Mac users downloading free screensavers and a video converter app from several popular download sites also got spyware that installs a back door, collects data, and sends encrypted information to remote servers, security company Intego said on Tuesday.
The high-risk spyware, dubbed OSX/OpinionSpy, was being installed along with nearly 30 screensavers developed by a company called 7art and an app called MishInc FLV to MP3, according to a list compiled by Intego.
VersionTracker had removed all of the items on the Intego list by late afternoon. Representatives from MacUpdate and Softpedia said the companies had disabled the screensavers on Tuesday and had never offered the MishInc converter. "Our users were discussing the software installed alongside the 7art screensavers as far back as March," MacUpdate said in an e-mail.
The spyware, a Windows version of which has existed since 2008, is not contained in the apps but is downloaded during the installation process. It is often marked as a "market research" program called PremierOpinion that claims to collect browsing and purchasing information for use in market reports, but it can also come with no warning or message, Intego said.
It's unclear exactly what data is collected and sent to the remote server, but it could include personal information like usernames, passwords, and credit card numbers, the post said.
Here is what the spyware does:
- runs as root with full rights to access and change any file on the computer,
- opens a back door using port 8254,
- scans all accessible files on local and network drives,
- analyzes packets entering and leaving the computer over a local area network, enabling one infected Mac to collect data from different computers on a school or business local network,
- injects code into Firefox, Safari, and iChat with no user action required and copies personal data from those applications, infecting the code of the applications in the Mac's memory but not the actual application files,
- regularly sends encrypted data about the files it has scanned, as well as other information including e-mail addresses, iChat message headers, and URLs, to a number of servers using ports 80 and 442.
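The two network behaviors in the list above that stand out on a Mac are a listener on port 8254 and outbound connections to port 442. The following is an added example, not code from Intego or from the original article: a shell filter over `lsof -nP -iTCP` output that flags both. The function names, process names, PIDs and addresses in the sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsof -nP -iTCP` output. Process names, PIDs and
# addresses are made up (documentation ranges), not taken from a real infection.
sample_lsof() {
cat <<'EOF'
COMMAND      PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
exampled     412 root    5u  IPv4 0x0000000000000001      0t0  TCP *:8254 (LISTEN)
exampled     412 root    7u  IPv4 0x0000000000000002      0t0  TCP 192.0.2.10:49712->203.0.113.25:442 (ESTABLISHED)
Safari       630 alice  12u  IPv4 0x0000000000000003      0t0  TCP 192.0.2.10:49720->198.51.100.7:80 (ESTABLISHED)
cupsd        101 root    6u  IPv6 0x0000000000000004      0t0  TCP [::1]:631 (LISTEN)
EOF
}

# Reads lsof -nP -iTCP output on stdin and prints one line per socket that
# matches the ports named in the article:
#   - any listener on TCP 8254 (the reported back-door port)
#   - any established connection whose remote port is 442
# Port 80 is not flagged: ordinary web traffic uses it constantly.
flag_sockets() {
  awk '
    $1 == "COMMAND" { next }                 # skip the lsof header row
    {
      name = $9; state = $10
      n = split(name, seg, ":")              # port is whatever follows the last colon
      port = seg[n]
      if (state == "(LISTEN)" && port == "8254")
        printf "LISTEN-8254 cmd=%s pid=%s user=%s\n", $1, $2, $3
      else if (state == "(ESTABLISHED)" && split(name, ends, "->") == 2 && port == "442")
        printf "OUTBOUND-442 cmd=%s pid=%s user=%s remote=%s\n", $1, $2, $3, ends[2]
    }'
}

# Demo on the constructed sample. On a live Mac the input would instead be:
#   sudo lsof -nP -iTCP | flag_sockets
sample_lsof | flag_sockets
```

A hit is a lead, not a verdict: the owning PID and user in each flagged line are the starting point for checking what binary is behind the socket.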
The spyware can be automatically upgraded to add new features without the knowledge of the computer user. It occasionally asks for the user's name or prompts the user to fill out surveys via a dialog box.
In some cases the infected computer will not work correctly and the user will need to force a reboot. In addition, deleting the original app or screensaver will not delete or interfere with the spyware, Intego said.
"While its distribution is limited, we warn Mac users to pay careful attention to which software they download and install," the company said. "Given the type of data that it collects, the company behind this spyware can store detailed records of users, their habits, their contacts, their location, and much more."
Updated at 5:08 p.m. PDT with MacUpdate comment and malware scanners.
Updated at 11:10 p.m. PDT with Softpedia comment.
Update June 2 at 11 a.m. PDT: MishInc publisher Brothersoft said it removed the apps from its site, while a 7art representative said PremierOpinion, also known as RelevantKnowledge, was not spyware. "All that noise is just trolling from some users who don't want to read terms and conditions before installing any software."