Intego, makers of security and privacy apps for the Mac, warned on Tuesday that some Mac software include a new piece of invasive spyware. Macworld has obtained a preliminary list of the applications with the spyware.
In a press release, Intego states that a number of apps and screen savers distributed through sites like MacUpdate, VersionTracker, and Softpedia are installing a little more software than users bargain for; Apple’s Mac OS X Downloads site also contained entries for some of the apps, though the download links appear to now be inactive. The spyware in question is called OSX/OpinionSpy and it’s a variant of Windows spyware that has existed since 2008.
As to the spyware’s invasive actions, it allegedly dupes users into handing over their admin passwords with a dialog claiming that it "market research" software will be installed to collect browsing and purchasing history. OSX/OpinionSpy then installs a process called “PremierOpinion” that runs as root. Intego says the spyware then opens an HTTP backdoor on port 8254, scans all accessible local and networked volumes, and injects code into Safari, Firefox, and iChat in memory (meaning it doesn’t alter the applications themselves). It also regularly transmits encrypted data to a variety of servers, which contains e-mail addresses, iChat message headers, and URLs—as well as potentially personal data like usernames, passwords, credit card numbers, bookmarks, and browsing history.
OSX/OpinionSpy can also upgrade itself automatically with no user intervention and relaunch itself via Mac OS X’s launchd, the system-wide process that manages a number of automated systems, background daemons, and launch processes. Furthermore, upon uninstalling the original program, OSX/OpinionSpy remains installed on your Mac.
So far, Intego has found OSX/OpinionSpy in one application—MishInc FLV To Mp3—and a number of screensavers (here's a MacUpdate example link) that are all made by 7art-screensavers:
- Secret Land ScreenSaver v.2.8
- Color Therapy Clock ScreenSaver v.2.8
- 7art Foliage Clock ScreenSaver v.2.8
- Nature Harmony Clock ScreenSaver v.2.8
- Fiesta Clock ScreenSaver v.2.8
- Fractal Sun Clock ScreenSaver v.2.8
- Full Moon Clock ScreenSaver v.2.8
- Sky Flight Clock ScreenSaverv.2.8
- Sunny Bubbles Clock ScreenSaver v.2.9
- Everlasting Flowering Clock ScreenSaver v.2.8
- Magic Forest Clock ScreenSaver v.2.8
- Freezelight Clock ScreenSaver v.2.9
- Precious Stone Clock ScreenSaver v.2.8
- Silver Snow Clock ScreenSaver v.2.8
- Water Color Clock ScreenSaver v.2.8
- Love Dance Clock ScreenSaver v.2.8
- Galaxy Rhythm Clock ScreenSaver v.2.8
- 7art Eternal Love Clock ScreenSaver v.2.8
- Fire Element Clock ScreenSaver v.2.8
- Water Element Clock ScreenSaver v.2.8
- Emerald Clock ScreenSaver v.2.8
- Radiating Clock ScreenSaver v.2.8
- Rocket Clock ScreenSaver v.2.8
- Serenity Clock ScreenSaver v.2.8
- Gravity Free Clock ScreenSaver v.2.8
- Crystal Clock ScreenSaver v.2.6
- One World Clock ScreenSaver v.2.8
- Sky Watch ScreenSaver v.2.8
- Lighthouse Clock ScreenSaver v.2.8
For certain commercial customers, we may provide individual-level information. We make this data available so that these customers may enhance their own understanding of Internet usage and online commercial trends. In all cases, we make commercially viable efforts to automatically filter confidential personally identifiable information such as UserID, password, credit card numbers, and account numbers from the data being provided.
While the policy also states that “customers” can opt out of the program at any time, it only offers uninstall instructions for Windows, not Mac OS X. It also explains that PremierOpinion gave OSX/OpinionSpy the ability to analyze, repair, or reinstall itself out of concerns over system stability, in case third-party software does more harm than good while attempting to remove it.
That said, Intego claims that as long as VirusBarrier X5 and X6 users update to the latest version of its threat filters, released May 31, 2010, its software should be able to remove OSX/OpinionSpy successfully.