We recently discovered a new campaign of this kind targeting Apple computers running newer versions of macOS (13.6 and later) and leveraging certain Domain Name System (DNS) features for downloading malicious payloads. Victims are offered to download cracked versions of popular apps for free. So what’s in store for those who give in to temptation?

Fake activation

After downloading a disk image purportedly containing the cracked app, the victim is prompted to copy two files to the Applications folder: the app itself, and a so-called “activator”. If you just copy and launch the app, it won’t run. According to the manual, the cracked app must be “activated” first. Our analysis found that the activator doesn’t do anything sophisticated: it simply removes several bytes from the beginning of the application executable to make it functional. In other words, the cybercriminals have modified a pre-cracked app to prevent it from running unless it’s “activated” first. To no one’s surprise, the activator has a nasty side-effect: it asks for admin permissions when it runs, and uses those to install a downloader script in the system. The script then downloads from the web a further payload — a backdoor that requests commands from its operators every now and then.

Installation manual, activator window, and prompt for administrator password

Linking via DNS

To download the malicious script, the activator employs a tool that’s both exotic and innocent-looking: the Domain Name System (DNS). We wrote about DNS and Secure DNS earlier, but we left out an interesting technical feature of the service. Each DNS record not only links the internet name of a server with its IP address, but can also contain a free-form text description of the server — called a TXT record. This is what the malicious actors exploited by embedding snippets of malicious code within TXT records. The activator downloads three TXT records belonging to a malicious domain and assembles a script from these.

Although seemingly complicated, the setup has a number of advantages. To start with, the activator does nothing particularly suspicious: any web application requests DNS records — this is how any communication session has to begin. Secondly, the malicious actors can easily update the script to modify the infection pattern and the final payload by editing the TXT records of the domain. And finally, removing malicious content from the Web is no easy task due to the distributed nature of the Domain Name System. Internet service providers and companies would find it hard to even detect the violation of their policies because each of these TXT records is just a snippet of malicious code that poses no threat in and of itself.

The final boss

The periodically-running download script allows the attackers to update the malicious payload and perform whatever actions they want on the victim’s computer. At the time of our analysis, they showed interest in stealing crypto. The backdoor automatically scans the victim’s computer for Exodus or Bitcoin wallets, and replaces these with trojanized versions. An infected Exodus wallet steals the user’s seed phrase, and an infected Bitcoin wallet — the encryption key that’s used to encrypt private keys. The latter gives the attackers the ability to sign transfers on behalf of the victim. This is how one can try to save a few dozen dollars on pirated apps — only to lose a vastly larger amount in crypto.

Protecting yourself against an attack on crypto wallets

This isn’t novel but still true: to keep away from this threat and avoid becoming a victim, download apps from official marketplaces only. Before downloading an app from a developer’s website, make sure it’s the genuine item and not from one of many phishing sites.

If you’re thinking of downloading a cracked version of an app, think again. “Scrupulous and trustworthy” pirating sites are about as rare as elves and unicorns.

No matter how highly you think of your computer literacy, caution, and attention to detail, be sure to use comprehensive security on all your devices: phones, tablets, and computers. Kaspersky Premium is a good cross-platform solution. Check that all basic and advanced security features are enabled. As for crypto owners, in addition to the above, we suggest reading our detailed instructions on protecting both hot and cold crypto wallets.

All the same, malware creators do occasionally sneak under the App Store’s radar. This post examines three fraudulent apps we’ve found in the official Apple store, and what precautions you can take to avoid a financial hit.

Scam apps in the App Store

The three we’ve found all share a common theme: investment. If the descriptions are to be believed, two are for tracking the current value of cryptocurrency assets. The third seems to be some kind of investment game, which, I quote, “plunges you into the world of financial decisions, making you feel like a real office worker. You will have to make complex financial decisions that will affect your character’s mood and the state of their wallet”.

Scam apps we’ve found in the App Store

When the user opens any of these apps almost anywhere in the world, the program, having checked the location by IP address, shows what was promised in the description: either a simple app for tracking cryptocurrencies, or a mini-game with multiple-choice questions.

But if the user is in Russia, however, the app downloads far less innocuous phishing content. First, the victim is promised a decent income of at least $1000 a month. What’s more, you can start investing supposedly with small amounts — “from $110” — and expect your first profit “in just a few days”; access to the platform is, of course, free.

The promises of fabulous riches are followed by a rather long and detailed questionnaire. The scammers’ aim here is to get you to “invest” a certain amount of time and effort in the process; this is so that, come the key stage of the scam, the victim will be reluctant to give up that investment.

The culmination is a form asking for your first name, surname, and phone number so that “an investment platform specialist can be in touch”. Once the contact information is sent, the phishers promise to call you shortly.

And they’re true to their word. According to user reviews in the App Store, during the phone call with the “specialist”, the hapless user is persuaded to “invest” a certain amount in a highly dubious financial project. The outcome isn’t hard to predict: the fantastic payback never materializes, and the victim’s investment disappears.

Although user reviews of all three malicious apps warn about fraud, only when we reported them did the App Store moderators sit up and take notice. At the time of posting, all three apps have been removed from the App Store.

But how did they even get there in the first place? We can’t give a definite answer, of course — only Apple itself can do so after a thorough investigation. We can only assume that when the apps were being moderated, they only displayed harmless content since they were designed to download the phishing questionnaire from the internet as a regular HTML page. And then, after the apps had been approved and placed in Apple’s official store, the scammers modified the uploaded content.

How to stay safe

The iOS architecture is built to keep user apps as isolated as possible from the rest of a device’s system and also user data. Because of this, there’s no way to create a “classic” antivirus for iOS: it simply won’t have the necessary access to other programs and data running in the system. Apple works on the assumption that App Store moderation protects against malicious apps such as these. But, as we now see, its safeguards can be bypassed by substituting uploaded content with phishing once the app is approved. And because the App Store currently hosts around two million apps, the moderators simply don’t have time to respond quickly to user complaints.

Therefore, the next line of defense becomes all-important. Kaspersky: VPN & Antivirus for iOS with Plus and Premium subscriptions analyzes traffic and promptly detects attempts to open phishing sites on your device. Dangerous pages get blocked straight away and a warning is displayed.

Here’s how Kaspersky: VPN & Antivirus for iOS responds to an attempt by a scam app in the App Store to download phishing content

And although all the scam apps we found this time around singled out users in Russia, the same technologies could just as well be used to target any audience in any country in the world — the only question is when. So, as you can see, iOS needs protection just as much as Android.