Industry News

Running Firefox, OnyX or Deeper on your Mac? You might be mining cryptocurrency for a hacker

Three widely used Mac apps infected with cryptocurrency miners have been flagged by security researchers this week. The programs, distributed through third-party aggregators (i.e. not the official Mac App Store), need to be immediately uninstalled if users are to stay out of harm’s way.

Earlier this week, researchers found fake or otherwise modified versions of Mozilla’s Firefox web browser, as well as system tools OnyX and Deeper, infected with cryptocurrency-mining malware targeting Macs. The modified apps were distributed through MacUpdate, a third-party Mac software aggregator.

Deeper is a personalization utility and OnyX is a popular maintenance tool. Both apps were created by veteran development studio Titanium Software.

Dubbed OSX.CreativeUpdate, the malware spread through hacked pages on MacUpdate. OSX.CreativeUpdate is a Trojan that, once installed, downloads its cryptocurrency mining component. The miner hijacks the Mac’s processor to generate digital “coins” that go straight to the attacker’s wallet.

A spokesperson for MacUpdate confirms the hack in a comment on all three infected download pages.

“If you have installed-and-run Firefox 58.0.2, OnyX, or Deeper since 1 February 2018, please accept my apologies, but you will need to follow these steps to remove a bitcoin miner which hacked versions of those apps,” writes the person, identified only as Jess. “This is not the fault of the respective developers, so please do not blame them. The fault is entirely mine for having been fooled by the hackers.”

In short, if you’ve downloaded any of these three apps through MacUpdate as of late, you need to trash them.

However, just deleting the app binaries is not enough. As power users should know, when new software is installed, MacOS makes room for additional application resources in different parts of the system – specifically, the Library folder. So, even if you delete the app itself, some leftovers might remain in this directory.

Case in point – according to Jess, users need to follow these exact steps to eliminate any potential infection with OSX.CreativeUpdate:

  • Delete any copies of the above titles you might have installed.
  • Download and install fresh copies of the titles.
  • In Finder, open a window for your home directory (Cmd-Shift-H).
  • If the Library folder is not displayed, hold down the Option/Alt key, click on the “Go” menu, and select “Library (Cmd-Shift-L)”.
  • Scroll down to find the “mdworker” folder (~/Library/mdworker/).
  • Delete the entire folder.
  • Scroll down to find the “LaunchAgents” folder (~/Library/LaunchAgents/).
  • From that folder, delete “MacOS.plist” and “MacOSupdate.plist” (~/Library/LaunchAgents/MacOS.plist and ~/Library/LaunchAgents/MacOSupdate.plist).
  • Empty the Trash.
  • Restart your system.

The web site says it already fixed the pages for Firefox, Onyx and Deeper. A lot of Mac owners make use of the vast software library that is MacUpdate. However, we advise downloading your third-party software either from the developer’s web site or through Apple’s curated Mac App Store. For more peace of mind, run Bitdefender Antivirus for Mac, which classifies cryptocurrency miners as malware and blocks them as such.

About the author


Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware and cyber-security, and has worked in various B2B and B2C marketing roles. Filip currently serves as Information Security Analyst with Bitdefender.