Intego, makers of security and privacy apps for the Mac, warned on Tuesday that some Mac software includes a new piece of invasive
spyware. Macworld has obtained a preliminary list of the applications with the spyware.
In a press release, Intego states that a number of apps and screen savers distributed through sites like MacUpdate, VersionTracker,
and Softpedia are installing a little more software than users bargain for; Apple's Mac OS X Downloads site also contained
entries for some of the apps, though the download links appear to now be inactive. The spyware in question is called OSX/OpinionSpy
and it's a variant of Windows spyware that has existed since 2008.
As to the spyware's invasive actions, it allegedly dupes users into handing over their admin passwords with a dialog claiming
that "market research" software will be installed to collect browsing and purchasing history. OSX/OpinionSpy then installs
a process called "PremierOpinion" that runs as root. Intego says the spyware then opens an HTTP backdoor on port 8254, scans
all accessible local and networked volumes, and injects code into Safari, Firefox, and iChat in memory (meaning it doesn't
alter the applications themselves). It also regularly transmits encrypted data to a variety of servers; that data contains e-mail
addresses, iChat message headers, and URLs--as well as potentially personal data like usernames, passwords, credit card numbers,
bookmarks, and browsing history.
OSX/OpinionSpy can also upgrade itself automatically with no user intervention and relaunch itself via Mac OS X's launchd,
the system-wide process that manages a number of automated systems, background daemons, and launch processes. Furthermore,
upon uninstalling the original program, OSX/OpinionSpy remains installed on your Mac.
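The host-visible indicators described above (a root-owned "PremierOpinion" process and a listener on TCP port 8254) can be checked against captured `ps` and `lsof` output. This shell example is added here and is not from Intego or Macworld; the sample captures, paths and PIDs in it are constructed.

```shell
#!/bin/sh
# Added triage example. Indicators from the article: a process named
# "PremierOpinion" running as root, and a listener on TCP port 8254.
# On a live Mac, feed it:  ps -axo user=,pid=,comm=   and
#                          lsof -nP -iTCP -sTCP:LISTEN

# Constructed sample captures (paths and PIDs are placeholders).
SAMPLE_PS='root     1 /sbin/launchd
alice  201 /Applications/Safari.app/Contents/MacOS/Safari
root   312 /constructed/path/PremierOpinion
alice  415 /Users/alice/PremierOpinion Notes.app/Contents/MacOS/Notes'
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
PremierOp 312 root    5u  IPv4 0x0         0t0  TCP *:8254 (LISTEN)
httpd      88 root    4u  IPv6 0x0         0t0  TCP *:80 (LISTEN)
devsrv    530 alice   7u  IPv4 0x0         0t0  TCP 127.0.0.1:18254 (LISTEN)'

# stdin: ps capture. Prints PIDs of root-owned processes whose command
# path (which may contain spaces) mentions PremierOpinion.
find_root_premieropinion() {
    awk '$1 == "root" { pid = $2; $1 = ""; $2 = ""
                        if ($0 ~ /PremierOpinion/) print pid }'
}

# stdin: lsof capture. Prints "COMMAND PID" for listeners on exactly
# port 8254 (lsof truncates COMMAND, so the name is not matched here).
find_port_8254_listeners() {
    awk '$NF == "(LISTEN)" && $(NF-1) ~ /:8254$/ { print $1, $2 }'
}

# $1 = ps capture text, $2 = lsof capture text. Correlates both by PID.
triage() {
    pids=$(printf '%s\n' "$1" | find_root_premieropinion | tr '\n' ' ')
    lpids=$(printf '%s\n' "$2" | find_port_8254_listeners |
            awk '{ print $2 }' | tr '\n' ' ')
    for p in $pids; do
        case " $lpids " in
            *" $p "*) echo "HIGH pid=$p root PremierOpinion with 8254 listener" ;;
            *)        echo "MEDIUM pid=$p root PremierOpinion, no 8254 listener" ;;
        esac
    done
    printf '%s\n' "$2" | find_port_8254_listeners | while read -r cmd p; do
        case " $pids " in
            *" $p "*) ;;  # already reported as HIGH above
            *) echo "REVIEW pid=$p cmd=$cmd listening on 8254" ;;
        esac
    done
}

triage "$SAMPLE_PS" "$SAMPLE_LSOF"
```

Because the article says the spyware relaunches via launchd and survives removal of the host application, a clean result after uninstalling the screensaver is the case worth re-checking after a reboot.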
So far, Intego has found OSX/OpinionSpy in one application--MishInc FLV To Mp3--and a number of screensavers (here's a MacUpdate example link) that are all made by 7art-screensavers:
- Secret Land ScreenSaver v.2.8
- Color Therapy Clock ScreenSaver v.2.8
- 7art Foliage Clock ScreenSaver v.2.8
- Nature Harmony Clock ScreenSaver v.2.8
- Fiesta Clock ScreenSaver v.2.8
- Fractal Sun Clock ScreenSaver v.2.8
- Full Moon Clock ScreenSaver v.2.8
- Sky Flight Clock ScreenSaver v.2.8
- Sunny Bubbles Clock ScreenSaver v.2.9
- Everlasting Flowering Clock ScreenSaver v.2.8
- Magic Forest Clock ScreenSaver v.2.8
- Freezelight Clock ScreenSaver v.2.9
- Precious Stone Clock ScreenSaver v.2.8
- Silver Snow Clock ScreenSaver v.2.8
- Water Color Clock ScreenSaver v.2.8
- Love Dance Clock ScreenSaver v.2.8
- Galaxy Rhythm Clock ScreenSaver v.2.8
- 7art Eternal Love Clock ScreenSaver v.2.8
- Fire Element Clock ScreenSaver v.2.8
- Water Element Clock ScreenSaver v.2.8
- Emerald Clock ScreenSaver v.2.8
- Radiating Clock ScreenSaver v.2.8
- Rocket Clock ScreenSaver v.2.8
- Serenity Clock ScreenSaver v.2.8
- Gravity Free Clock ScreenSaver v.2.8
- Crystal Clock ScreenSaver v.2.6
- One World Clock ScreenSaver v.2.8
- Sky Watch ScreenSaver v.2.8
- Lighthouse Clock ScreenSaver v.2.8
PremierOpinion, an "elite research community" that provides the namesake software, offers a privacy policy, a snippet of which is a bit alarming: