Researchers recently discovered that a supposed chat app, CloudChat, surreptitiously stole crypto keys and wallets from victims’ Macs. The malware also opened up a backdoor, allowing the developer to remotely control infected Macs and secretly run Terminal commands.
Sometime after the researchers published a write-up about the malware, the chat app site changed. It no longer offers the same version of the app. Here’s what we know about the story so far.
On April 3, malware researchers Adam Kohler and Christopher Lopez discovered an interesting file that had been upload to VirusTotal that day. VirusTotal is a site that allows anyone to scan a file with multiple antivirus engines to see which ones detect it as potentially dangerous; files uploaded to the site are available for malware researchers to download.
The same DMG (macOS disk image) that contained the file was also available on the official CloudChat site.
When a victim runs the app, it checks whether the system’s IP address implies that the Mac is in China. If so, it avoids downloading a malicious payload.
If, however, the victim’s Mac doesn’t appear to be in China, it surreptitiously downloads and runs the second-stage payload. The payload is an app that hides in the user’s home folder; its name starts with a period character so it won’t be visible in the macOS Finder.
The app then collects information about the infected Mac and sends them to a Telegram user. It then starts watching for any Bitcoin, Ethereum, or TRON crypto private keys the user may copy to the clipboard. If the victim happens to copy one, the malware exfiltrates it to the malware developer via Telegram.
The malware also checks the Mac for common Google Chrome cryptocurrency wallet extensions. If it finds any, it creates a compressed archive and exfiltrates them to the attacker’s FTP server.
Sometime after these initial stages, an attacker may leverage the software’s backdoor functionality. They may manually send commands and remotely control the infected Mac.
Sometime after the original write-up went live, the operators of the CloudChat site evidently removed the malicious version of the Mac app.
Instead of the malicious version that they apparently created on April 2, 2024, they reverted back to an old version. As of when this article is being published, the app that the site is currently distributing via its CloudChat.dmg appears to have been created on June 22, 2022. It was first uploaded to VirusTotal on July 2, 2023.
The official CloudChat site throws around a lot of buzzwords to give the perception of being safe; they claim it “provides you with a safe social life service,” that it’s “private and secure social,” “is encrypted,” “[protects] your messages, files, etc. from hackers,” and lets you exchange “encrypted personal and trade secrets.”
But should you trust the current (old) version of the app? No, absolutely not. Even in the best-case scenario—giving the developer the benefit of the doubt and assuming their site had been hacked—there are far too many red flags.
While the newer (confirmed to be malware) version of the app was self-signed, the older version is not even code-signed at all. Normally, legitimate developers get an Apple Developer ID and have Apple notarize their apps before distributing them.
The site offers no way to contact the company via telephone, e-mail, or form; there’s just a line in the User Agreement stating that “you can contact us through the official channel of CloudChat.” Obviously, that isn’t feasible if you don’t trust the app enough to install it in the first place.
And there’s absolutely zero detail about the encryption they supposedly use.
These are just some of the red flags; this is by no means even a comprehensive list.
It’s best to stick with trusted chat applications—ideally one that uses end-to-end encryption by default.
If you just need to message other iPhone or Mac users, Apple’s own iMessage is a great solution.
As for cross-platform options, Signal and Threema are among the most trusted options. WhatsApp is another popular app that offers encrypted chats (using Signal’s technology); however, Meta owns WhatsApp, along with Facebook and Instagram, and the company doesn’t have the best track record on privacy.
Learn more about these and other legitimate messaging apps in our article about encrypted messaging apps for Mac, iPhone, and iPad.
If you think you may have malware on your Mac, it’s a good idea to scan it with a trusted antivirus.
If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs. And it’s compatible with Apple’s current Mac operating system, macOS Sonoma.
One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. To get started, just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.
If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.
We discussed the CloudChat infostealer on episode 340 of the Intego Mac Podcast.
If you’d like more technical details about CloudChat malware, see Kohler and Lopez’s original write-up.
Be sure to also check out Intego’s past articles about Mac and iPhone malware, including our articles specifically about stealer malware, and our 2024 Apple malware forecast.
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: