A convincing fake version of the Mac utility CleanMyMac is tricking users into installing malware, according to Malwarebytes Labs.
The site instructs visitors to paste a command into Terminal. If they do, it installs SHub Stealer, macOS malware designed to steal sensitive data including saved passwords, browser data, Apple Keychain contents, cryptocurrency wallets, and Telegram sessions. It can even modify wallet apps such as Exodus, Atomic Wallet, Ledger Wallet, and Ledger Live so attackers can later steal the wallet’s recovery phrase.
The site impersonates the CleanMyMac website but has no connection to the legitimate software or its developer, MacPaw, Malwarebytes Labs notes.
Instead of offering a standard app download, the site instructs users to open the macOS Terminal and paste a multi-stage obfuscated script. The script then prompts users for their macOS administrative password, which grants it access to the Keychain. Once granted access, it targets browser data, cryptocurrency browser extensions, desktop wallets, iCloud account keys, the macOS Keychain directory, Telegram session files, and Apple Notes.
How to Protect Yourself
- Never use Terminal for installations: Legitimate applications almost never require you to copy and paste code into the Terminal to install them.
- Verify URLs: Always double-check the URL of the website you are visiting. Download apps only from the Mac App Store or the developer’s official website.
- Review system access: Be highly cautious of any app or script requesting your macOS administrative password.




