Did you download and install any Mac software from the MacUpdate site on the first or second of February? If so – and particularly if the app was Firefox 58.0.2, OnyX, or Deeper – you may well have installed a malicious cryptocurrency miner, which has been dubbed OSX.CreativeUpdate.
A full account of this, and of the malicious software, has been provided by Thomas Reed of Malwarebytes.
Shockingly, there is no warning on the MacUpdate front page, nor in its Support pages. The only mention you will see at MacUpdate is in comments added to the three downloads which are known to have been affected. Jess, one of MacUpdate’s editors, admits being duped into providing the malicious software as if it were genuine product downloads.
This issue does not affect copies of these products downloaded direct from their own websites, and probably doesn’t affect copies downloaded from sites others than MacUpdate, although the latter has yet to be confirmed.
If you have installed and run any of the affected apps, then they will have downloaded additional malicious software, which may in turn have started to use your Mac to mine for Monero crypto-currency. Reed explains that the malicious app was developed with some major flaws which rendered it ineffective on many Macs. However, you should still treat this as a full malware infection.
Although it is thought to be confined to Firefox 58.0.2, OnyX, and Deeper downloaded from MacUpdate on 1st and 2nd February 2018, on further investigation it may be that it affects other apps downloaded from MacUpdate, possibly even from other download aggregation services. Both Thomas Reed and Patrick Wardle point out that this is not the first time that MacUpdate has inadvertently provided its users with malware. However, downloading updates direct from developers’ sites is also far from risk-free.
What is most shocking in this case is MacUpdate’s almost secretive approach to its error. It demonstrates that MacUpdate’s processes for verifying the integrity of the products which it distributes are broken, and that it fails to draw customers’ attention to such a major security failure. If you use MacUpdate or any other download aggregation service to obtain software or updates, you will want to review that practice.
By an odd coincidence, a reader here had recently suggested that I provide my free software through MacUpdate. After this, I confirm that I will not be providing any of my apps via MacUpdate or any other update aggregation service, only by direct download from the Downloads page here. If you see them offered elsewhere, note that those are unofficial sources and may well be malicious.
You can’t be too careful.
Postscript: I have now posted further analysis and comment in this article.