SecureMac, Inc.

OSX/CoinThief Manual Identification and Removal Instructions

February 9, 2014

Updated: February 12, 2014

OSX/CoinThief has been distributed under four different names so far: BitVanity, StealthBit, Bitcoin Ticker TTM, and Litecoin Ticker.

BitVanity and StealthBit were distributed on GitHub, while Bitcoin Ticker TTM and Litecoin Ticker were distributed on Download.com and MacUpdate.com. Both app names appear to have been taken from legitimate apps in the Mac App Store. The malicious payload was not found in Mac App Store copies of these apps.

When run, the malware installs a browser extension in Chrome, Safari, and Firefox, which will appear in those apps as "Pop-Up Blocker 1.0.0" with the description "Blocks pop-up windows and other annoyances." There are some indications that this name and description were also taken from a legitimate browser extension. The browser extensions watch your web traffic, looking for specific headers for bitcoin-related websites. They communicate with the background process, which will periodically connect to a remote server (currently offline) to exfiltrate login credentials.

The background process is set to be constantly running via a launchd task. Additionally, the background process will check for the presence of Bitcoin-Qt, and appears to be modifying components of Bitcoin-Qt, possibly with the intent of leaking private keys.

To check for the presence of the malware on your system:

  1. Take a screenshot of these instructions or print them out, and disconnect your system from the internet until you’ve verified that your system is clean.
  2. Open Activity Monitor (located in your Utilities folder), and look for a process called "com.google.softwareUpdateAgent."

    Note that this is a specific name that is currently known to be used by the malware.

  3. Open Chrome, Safari, and Firefox (if installed on your system), and check for the presence of the "Pop-Up Blocker" extension.
  4. If you see either the "com.google.softwareUpdateAgent" process or the browser extensions, continue on to the removal instructions.
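The process check above, together with the two file locations named in the removal steps below, can also be scripted. This is an added example, not part of SecureMac's instructions; the function names and the `--scan` switch are hypothetical, while the process name and paths are the ones listed in this advisory. The browser extension check in step 3 is still done by hand.

```shell
#!/bin/sh
# Read-only check for the OSX/CoinThief artifacts named in this advisory.
# It deletes nothing; removal still follows the manual steps.
AGENT="com.google.softwareUpdateAgent"

# Print every advisory-listed file that exists under the given home directory.
# Paths are quoted because "Application Support" contains a space; the payload
# name starts with a period, so Finder and a plain `ls` do not show it.
cointhief_files() {
    home="${1:-$HOME}"
    for f in \
        "$home/Library/LaunchAgents/$AGENT.plist" \
        "$home/Library/Application Support/.$AGENT"
    do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Succeed (exit 0) if a process with the malware's name is running.
# `ps -axo comm=` prints executable names only, so this script's own
# arguments can never cause a match.
cointhief_process_running() {
    command -v ps >/dev/null 2>&1 || return 1
    ps -axo comm= 2>/dev/null | grep -F -q "$AGENT"
}

# Print a short report; return 1 if any indicator is present, 0 if none.
cointhief_report() {
    home="${1:-$HOME}"
    rc=0
    found=$(cointhief_files "$home")
    if [ -n "$found" ]; then
        printf 'FOUND file(s):\n%s\n' "$found"
        rc=1
    fi
    if cointhief_process_running; then
        printf 'FOUND running process: %s\n' "$AGENT"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        printf 'No CoinThief launchd task, payload or process found (%s)\n' "$home"
    fi
    return "$rc"
}

# Run a scan only when asked: sh cointhief_check.sh --scan
if [ "${1:-}" = "--scan" ]; then cointhief_report "$HOME"; fi
```

A non-zero exit status means at least one indicator was found and the removal instructions apply.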

To manually remove the malware from your system:

Manual removal is going to require entering a few terminal commands. The commands must be entered exactly as they are listed below, so copy and paste them in if need be.

Before entering the terminal commands, delete the apps from your system (BitVanity, StealthBit, Bitcoin Ticker TTM, or Litecoin Ticker) by dragging them to the Trash and emptying the Trash. Make sure to quit the apps before attempting to delete them.

  1. Open the Terminal (located in your Utilities folder), and type the following command:
    • launchctl unload ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist
    • Press the return key after entering the command.
      This command will unload the launchd task, and stop the malware from constantly running in the background.
      If you see a message stating "No such file or directory, nothing found to unload," the launchd task was not loaded on your system.
  2. Next, you’re going to enter a command to unhide the malware file itself, and move it to your Desktop. From there, you will manually drag it to the Trash. This will serve to avoid accidentally removing the wrong file. Type the following command, again pressing the return key after entering the command:
    • mv ~/Library/Application\ Support/.com.google.softwareUpdateAgent ~/Desktop/com.google.softwareUpdateAgent

      In the above command, pay close attention – there is a period before the first instance of com.google.softwareUpdateAgent.

  3. Next, you’re going to do the same for the file that starts the launchd task, and move it to the Desktop. Type the following command, again pressing the return key after entering the command:
    • mv ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist ~/Desktop/com.google.softwareUpdateAgent.plist
  4. Drag the com.google.softwareUpdateAgent and com.google.softwareUpdateAgent.plist files that should now be present on your Desktop to the Trash, and empty the Trash.
  5. Open your web browsers, and delete the "Pop-Up Blocker" extensions.
  6. Back up your wallet and reinstall Bitcoin-Qt.
  7. Change your password information for accounts you have on any bitcoin-related websites either from a system that you know is clean, or after you have ensured removal of the malware.

About SecureMac – SecureMac has been at the forefront of Apple system security, offering news, advisories and reviews for all security relating to Apple and Macintosh systems since 1999. Users from novice to the most advanced will find useful information at SecureMac that is designed to make their computer experience secure and trouble free. SecureMac is also the creator of the award-winning security and privacy software MacScan and PrivacyScan, protecting Mac OS X users against threats.