![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/04\/CloudChat-infostealer-Mac-malware-600x300-1.jpg\")
<\/p>\n<\/p>\n
Researchers recently discovered that a supposed chat app, CloudChat, surreptitiously stole crypto keys and wallets from victims’ Macs. The malware also opened up a backdoor, allowing the developer to remotely control infected Macs and secretly run Terminal commands.<\/p>\n
Sometime after the researchers published a write-up about the malware, the chat app site changed. It no longer offers the same version of the app. Here’s what we know about the story so far.<\/p>\n
On April 3, malware researchers Adam Kohler and Christopher Lopez discovered<\/a> an interesting file that had been upload to VirusTotal that day. VirusTotal is a site that allows anyone to scan a file with multiple antivirus engines to see which ones detect it as potentially dangerous; files uploaded to the site are available for malware researchers to download.<\/p>\n The same DMG (macOS disk image) that contained the file was also available on the official CloudChat site.<\/p>\n When a victim runs the app, it checks whether the system’s IP address implies that the Mac is in China. If so, it avoids downloading a malicious payload.<\/p>\n If, however, the victim’s Mac doesn’t appear to be in China, it surreptitiously downloads and runs the second-stage payload. The payload is an app that hides in the user’s home folder; its name starts with a period character so it won’t be visible in the macOS Finder.<\/p>\n The app then collects information about the infected Mac and sends them to a Telegram user. It then starts watching for any Bitcoin, Ethereum, or TRON crypto private keys the user may copy to the clipboard. If the victim happens to copy one, the malware exfiltrates it to the malware developer via Telegram.<\/p>\n The malware also checks the Mac for common Google Chrome cryptocurrency wallet extensions. If it finds any, it creates a compressed archive and exfiltrates them to the attacker’s FTP server.<\/p>\n Sometime after these initial stages, an attacker may leverage the software’s backdoor functionality. They may manually send commands and remotely control the infected Mac.<\/p>\n Sometime after the original write-up went live, the operators of the CloudChat site evidently removed the malicious version of the Mac app.<\/p>\n Instead of the malicious version that they apparently created on April 2, 2024, they reverted back to an old version. As of when this article is being published, the app that the site is currently distributing via its CloudChat.dmg appears to have been created on June 22, 2022. It was first uploaded to VirusTotal on July 2, 2023.<\/p>\n The official CloudChat site throws around a lot of buzzwords to give the perception of being safe; they claim it “provides you with a safe social life service,” that it’s “private and secure social,” “is encrypted,” “[protects] your messages, files, etc. from hackers,” and lets you exchange “encrypted personal and trade secrets.”<\/p>\n But should you trust the current (old) version of the app? No, absolutely not. Even in the best-case scenario\u2014giving the developer the benefit of the doubt and assuming their site had been hacked\u2014there are far too many red flags.<\/p>\n While the newer (confirmed to be malware) version of the app was self-signed, the older version is not even code-signed at all. Normally, legitimate developers get an Apple Developer ID and have Apple notarize their apps before distributing them.<\/p>\n The site offers no way to contact the company via telephone, e-mail, or form; there’s just a line in the User Agreement stating that “you can contact us through the official channel of CloudChat.” Obviously, that isn’t feasible if you don’t trust the app enough to install it in the first place.<\/p>\n And there’s absolutely zero detail about the encryption they supposedly use.<\/p>\n These are just some of the red flags; this is by no means even a comprehensive list.<\/p>\n It’s best to stick with trusted chat applications\u2014ideally one that uses end-to-end encryption by default.<\/p>\n If you just need to message other iPhone or Mac users, Apple’s own iMessage<\/strong> is a great solution.<\/p>\n As for cross-platform options, Signal<\/strong> and Threema<\/strong> are among the most trusted options.\u00a0WhatsApp<\/strong> is another popular app that offers encrypted chats (using Signal’s technology); however, Meta owns WhatsApp, along with Facebook and Instagram, and the company doesn’t have the best track record on privacy.<\/p>\n Learn more about these and other legitimate messaging apps in our article about encrypted messaging apps for Mac, iPhone, and iPad<\/a>.<\/p>\n 5 Encrypted Messaging Apps for Mac, iPhone, and iPad<\/a><\/p><\/blockquote>\nWhat happened after the researchers published their write-up?<\/h3>\n
Malware aside, is CloudChat trustworthy?<\/h3>\n
Which chat apps are actually safe to use?<\/h3>\n