if you have children with cell phones, as they cannot be expected to have the same level of judgement that you would.

At this point, few anti-virus programs recognize this malware. Dr. Web does, and ClamXav should recognize it today. Apple has also released an update for their XProtect definitions, so after today, opening this installer on a properly-updated Mac should result in being warned that it is malware… provided that it is not downloaded in a way that bypasses XProtect, such as through a torrent app.

  • Logan Smith says:

    Hi Thomas,

    Actually Transmission (the most popular Mac torrent application) has had File Quarantine/XProtect screening and protection since February 2012, version 2.5+.

    I have been pushing the Transmission developers to implement the File Quarantine flag for over 2 years.

    I’m hoping all Mac internet app developers implement this feature too.

  • Someone says:

    I probably don’t know what I’m talking about – perhaps Thomas can clarify – but my guess is that XProtect or not, torrents in general aren’t the safest way to download anything, especially since it’s likely not everyone uses/has updated to a torrent that incorporates XProtect.
    Also, a question: Thomas, you said that torrents “bypass” XProtect, and Logan, you said that Transmission has XProtect “screening and protection.” So, does Transmission no longer “bypass” XProtect, or does Transmission actually scan downloaded apps with Apple’s XProtect definitions? And if Transmission doesn’t “bypass” XProtect, and that’s it, does that mean that a user’s XProtect definitions (i.e., if they’re properly updated) matter?

    • Thomas says:

      Torrent apps in general don’t set the quarantine flag, which is required for XProtect to do its work. (When opening an application, it is only treated as a new, untrusted application if the quarantine flag is set.) Torrent apps are undoubtedly not the only apps that don’t respect this flag, though I don’t have a catalog of all apps that do or don’t, while some torrent apps (such as Transmission) may properly set the flag.
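The quarantine flag Thomas refers to is the com.apple.quarantine extended attribute that a downloading app stamps on a file. The script below is an added example (not from the article or its commenters) that reads and decodes that attribute so you can check whether a downloaded installer would even be handed to XProtect/Gatekeeper; it assumes the attribute's value is a semicolon-separated list of hex flags, hex download timestamp, downloading agent and an identifier, and the sample value in the test is constructed.

```python
# Added example: inspect the macOS com.apple.quarantine extended attribute.
# A file without this attribute is opened as a trusted, already-vetted file,
# so neither XProtect nor Gatekeeper inspects it.
import os
import sys
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"


def parse_quarantine(value):
    """Decode a quarantine attribute value into its fields.

    Assumed layout (not taken from the article): "flags;timestamp;agent;id",
    where flags and timestamp are hexadecimal and timestamp is seconds since
    the Unix epoch. Missing trailing fields are tolerated.
    """
    fields = value.split(";")
    if len(fields) < 2:
        raise ValueError("unexpected quarantine value: %r" % value)
    return {
        "flags": int(fields[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc),
        "agent": fields[2] if len(fields) > 2 else "",
        "id": fields[3] if len(fields) > 3 else "",
    }


def read_quarantine(path):
    """Return the parsed attribute for path, or None if the flag is absent.

    os.getxattr exists on macOS and Linux; on other platforms, or when the
    file or attribute is missing, the file is reported as not quarantined.
    """
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None
    try:
        raw = getxattr(path, QUARANTINE_XATTR)
    except OSError:
        return None
    return parse_quarantine(raw.decode("utf-8", "replace"))


if __name__ == "__main__":
    for target in sys.argv[1:]:
        info = read_quarantine(target)
        if info is None:
            print(target, "-> no quarantine flag; XProtect/Gatekeeper will not inspect it")
        else:
            print(target, "-> quarantined by", info["agent"], "at", info["downloaded_at"])
```

Run it as `python3 check_quarantine.py ~/Downloads/SomeInstaller.dmg`; a file fetched by an app that does not set the flag prints the first message, which is exactly the gap described above.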

  • Someone says:

    I feel stupid not knowing this, but what’s the “quarantine flag?”

  • Someone says:

    So does VKMusic actually get downloaded?

  • Logan Smith says:

    Transmission DOES properly set the quarantine flag. Other torrent apps do not yet.

    Regarding SMSSend malware, Thomas, do you know if this app is digitally signed or not signed with a developer certificate? (i.e., will Gatekeeper by default prevent the app from even launching?)

    • Thomas says:

      It is definitely not signed. (If it were, Apple would have revoked the certificate it was signed with anyway at this point.) So Gatekeeper will protect you, and XProtect will protect you if you have disabled Gatekeeper (by setting it to allow apps from anywhere).

  • Someone says:

    So, in other words, properly updated Snow Leopard/Lion users are safe from this one if they download it and then attempt to open it?

  • aalien says:

    It’s my understanding that Dr Web is “finding” a lot of “bad things for mac” (flashback, this trojan…).
    That’s a good thing, right? One should keep in mind to use it?

    I was using Sophos but formatted and reinstalled the full operating system from scratch (OSX 10.8.2)… Thomas, do you recommend installing Sophos or giving Dr. Web a try? I receive a lot of PC files/archives too…

    (I was having an issue after one update. When I restarted my mac the antivirus didn’t work; I ALWAYS (I really mean always) had to turn internet on and let it “update” [even if there isn’t any update available] so it could keep working again, until I restarted the mac again.)

    Now, I’m thinking of giving Dr. Web a try after seeing your:

    I never heard anything about Dr. Web until this last month. Is it my impression, or was it the most successful antivirus (excluding Sophos, with 3 more extinct malware)?
    Thanks again

    • Thomas says:

      Dr. Web Light, from the Mac App Store, tests well. But it’s limited in its utility due to being from the Mac App Store… that means it will only be useful for manual scans of specific folders, and will never be capable of scanning the whole system. Of course, you really don’t need anti-virus software at this time… see my Mac Malware Guide.

  • aalien says:

    Yes I understand that limitation… I saw your Mac Malware Guide on November already… Nice guide by the way.
    I never had any problems whatsoever, but it’s really good to keep informed to prevent them and evolve with present situations…
