As you can imagine, we can’t repeat it enough: installing a pirated version of Mac software can be dangerous. Kaspersky has actually reported on an ongoing campaign aimed at hiding malware in cracked versions of popular macOS programs. These Trojans infect computers and turn them into “zombie machines,” i.e. gateways to anonymize malicious or illegal activities (hacking, phishing, DDoS attacks, etc.).
A part of the script that runs after installing a pirated program.
In total, Kaspersky found 35 infected image or video editing tools, but also referred to data recovery or network analysis software. The aim is obviously to exploit the recklessness of certain users who are attracted to a free version of paid software. The most famous programs on the list are Sketch, 4K Video Donwloader Pro, Downie 4, Wondershare UniConverter 13 and Aissessoft Mac Data Recovery.
Unlike the usual versions that can be downloaded as a disk image, these versions are offered in the form of .PKG installers, with the advantage (for pirates) of being able to run scripts during installation. Since .PKG files require administrative privileges to start, they can perform potentially dangerous actions: modify files, run commands, etc.
Kaspersky explains that the scripts of this new malware are activated after installation and impersonate a WindowServer system process (the legitimate version of which is used to run the visual part of the macOS interface). The process is started at startup by a “GoogleHelperUpdater.plist” file, which in turn tries to impersonate a real item so as not to appear suspicious. Once this is done, the script communicates with a server while waiting for instructions.
In addition to the macOS versions, Kaspersky also found that similar Trojans were deployed for Android and Windows, proving that hackers are targeting many systems. If this story shows that macOS is far from infallible, Apple engineers have been raising their voices against malware for some time. macOS Sonoma in particular brought new tools against threats, such as more regular scans or the analysis of more diverse elements.