Beware if you're looking to download popular apps like Loom, LedgerLive, or the game Black Desert Online. A well-organized group of cybercriminals is distributing booby-trapped copies of this software to infect Macs with data-stealing malware.
Stealthy malware promoted via Google ads
The disturbing campaign was discovered by cybersecurity firm Moonlock, a division of MacPaw (the maker of CleanMyMac). It all started when its researchers spotted a seemingly legitimate Google ad for the video capture app Loom.
Clicking the ad sends the user to a site that closely imitates Loom's. But the download link does not deliver the real app; it quietly installs an information-stealing trojan on the Mac. Worse, macOS (at least version 14) raised no objection and treated the trojanized applications as perfectly legitimate.
From Loom to LedgerLive, many apps have been copied
As Moonlock dug deeper, it discovered that the campaign wasn't limited to Loom. The crooks created fake versions of about a dozen popular apps, including Zoom, Chrome, Figma, and LedgerLive.
The LedgerLive case is particularly vicious. The malware replaces the real app with a nearly indistinguishable malicious copy, which can then be used to drain victims' cryptocurrency wallets remotely.
YouTube creators in the crosshairs
Hackers are also targeting YouTube content creators with a fake "creator-specific" download link for the game Black Desert Online. They pose as the game's publisher proposing a business collaboration, send a trojanized app presented as a demo, and that's it. The likely goal is to hijack channels and livestream crypto scams from them.
According to Moonlock, this wide-ranging campaign is the work of a group called Crazy Evil, which is actively recruiting accomplices on the dark web to spread its multi-purpose malware.
Moral: only download your apps from the Mac App Store or the publishers' official websites. And always check that the URL doesn't quietly change to another domain when you click the download link. Keep in mind that the trojanized apps passed macOS's own checks, so the absence of a warning is not proof that a download is clean. Most antivirus products now detect and block the malware, particularly since Moonlock published its findings, and Apple will likely follow with a security update, as it usually does. In any case, caution is the mother of safety!
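As an added illustration of the two checks above (it is not part of Moonlock's report or of any vendor's tooling), the following POSIX shell script does two things: it extracts the hostname from a download URL and confirms it belongs to the vendor's expected domain, catching lookalike tricks such as `loom.com.example` or `www.loom.com@evil.example`; and, on a Mac, it prints the signing identity and the Gatekeeper verdict for a downloaded app bundle. The expected domains (`loom.com`, `ledger.com`) are assumptions for the example; confirm them against the vendor's own site. `codesign`, `spctl` and `xattr` are standard macOS tools, so that part is skipped on other systems.

```shell
#!/bin/sh
# Added example, not code from Moonlock or from the vendors named in the article.

# Extract the hostname from a URL: drop scheme, user@ part, path/query/fragment and port.
url_host() {
    printf '%s\n' "$1" \
        | sed -E 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||; s|^[^@/]*@||; s|[/?#].*$||; s|:[0-9]+$||' \
        | tr '[:upper:]' '[:lower:]'
}

# Succeed only if the URL's host is the expected domain or a subdomain of it.
# "loom.com.example" ends in ".example", not ".loom.com", so it is rejected.
host_matches() {
    host=$(url_host "$1")
    case "$host" in
        "$2"|*."$2") return 0 ;;
    esac
    return 1
}

# On macOS, show what the system knows about an app bundle before opening it.
# An "accepted" verdict from spctl only means Apple's checks passed (the article
# notes the trojanized apps did pass them); still compare the Authority and
# TeamIdentifier lines with the developer identity the vendor publishes.
verify_mac_app() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available (not macOS); skipping signature check" >&2
        return 2
    fi
    # The quarantine attribute is what makes Gatekeeper evaluate a download at all.
    xattr -p com.apple.quarantine "$1" 2>/dev/null \
        || echo "no quarantine attribute on $1 (Gatekeeper may never have evaluated it)"
    codesign --verify --deep --strict --verbose=2 "$1" 2>&1
    codesign -dvv "$1" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
    spctl --assess --type execute --verbose=2 "$1" 2>&1
}

# Usage (assumed domains; the URLs are constructed for the example):
# host_matches "https://www.loom.com/download" loom.com && echo "host ok"
# host_matches "https://loom.com.example/download" loom.com || echo "lookalike domain!"
# verify_mac_app "/Applications/Ledger Live.app"
```

The host check is deliberately strict about the `user@host` form: browsers hide or strip the user-info part, so a link that visually starts with the vendor's name can land somewhere else entirely.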