Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Elmedia Player and Folx installers infected by OSX/Proton credential-stealing malware on Oct. 19

Last updated

Popular media consumption application Elmedia Player and downloading tool Folx were both briefly infected with the Proton malware strain, with most installers of the software on Oct. 19 now infected.

Security firm researchers from ESET reported on Friday that the free Elmedia Player installer had been compromised for a period of time on Oct. 19 with the malware. The malware piggy-backed on the legitimate installer, in much the same way that the malware rode in on installs of media transcoding tool Handbrake in May — but using a legitimate developer ID for a certificate this time.

The binary substituted for the legitimate one was signed by a developer ID with the name "Clifon Grimm." The provenance of the ID is unclear, but it was legitimate before Apple revoked the certificate.

Users who downloaded the installers and executed them on Oct. 19 before 3:15 PM are "likely compromised" according to ESET. It is not clear how many users were infected.

"As with any compromise with an administrator account, a full OS reinstall is the only sure way to get rid of the malware," wrote ESET. "Victims should also assume that the secrets ... are compromised and take appropriate measures to invalidate them."

Secrets listed by ESET include operating system data including System Integrity Protection status and some location information, a wide array of browser data including cookies and login data, cryptocurrency wallets, SSH private data, macOS Keychain data, 1Password data, and a list of installed applications.

The full installers for Elmedia Player and Folx were contaminated with the malware. Applications updated through the built-in mechanism during the time period in question are apparently unaffected.

The presence of any or all of the folllowing files indicates an attack by OSX/Proton:

/tmp/Updater.app/

/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist

/Library/.rand/

/Library/.rand/updateragent.app/

"Proton" is a remote access trojan (RAT) aimed at macOS systems. Written in Objective C, allowing it to run without any dependencies, the malware is marketed by the creator as a "professional FUD surveillance and control solution, with which you can do almost everything with (a) target's Mac."

With root-access privileges, the list of potential actions includes keylogging, uploading and downloading files, screenshots, webcam access, and SSH and VNC connectivity. It is also claimed the malware can also present victims with a custom window, which could be used to request extra information, such as a credit card number.

Previously, the tool cost 100 bitcoins ($126,000 at the time) to acquire, with a license for unlimited installations, but criticism from others prompted a reduction to 40 bitcoins ($50,400) for unlimited installations, or 2 bitcoins ($2,512) for a single installation.