First Fake Installer Trojan Hits OS X

SMSSend 3666

Just breaking via TNW, a new Trojan named “Trojan.SMSSend.3666” has been found by the security firm Doctor Web. The fake installer asks the victim to put in their mobile number to receive a code. This, then triggers an automatic subscription fee tacked onto the users’ account. While these fake installers are common for Windows users, this is the first time one has been found for Macs.

TNW pointed out in their post—First OS X Fake Installer Malware Spotted—that the installer may or may not even install the app people think they are getting, but that doesn’t matter if the bad guys already have you on the hook for their subscription fee:

A new Trojan for Mac has been discovered that mimics the actions of an installer. The malware attempts to monetize the attack by having users enter their mobile phone numbers for the purpose of “activation.”


In order to continue the “installation process,” the user is prompted to enter their cellphone number into the corresponding field and then input a code they are to receive via SMS. By doing so, the user is charged a subscription fee debited to their mobile phone account on a regular basis.

After that, the cybercriminal has achieved his or her goal. The installer in question doesn’t even have to complete: Doctor Web says it has found installers that install the legitimate apps they claim to mimic, which are of course also available for free on their corresponding official sites, as well as ones that contain meaningless data.

Details on this trojan can be found on the Dr.Web post.

How to prevent this? Well this is where the new software protections built into Mountain Lion come in. If you have your security settings set to only the “Mac App store and identified developers”:

2012 12 11 13 56 11

Then your risk is much lower. If you have it set to “Anywhere” and download software from any place on the net, well, you might pick up something unexpected with that installer.

Downloader beware.