TransmissionJust five months after Transmission was infected with the first "ransomware" ever found on the Mac, the popular BitTorrent client is again at the center of newly uncovered OS X malware.

Researchers at security website We Live Security have discovered the malware, called OSX/Keydnap, was spread through a recompiled version of Transmission temporarily distributed through the client's official website.

OSX/Keydnap executes itself in a similar manner as the previous Transmission ransomware KeRanger, by adding a malicious block of code to the main function of the app, according to the researchers. Likewise, they said a legitimate code signing key was used to sign the malicious Transmission app, different from the legitimate Transmission certificate, but still signed by Apple and thereby able to bypass Gatekeeper on OS X.

The researchers said they notified the Transmission team about the malware, and within minutes they removed the malicious file from their web server and launched an investigation. The researchers believe the infected Transmission app was signed on August 28 and distributed only on August 29, and thus recommend anyone who downloaded version 2.92 of the app between those dates to verify if their system is compromised by checking for the presence of any of the following files or directories:

  • /Applications/Transmission.app/Contents/Resources/License.rtf

  • /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf

  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd

  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id

  • $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist

  • /Library/Application Support/com.apple.iCloud.sync.daemon/

  • $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist

Transmission version 2.92 remains available through the software's update mechanism.

Top Rated Comments

Picka Avatar
60 months ago
uTorrent FTW...
Said no one. Ever.
Score: 29 Votes (Like | Disagree)
sualpine Avatar
60 months ago
This wouldn't happen if torrent apps were allowed in the App Store.
Score: 25 Votes (Like | Disagree)
Scellow Avatar
60 months ago
uTorrent FTW...
utorrent is worse
Score: 17 Votes (Like | Disagree)
keysofanxiety Avatar
60 months ago
Come on, guys. Secure your server already.
Sources say that the armoured gerbil protecting the server room was distracted by a morsel of cheese.
Score: 12 Votes (Like | Disagree)
Makosuke Avatar
60 months ago
Transmission is an extremely polished client, so it's rather disappointing that they've managed to get their official builds, distributed from their own website, built with malware twice now. That does not speak well, at all, to how they maintain either their servers or their dev team.

An aside to those ragging on BitTorrent:

First, there are surprisingly enough some legit things that are now distributed primarily or exclusively through BT. I needed to get Transmission running to download ATI's tech demo package recently.

And second, while its obviously heavily abused to pirate content, there is also a huge grey area of technically-not-okay things that don't really fall into the standard bin of piracy. Example: J-dramas. While this has been improving (mostly Crunchyroll and, for K-dramas, Hulu) there are still many, particularly older ones, that have never been licensed or officially released outside Japan, so while there's always the "market poisoning" question if somebody does consider licensing in the future, there's currently no legitimate way to view them if you live in the US, and since there is no official distributor in this country there's also nobody defending the copyrights. Conversely, it's quite likely that if there was no underground scene of fansubbing and distributing J-dramas illegally, there would be almost none of the interest that makes a legit service like Crunchyroll possible.
Score: 11 Votes (Like | Disagree)
ActionableMango Avatar
60 months ago
I'm glad I don't use these types of apps. I don't need the headaches of potentially getting malicious software on my machines.
I don't see what the "type of app" has to do with anything.

According to the article, the app developer had their server compromised in such a way that the download for the legitimate app was replaced with one recompiled to include malware. Presumably this could happen to any company or any type of app. Similar things have happened to many other companies, small and large, for many types of applications, including Apple's App Store:

https://www.wired.com/2015/09/apple-removes-300-infected-apps-app-store/
Score: 8 Votes (Like | Disagree)

Top Stories

apple event spring loaded

Apple's 'Spring Loaded' Event Officially Announced for Tuesday, April 20

Tuesday April 13, 2021 9:04 am PDT by
Following an overnight leak by Siri, Apple today officially announced that it will be holding a special "Spring Loaded" event on Tuesday, April 20 at 10:00 a.m. Pacific Time at the Steve Jobs Theater on the Apple Park campus in Cupertino, California. As with all of Apple's 2020 events, the April 2021 event will be a digital-only gathering with no members of the media invited to attend in...
iphone12cameras

Kuo: 2022 iPhones to Feature 48-Megapixel Camera, 8K Video, and 6.1 and 6.7" Sizes With No 5.4" Mini Option

Tuesday April 13, 2021 10:45 pm PDT by
The upcoming 2022 iPhone lineup will feature two 6.1-inch devices and two 6.7-inch devices, with no mini-sized 5.4-inch iPhone, well-respected Apple analyst Ming-Chi Kuo said in a note to investors that was seen by MacRumors. Two of the iPhones will be high-end models and two of the iPhones will be lower-end models, similar to the current iPhone 12 lineup. Apple introduced the 5.4-inch...
macos catalina serial number

Apple Preparing Rollout of New Randomized Product Serial Numbers Ahead of 'Spring Loaded' Event

Wednesday April 14, 2021 2:08 am PDT by
Apple is advising its authorized premium resellers and dealers to prepare for new products with 10 and 12 digital serial numbers, days ahead of when it's expected to reveal a slew of new products. MacRumors previously reported that Apple plans to switch to randomized serial numbers for future products starting in early 2021. The company now seems to be preparing for that roll-out, telling...
apple event particularly innovative article

Gurman: Apple's 'Spring Loaded' Event Won't Feature Anything 'Particularly Innovative'

Thursday April 15, 2021 1:30 am PDT by
Bloomberg's highly-respected Mark Gurman says that he expects nothing "particularly innovative" or "extraordinary" to launch at Apple's "Spring Loaded" event next week, Tuesday, April 20. Gurman made the remarks during an interview for Bloomberg Technology, in which he reaffirmed that Apple will launch a new 11-inch and 12.9-inch iPad Pro, with the higher-end model featuring a brand new...
duanrui iphone13 notch samples

More Leaked iPhone 13 Samples Show Smaller Notch, Repositioned Earpiece and Front Camera

Wednesday April 14, 2021 1:06 am PDT by
Leaker known as "DuanRui" has today shared an image of two iPhone 13 "film samples," which show the same rumored smaller notch design coming to the iPhone 13 series that we've seen from other sources. In past tweets, DuanRui has accurately leaked the correct names of the iPhone 12 models and an iPad Air 4 manual revealing its new design, so there's good reason to think this leak is credible, ...
siir apple event april 20

Siri Reveals Apple Event Planned for Tuesday, April 20

Tuesday April 13, 2021 12:04 am PDT by
Siri has apparently prematurely revealed that Apple plans to hold an event on Tuesday, April 20, where the company is expected to reveal brand new iPad Pro models and possibly its long-awaited AirTags trackers. Subscribe to the MacRumors YouTube channel for more videos. Upon being asked "When is the next Apple Event," Siri is currently responding with, "The special event is on Tuesday, April...
apple event hashflag

Twitter Hashflag for April 20 Apple Event Goes Live

Tuesday April 13, 2021 2:21 pm PDT by
Following the overnight Siri leak and subsequent announcement that Apple will hold a media event on Tuesday, April 20, a new Twitter hashflag has appeared to help provide visibility for the event on the platform. For the last several recent events, Apple has utilized hashflags, which are little icons next to hashtags on Twitter, as a way to market its events. The company first started the...
parallels windows 10 arm mac

Parallels 16.5 Can Virtualize ARM Windows Natively on M1 Macs With Up to 30% Faster Performance

Wednesday April 14, 2021 7:00 am PDT by
Parallels today announced the release of Parallels Desktop 16.5 for Mac with full support for M1 Macs, allowing for the Windows 10 ARM Insider Preview and ARM-based Linux distributions to be run in a virtual machine at native speeds on M1 Macs. Parallels says running a Windows 10 ARM Insider Preview virtual machine natively on an M1 Mac results in up to 30 percent better performance compared ...
iphone 13 pro render rear

iPhone 13 Pro Rumored to Be Thicker and Feature Larger Rear Camera System

Wednesday April 14, 2021 7:07 am PDT by
Tech blog 91Mobiles has obtained 3D renders of what it claims will be the iPhone 13 Pro, revealing a largely familiar design with a few notable changes, including a smaller notch and a significantly larger rear camera system. Following renders of the standard iPhone 13 model from MySmartPrice yesterday, which showed a new diagonal rear camera layout, these renders of the 6.1-inch iPhone 13...
third gen Apple pencil leaked video

Video of Alleged Third-Generation Apple Pencil Leaks Ahead of Apple Event

Friday April 16, 2021 6:13 am PDT by
A video purporting to be of the third-generation Apple Pencil has today been shared online, showing a glossy finish that mirrors previous leaks. New ✏️ ready to 🚢 #AppleEvent @TommyBo50387266 pic.twitter.com/s4RCDwDi5M— 漢尼斯·拉斯納 🇨🇳 (@ileakeer) April 16, 2021 The brief video from Twitter account @ileakeer, spotted by 9to5Mac, shows an Apple Pencil with a glossy finish much like the...