Researchers Discover Malware That Targets Apple Mac Computers and Cryptocurrency Exchanges

If you ever check bitcoin prices on a cryptocurrency exchange, make sure you delete your digital cookies. Failing to do so may put your personal data like passwords, credit card information, and saved iPhone text messages on your Mac computer at risk of being accessed by hackers.

Cybersecurity researchers from Palo Alto Networks published research on Thursday detailing the security firm’s discovery of new malware that affects Apple’s Mac OS, or operating system. The malware, dubbed CookieMiner, appears to be a variant of the similar OSX.DarthMiner malware that security firm Malwarebytes discovered in December that also targets Apple personal computers, said Jen Miller-Osborn, a deputy director of threat intelligence at Palo Alto Networks and its Unit 42 research team.

Like the older malware, the CookieMiner malware can modify computers so that they covertly install software for the purpose of cryptocurrency mining, in which computers perform online calculations to assist in authenticating cryptocurrency transactions; doing so also generates digital tokens for the user as a reward. In this case, the CookieMiner malware will cause computers to “mine Koto, a lesser-known cryptocurrency that is associated with Japan,” the report said.

What’s different is that the newer CookieMiner lets hackers steal people’s digital cookies in both Apple Safari and Google Chrome browsers. Cryptocurrency exchanges like Coinbase, Binance, and Bitstamp use cookies to temporarily track users who visit the sites.

Additionally, the malware can steal a person’s saved usernames, passwords, and financial information if that data is saved on the Chrome browser, but not the Safari browser (the researchers didn’t examine Firefox or Microsoft’s Edge browser). Miller-Osborn suspects that hackers developed CookieMiner to do more damage on Google Chrome than Safari because of Chrome’s popularity.

With access to so much user data plus the cryptocurrency-related digital cookies, hackers could sneak into people’s cryptocurrency exchange accounts to withdraw money, a process that the research report said “may be a more efficient way to generate profits than outright cryptocurrency mining.”

Unfortunately, Miller-Osborn said it’s unclear which shady apps are infected with the CookieMiner malware. Palo Alto Networks only knows that it exists, and the firm contacted various cryptocurrency exchanges, along with Apple and Google, about the issue; she said those companies supported the firm publishing its research.

The older OSX.DarthMiner malware was found in fake apps disguised to look like they had been sanctioned by Photoshop-maker Adobe, Malwarebytes said in December.

Miller-Osborn said it’s likely that the CookieMiner malware is in malicious apps that are distributed outside the Apple App store, because criminals typically want to avoid Apple detecting their scam software through its review process.

As a recommendation, Miller-Osborn said people should never store any personal information like passwords or usernames in their web browsers. She also said that people should clear their cookies “especially when visiting financial accounts.” Although it’s become standard practice for website operators to limit the amount of time cookies remain active, people shouldn’t assume that’s always the case.

As to why Palo Alto Networks decided to publish its findings, Miller-Osborn explained that the firm wanted to show the public that there can still be major security flaws affecting Mac computers, despite the reputation that Apple computers are safer.

“There is this fallacy that Macs can’t be compromised,” Miller-Osborn said. “When you look at [PC] marketshare, Windows has the most of it so naturally Windows gets the most attention.”