The Mac Security Blog

Pirated Mac Apps Contain Malware, and iMessage Support on Windows (Sort of) – Intego Mac Podcast Episode 281

Mac malware is again found in pirated applications, LastPass was hacked via an employee’s home computer running Plex, and hackers may be able to get into a bank account with an AI-generated voice. Microsoft makes a step toward supporting iMessage on Windows, and we look at a new Nokia phone that is easily repairable.


Transcript of Intego Mac Podcast episode 281

Voice over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, March 2, 2023.

This week’s Intego Mac Podcast security headlines include: a new cryptojacking malware gets onto your Mac when you — ahem — download pirated software; what percentage of users are viewing online media illegally? A new survey provides some answers; you hear a lot about AI performing all sorts of human tricks, like robbing a bank? And does a new user-repairable phone signal a trend in future phone design? Now here are the hosts of the Intego Mac Podcast, veteran Mac journalist, Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:48
Good morning, Josh, how are you today?

Josh Long 0:50
I’m doing well. How are you, Kirk?

Downloading pirated software is one way that cryptojacking malware can get on your computer.

Kirk McElhearn 0:52
I’m doing just fine. We have an exciting lineup for today’s episode. We have this cryptojacking malware, which has been found in some pirated applications for Mac.

Josh Long 1:01
You know, we always tell people make sure that when you download an app that you’re getting it from an official source, either get it from the App Store. And again, whether that’s on macOS or iOS, iPadOS, whatever platform it is, the App Store is, generally speaking, just about the safest place that you can get an app. That’s not to say that there’s never any scam apps or anything like that that can slip past Apple’s review process. But in general, that’s one of the safest places for you to get apps. The second place that is safe to get apps is from the developer’s official website, which again, you have to be careful because if you’re just doing a web search for that developer, you may accidentally end up on some page that is not the developer’s website. But in any case, some pirated applications, apps that claim to be the full version, for example, of Final Cut Pro, included some malware that engaged in cryptojacking. Now cryptojacking is when malware attempts to mine for cryptocurrency using your leftover processor cycles that you’re not using. Sometimes it’s your CPU, your main processor, sometimes it’s your GPU, it’s kind of irrelevant when it comes to M1 and M2 series processors just because it’s the whole system on a chip, Apple kind of has integrated CPU and GPU and all that kind of stuff. The short version of this, basically: don’t download pirated software, and then you won’t get malware on your computer.

Kirk McElhearn 2:37
It’s really simple, isn’t it? It’s like don’t drink and drive and you won’t get into accidents.

Josh Long 2:42
Yeah, very likely you won’t get into accidents. So if you do have malware like this on your computer, of course, if you have the latest Intego software, VirusBarrier can detect and remove any of this malware from your computer. Hopefully though nobody has downloaded any pirated software onto your computer.

YouGov survey highlights piracy of media

Kirk McElhearn 2:59
No, why would they download pirated software? That’s wrong! That’s a bad thing to do. Well, speaking about pirated content, apparently 10% of American adults viewed content illegally in 2012. And this is a survey which was carried out by YouGov. And we don’t know the questions that were asked of how people knew that what they were seeing was legal or not, because only 60% of the people said that they were aware that the pirated content was legally available. We were discussing this before the show, you can go to YouTube, and you can listen to music, or you can see some videos. And when you’re on YouTube, you don’t think there’s anything illegal, but a lot of that stuff is pirated.

Josh Long 3:42
This actually brings up a lot of, like, interesting conversation points. But yes, specifically, there were 10% of those surveyed who admitted that they had viewed content illegally. And I think it should be worded that way. Because I imagine, depending on, I don’t know exactly how the survey was conducted. I found a couple of articles about this survey, and I didn’t see anything specifically saying this was a phone survey, or this was an anonymous online survey. But that could have an impact on how people are choosing to respond to a survey. If somebody calls me up on the phone, they’ve got my phone number. And even if they’re saying this is an anonymous survey, I may not necessarily want to tell them, yes, I know I’m pirating stuff, because, you know, how do I know that the person on the other end of the call isn’t secretly a government agent who’s trying to, you know, to use something against me. I would say at least 10% of American adults are probably doing content illegally. It’s probably a larger number than that would be my guess.

Kirk McElhearn 4:43
And there’s a certain percentage who are doing this intentionally. So the malware we just talked about, this was found on places like the Pirate Bay, where people were going to download torrents and videos and music, etc. But we don’t know how many were accidental, such as YouTube. Or should I cite the example of someone I know who has Disney+ in the States and wanted to watch a certain movie that was not available on Disney+ in the States, but was on Disney+ in Canada, and used the VPN to access the Canadian Disney+ to watch the movie?

Josh Long 5:15
I have heard that that is possible to do, yes. Theoretically, if you’re paying for the service, and if you were to travel to another country where that content is available, you would be able to access that content using the service that you’re paying for. So this is one of those awkward gray areas, right? And the same thing with Disney+, Netflix, any of these services generally have country-specific licensing, right? This is a very complicated thing, because of silly things in the movie and TV industry. But the way things are funded and the existing partnerships that different companies have, it gets very complicated. And so it’s kind of understandable that there are these geofenced restrictions. So is that pirating? As far as, like, the people who answered the survey, I don’t know whether they would have thought of that. If somebody had asked me, and if I were that person who had accessed Canadian content from the US, then I might not have thought about that and answered yes to that question.

Kirk McElhearn 6:20
It’s worth noting that Apple has taken the interesting path to only have content that they’ve produced on Apple TV+, so they own the worldwide rights. And there are really weird licensing deals depending on who’s been involved in the production of certain things. For example, a lot of BBC series get shown on Netflix in the US or others on BritBox, which is owned by the BBC. Some of them might be on other streaming services, it all depends who’s put up the money for the original productions.

Josh Long 6:50
So one other thing that came out of the survey, specifically 60% of those who admitted that they were watching content illegally said that they were aware that the content was legally available that there was some legal avenue for them to be able to get that content, and they chose piracy anyway. But that is kind of interesting, because then it implies that, again, I’m not exactly sure how people chose to respond to these questions relative to how the questions were asked. But apparently, of those 10%, who admitted to pirating things 40% evidently, were watching content illegally, but they didn’t know that it was legally available.

Kirk McElhearn 7:30
But this brings us back to the question of do you want to download pirated software? Do you want to go to the websites that contain links to pirated movies and TV shows things like the Pirate Bay and other torrent sites, because these sites are often going to try and get you to download software. One of the things that they try to sell on all these torrent sites now is VPN software. So you’ll click on a link and it’ll open up a page say, Oh, you need a VPN to protect you when you’re downloading the software. In some cases, this might be reliable VPN software. But notice it might be a scam.

Josh Long 8:03
One more thing we should mention that came out of the survey, those who were viewing content illegally recognized that some of them recognize that it came with risks. Apparently, 37% of those who had illegally downloaded or streamed content reported that their device got infected with malware in the process. So more than a third of those people said, Yeah, I know I got malware because of this. So this is a good reminder that even if you’re not looking for software online, and potentially downloading software illegally, you can still encounter malware when you’re searching for video content, or music content, or other things that you’re trying to obtain without paying for it. So just be aware of that. Be very careful about that. Because often malware does come with some of these downloads.

LastPass breach linked to hack of employee’s home computer running Plex

Kirk McElhearn 8:51
So to segue from downloading video content to the LastPass breach that we’ve talked about in recent episodes, it turns out that an employee’s home computer was hacked and a corporate vault was taken. So a vault is the file that the company had with all their important passwords and credentials and all that. And the vector that was used was really interesting. The employee was using Plex on their home computer, and someone exploited a vulnerability with Plex. Now, you can use Plex in two ways you can use it one, I use it on, I have a Mac mini I store videos that I’ve ripped, and I use it to stream to my Apple TV. But you can also use Plex to give remote access to your library to yourself or to other people. And this is one way that some people share pirated content with others through Plex libraries. And apparently there was some sort of a vulnerability in this remote access that allowed the hacker to get in and they install a keylogger. Was that it?

Josh Long 9:51
Right? It’s a little bit unclear how they got from one step to the next. But according to this report, the attacker got into the LastPass employee’s home computer through a vulnerability in Plex. Now by the way, Plex has come out with a statement saying we are not aware of any unpatched vulnerabilities. And they say that they have been in touch with LastPass, and are trying to find out what specific vulnerability might have been exploited to get into this person’s home computer. But if this is actually true that some Plex vulnerability was used to break into this employee’s computer, somehow that led to keystroke logging malware or keyloggers being installed on this individual LastPass employee’s home computer, then from there, because this employee was using their home computer to access this corporate vault, then this keystroke logging malware was able to capture the password they were using to log into it and then exfiltrate that data, the password, to the attacker, who was then able to use that to gain a greater foothold into LastPass. So you can see how, like, these things chained together, somebody was using a vulnerable version of software, let’s say maybe it was an old version of Plex or something that had some known vulnerability. We don’t know. They had this exposed also to the public Internet, which is kind of a no-no, right? Like, you have to be really careful and consider, do I actually want this piece of software to be available to anybody on the internet to be able to find this and potentially log in to this? There are ways that you can make that more secure. It does require a bit of technical expertise to do that. And so some people for their own personal convenience might just open up a port in their router. And now, actually, anybody who can, you know, brute-force guess the password to log into that service, or exploit a known vulnerability, may be able to break into your computer through that. So you’ve got to be really careful. Anytime you’re exposing anything intentionally to the internet, you want to make sure that you’re doing it in as secure of a way as possible.

Kirk McElhearn 12:08
Plex says that they don’t know of any unpatched vulnerabilities, but I can assure you that Plex releases updates to their software frequently, sometimes a couple of times a month, depending on whether you’re on the beta update channel or not. So it’s very possible that this LastPass thing happened months ago. And Plex is saying well, there’s nothing that’s unpatched today, but at whatever point the person got in, well, something had been unpatched at the time. And as you said, maybe the person just didn’t update it.

Josh Long 12:37
Right. And well, we know this took place in August, because that’s when the initial intrusion into LastPass apparently happened. By the way, if you’re wondering what we’re talking about with LastPass, we have a previous episode where we covered this, this whole thing, the whole story with LastPass and how they were compromised. LastPass, of course, is a password managing program that at this point we don’t recommend using anymore, it’s probably better to move on to a different password manager. If you already have a LastPass vault, it’s a good idea to move to a newer password manager that has better security. I’m personally using Bitwarden, I think that’s probably one of the best out there. Kirk, I know you’re using 1Password. These are both password managers that have a very good reputation, have been around for a long time.

Kirk McElhearn 13:26
I’ll have links in the show notes to an article on the Intego Mac Security Blog about the LastPass fiasco and to a podcast episode where we discussed it. Let’s take a break. When we come back, we’re gonna talk about how someone broke into a bank account with an AI-generated voice.

Voice over 13:43
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today, when you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac podcast listeners. Intego, world-class protection and utility software for Mac users made by the Mac security experts.

AI-generated voice is used to access a bank account

Kirk McElhearn 14:59
A few years ago, I was using a personal bank account with a bank here in the UK. And they had added a new voice authentication system. And they wanted me to call them up on the phone and say, my voice is my password. And they would record this and they would record my unique voiceprint. And I didn’t trust it. I said, there’s no way I’m going to do this, I’ll type in my complicated password if I have to. Well, we have an article in Motherboard, “How I broke into a bank account with an AI-generated voice.” And someone used that same tool that we used a couple of weeks ago to generate Josh’s voice. And they had to use a couple of tries, but they were able to break into a bank account, and get access to balances, transactions, transfers, etc. This is a bit worrisome because these AI voice tools are all of a sudden extremely powerful and extremely accessible. You don’t have to go out of your way to find one. I would never use a voice password for anything. Because not only does it not seem reliable to me, but you’re talking over a mobile phone, the sound is not going to be good, the microphone’s not going to be good, the connection might not be good. It just doesn’t seem safe.

Josh Long 16:11
Right. And it’s funny because they actually do say in this Vice article that that was the key word for this particular bank, my voice is my password. So apparently, this is a thing that a lot of banks are doing. And it is something that you should be aware of: my voice should not be my password, especially in today’s day and age where it is so easy for people to imitate your voice using artificial intelligence, you know, voice generation software.

Kirk McElhearn 16:40
One of the banks says on its website, your voice print, like your fingerprint is unique to you. And no one else has a voice just like you. I wonder if AI is going to be able to duplicate fingerprints, I guess that’s a little bit extreme. It would have to have a fingerprint model to be able to do that. So that won’t happen. But the whole voice thing, it just seems too easy.

Josh Long 17:02
Yeah, absolutely. This well. So a voiceprint is completely different from something like a fingerprint, a fingerprint. You can’t really spoof that, right, it’s got to be exact, and a voiceprint. Well, you can come pretty close to imitating somebody’s voices, as we heard recently, right? It didn’t sound exactly like me. But it’s close enough that I absolutely think that it could fool you know, a bank. My voice is my password prompt.

Kirk McElhearn 17:30
Especially if you consider that people like us who are podcasters, there are huge recordings of our voices of hundreds of hours that people can choose. So it’s not hard to find the voice. Now maybe someone who’s never done any public recordings, it might be more difficult to get a voiceprint from them, you need something clean, not just something from a phone call I think.

Josh Long 17:50
Actually, I’m kind of curious about that one. Because if you think about it, anybody who’s ever had to sit on hold on a phone call knows that audio quality over a phone call is really bad. And you know, listening to hold music, it doesn’t sound very good. It sounds really terrible, in fact, so the voice quality over a phone call is not great. But if somebody has, you know, recorded your voice through a phone call, I don’t know whether it degrades enough that if you were to then use AI based on a phone recording of somebody and then play that back through the phone to the bank, I don’t know whether that would be good enough to bypass the bank’s password requirement. I’m not sure. But I would not be surprised if it is possible.

Kirk McElhearn 18:40
To me, it sounds like making a photocopy of a photocopy. But there are AI tools that can clean up voice recordings. And I use this for one of my podcasts where one of my co-hosts does not have a good microphone, does not know how to use a microphone. So I use this Adobe tool, I upload a file and it gets rid of the room noise and the echo. It’s really quite amazing. We’re not suggesting that anyone try this. But just don’t let your voice be your password, especially now. I’d be even worried about, some banks are using a photo-type system. Right? I remember when I applied for a bank account a couple years ago, they had me sit in front of the camera on my computer and turn my head in different directions to take a photo of me. Now this is just a photo. It’s not like Apple’s Face ID, which has infrared scanners to check depth, right? It was just using photos. I wouldn’t want to use that because that could probably be spoofed as well.

Josh Long 19:34
If a bank is going to use technologies like this, there needs to be multiple layers. And I don’t mean just “my voice is my password” plus check that the phone number that I’m calling from matches my phone number that the bank has on file, because as we mentioned before, phone numbers can also be spoofed. So if somebody is able to spoof your phone number and also use AI-generated voice, it sounds like very, you know, Tom Cruise spy technology. But this is readily available, easily available to anybody who’s willing to, you know, to pay for a service like that or run their own kind of service that does something similar to this. It’s not difficult or expensive to pull off an attack like that in today’s day and age, unfortunately.

Kirk McElhearn 20:18
I think banks should be at the forefront of safety rather than trying some fancy technology. One of the things they do here, when I moved to the UK, I was very surprised. Most of the banks have a system, they’re starting to use two-factor authentication, and my accounts have two-factor. But some of them use a system where you enter your username and your password, then, for example, characters two, seven and 10 of your secret word. So you would have had to create a word, select a word, which is your favorite fictional character, your dog’s name, whatever, but they only choose three random characters from it. And that’s interesting, because it’s hard to crack that. There’s no dictionary brute-force attack to crack that sort of thing.

Josh Long 21:00
It’s kind of funny, because to me, from my perspective, that also means that obviously, they’re storing that special word in plain text, right? So good for them, hopefully, you’re not using something that you’re also using as a password elsewhere for that special word, because then that means that the employees of that company will have access to that.

Fake ChatGPT websites

Kirk McElhearn 21:19
Okay, very quickly, hackers are using ChatGPT phishing websites to infect users with malware. This is no different than anything that’s trending that people search for in Google. And then they go to websites, and someone makes a site that looks realistic. In this case, making a site that looks like OpenAI, the company behind ChatGPT. Just a warning that if you’re looking for ChatGPT, make sure you go to openai.com. And don’t click a link and follow it if you get an email or SEO link someplace else, check to make sure the URL is correct.

Josh Long 21:50
Right. And specifically, this malware that we know of so far has only been Windows and Android malware. But that’s not to say that there couldn’t be variations for the Mac, or potentially even for iOS too. There are attacks like this that could be used against you, regardless of your platform. So just something to be aware of.

The Nokia G22 phone has basic user repairability

Kirk McElhearn 22:09
Okay, now, we talked a while ago about Google’s whining about the green bubble and the blue bubble with iMessage, and that they’re unhappy. Microsoft came up with something which is kind of a halfway solution. They have an app called Phone Link that lets you use iMessage on your Windows PC. It connects to your iPhone through Bluetooth. And it kind of acts like a, what would you call it, a translator, from iMessage to whatever the Windows messaging app is. There are some downsides to this. First of all, I don’t see either green or blue bubbles in the screenshot here. Second of all, you can’t use images. And third, you can’t use group chats. So these are a lot of limitations, just to be able to type your messages on your Windows computer instead of your iPhone.

Josh Long 22:58
Right? Well, so we looked into this and from all the articles that are written about this, including on Microsoft’s own official website, they never say that they’ve actually partnered with Apple or that they’re, you know, officially using some sort of Apple, you know, Application Programming Interface or something like that. They don’t say exactly how they’re going about this, they might just be doing this completely on their own without Apple’s blessing, which kind of makes sense with how kludgy this seems, because the things that you can do are you can send text-based messages through iMessage, if your iPhone is linked up with your Windows 11 PC. What you can’t do is you can’t participate in group chats, and you can’t send photos or videos. And the implication there, I think also, is that you probably can’t see photos or videos. I’m not 100% sure about that. But you know, these are some awkward limitations. I don’t know exactly how that works in practice, like if somebody sends you a picture or video, does it notify you on your Windows PC that somebody did and that you’re going to have to look at your iPhone to see it. It’s not really clear. But in any case, it is kind of interesting, you know, iMessage is now kind of sort of available on Windows, as long as you’ve got your iPhone nearby and have it linked up with your Windows PC.

Kirk McElhearn 24:23
Okay, we don’t really talk about Android phones often but I saw something that piqued my interest. There is a Nokia phone, the G22, that’s coming out in a few days. And it is designed to be repaired in minutes. You can repair the screen, the battery, back panel and the charging plug, I believe, and what you do is you go to iFixit, you buy a kit, which includes the part you need and the tools you need to make the repair. This is really inexpensive. It’s gonna go for 150 pounds in the UK. It’s not going to be sold in the US. It’s going to be sold in a number of global markets in Europe and other places. And it is very interesting given what Apple does. To do home repairs, you have to have like this 70 pound kit of tools to take the screen off and all that. And here you can do it in, they say you can replace a battery in five minutes and a screen in about 20 minutes. I think this is a good way moving forward to make telephones a little bit more sustainable.

Josh Long 25:19
Now, you know, Apple has history over the past several years, we’ve become less and less easily repairable. Generally speaking with Apple products, Apple has been trending that direction for a very long time. And we’re really at the point now where your best bet really, if you need to get any hardware repaired on an Apple device, is to take it to an Apple Store. Or if you have no Apple Store nearby, then either an authorized repair shop, or getting one of these giant kits and doing it yourself, which of course has a lot of risks involved. And, you know, because there’s so much competition in the Android market, this is one way that Android phone manufacturers can differentiate themselves, they can get a high repairability score from iFixit. You know, if that’s one of the selling points that they wanted to make the case that you should get their phone instead of somebody else’s, that’s something they can use to differentiate themselves. And I think this is a brilliant move on Nokia’s part. Also, the price point is really great on the phone. Unfortunately, yeah, as you mentioned, it’s not available in the US. But this is a good way to go. Especially if you’re the kind of person who does tend to drop your phone a lot and might need to replace the screen. Being able to do that as cheaply and quickly as they’re saying that you can do this with iFixit tools and parts. This seems like a great way to go for at least a certain percentage of people who are interested in using a repairable Android phone.

Kirk McElhearn 26:53
It’s worth noting that there’s a 50 megapixel camera, which is more than what’s in Apple’s iPhone. You can put a microSD card in to have up to two terabytes of storage, which would cost you, I don’t know, 50 pounds or something for that compared to hundreds of thousands, or hundreds of dollars, to get more storage in an iPhone. It’s waterproof. And so that’s why you need a tool to take the back panel off. Now Josh, you were showing before the show, you have a 10 year old Samsung phone where you just pop the back off, and you can replace the battery. But of course, it’s not waterproof. I think it’s probably better to have waterproof. You get two years of Android upgrades and three years of security updates. And I think it’s interesting that on Android, this is actually in the specs for a phone. Now this is a selling point to say how long you’re going to get upgrades, whereas with Apple, you just assume there’s going to be at least five years it’s going to be supported.

Josh Long 27:42
Yeah. And I actually do like this, although the period of time, at least in this particular case, is, in my opinion, not very long for a phone. You know, there are a lot of people who buy a new phone every year, or maybe every other year, depending on a lot of factors. Maybe they want to have the latest technology, or maybe they don’t care about it. Maybe they want to upgrade as soon as their carrier says they’re eligible for an upgrade. But not everybody does that. And some people just want to hang on to the phone that they already are used to, that works just fine for their needs, and use that as long as they want. And well, you can’t always do that with any phone. Because ultimately, you’re gonna get to that point where, at least if you want security updates, which, you know, you should, then you’re probably going to have to upgrade your phone to a newer model at some point. But I do like at least that they’re giving you the specifics on when security updates are going to be available until what date. By the way, the other thing is with Android devices, you can often get a third-party version of Android that is just as safe and secure, and it’s designed to run on older hardware. LineageOS is one that I think we’ve mentioned before on the podcast. That’s what I’ve got installed on this 10 year old Samsung phone that is almost useless, really, at this point. But LineageOS and many others like it can be compatible with a lot of different hardware. So even if official stock Android doesn’t work on your phone anymore, even if it’s not supported, you can often still get a third-party version of Android that’s going to be fully up to date, give you all the security updates. So how does this relate to Apple? First of all, I know that a lot of Mac users also use an Android phone. So it’s worth mentioning for that reason, but also it’s something that I think Apple could do better at, right? They can look at examples like this and say, you know, maybe we should be more environmentally friendly. Maybe we should be more repairable or at least have a model of our phone that is better in that regard. Also, Apple could definitely learn from this in, you know, announcing, pre-announcing before you buy a product, when is going to be the last date that you’re going to be able to get security updates for it. Apple has never done this with any product to my knowledge. Please, if you know of any, correct me: podcast@intego.com. Send me an email. But I am not aware of any case where Apple has ever said we’re going to release security updates until this date for this product. In fact, by the way, I mentioned this all the time, but this really bugs me. An Apple Watch Series 3 is still being sold refurbished on Apple’s website as of today. I just checked the other day, and it can only run watchOS 8, which has not had any security updates since watchOS 9 came out. So you know, Apple really needs to improve in this regard.

Kirk McElhearn 30:39
Okay, that’s enough for this week. Until next week, just stay secure. All right, stay secure.

Voice over 30:45
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. Intego.com.


If you like the Intego Mac Podcast, be sure to rate and review it on Apple Podcasts.

Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
