Another chink has appeared in the Apple operating system’s usually tough defenses against cybersecurity issues: a new cryptocurrency miner has been discovered hitting macOS devices.
The process hiding the XMRig Monero miner is named mshelper and was first reported on several Apple user forums when Mac owners found their processors maxed out and their batteries being sucked dry. Thomas Reed, a Malwarebytes researcher, studied the issue and found that mshelper is in fact a cryptominer that is likely being installed via a fake Adobe Flash Player or downloads from unofficial sites. The actual dropper, or malware installer, has not yet been found, but Malwarebytes was able to unearth a few clues surrounding the malware.
The launcher, named pplauncher, is kept running by a launch daemon (com.pplauncher.plist), which indicates to Reed that the dropper must have had root privileges. The process labeled mshelper is, in fact, an older version of XMRig, Reed said, adding that the miner itself is not dangerous other than fully utilizing the device’s processor.
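One way to triage a Mac for the launch daemon persistence described above, as an added example that is not code from Malwarebytes or the original article: it parses launch daemon plists and flags any that reference the pplauncher or mshelper names. /Library/LaunchDaemons is the standard macOS directory for system-wide daemons; the sample plist, its label and its placeholder program path are constructed.

```python
import plistlib
from pathlib import Path

# Names reported in the article.
INDICATORS = ("pplauncher", "mshelper")
# Standard macOS directory for system-wide launch daemons.
DAEMON_DIR = Path("/Library/LaunchDaemons")

# Constructed sample, not the real malware plist; the program path is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.pplauncher</string>
  <key>ProgramArguments</key><array><string>/PLACEHOLDER/pplauncher</string></array>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def inspect_daemon(name, raw):
    """Return a finding if a launchd plist references an indicator, else None."""
    try:
        job = plistlib.loads(raw)
    except Exception:
        job = {}  # unparseable: fall back to matching on the file name only
    if not isinstance(job, dict):
        job = {}
    args = job.get("ProgramArguments") or []
    fields = [name, str(job.get("Label", "")), str(job.get("Program", ""))]
    fields += [str(a) for a in args] if isinstance(args, list) else []
    hits = sorted({i for i in INDICATORS for f in fields if i in f.lower()})
    if not hits:
        return None
    # KeepAlive can be a bool or a dict of conditions; either makes launchd restart the job.
    return {"file": name, "hits": hits,
            "relaunches": bool(job.get("KeepAlive")),
            "run_at_load": bool(job.get("RunAtLoad"))}


def scan(directory=DAEMON_DIR):
    """Inspect every plist in the launch daemon directory; skip unreadable files."""
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            finding = inspect_daemon(path.name, path.read_bytes())
        except OSError:
            continue
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    print(inspect_daemon("com.pplauncher.plist", SAMPLE_PLIST))
    print(scan())
```

A hit with `relaunches` set means launchd will restart the launcher after it is killed, so the daemon has to be unloaded and its plist removed before the process is terminated.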
“Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing,” Reed said.