Mac Users Be Cautious: AMOS Malware Imitates Wallet Apps Targeting Your Crypto


Attention Mac Users: AMOS Malware Threat Targets Wallet Applications

Researchers have documented a new capability in the AMOS malware targeting Mac users: it can now mimic wallet applications such as Ledger Live. Security firms are warning Mac users who hold cryptocurrency to remain vigilant.

Overview of AMOS Malware

The malware, known as “Atomic macOS” or “AMOS,” is reported to be able to impersonate wallet applications and steal the data needed to access users’ cryptocurrency.

Current Threat Landscape

A report from cybersecurity firm Moonlock Lab reveals that AMOS is experiencing a resurgence, distributed through Google Ads that pose as downloads of legitimate macOS applications. Some of the apps it has impersonated include:

  • Loom (screen sharing app)
  • Figma (design tool)
  • Tunnelblick (VPN)
  • Callzy (messaging app)

These impostor versions are not affiliated with, or authorized by, the original developers of those applications.

How the Malware Operates

Moonlock’s researchers identified the malware while investigating a version masquerading as Loom. Clicking the advertisement sent them through smokecoffeeshop.com, which redirected to a fraudulent Loom website.

Instead of the genuine Loom application, the download offered on that site was a sophisticated variant of the AMOS malware. The chain of an ad click, an unrelated intermediate domain and a look-alike landing page is the pattern to watch for.

AMOS fake website comparison
Comparison between authentic and counterfeit Loom website. Source: Moonlock Lab.

Evolution of AMOS

AMOS is not a new threat; it has been reported since April 2023. It was marketed on Telegram as a subscription service available to cybercriminals for $1,000 per month and could target more than 50 types of cryptocurrency wallets, including:

  • Electrum
  • MetaMask
  • Coinbase
  • Binance
  • Exodus
  • Atomic
  • Coinomi

The malware steals wallet data, including key vault files, which can allow attackers to access victims’ funds once the files are decrypted or the passwords are obtained.

AMOS attacking cryptocurrency wallets
AMOS targeting cryptocurrency wallets. Source: Cyble Research and Intelligence Labs

New Capabilities of AMOS

According to Moonlock, an updated version of the malware can clone specific wallet applications and use the clone to compromise victims’ wallets. Notably, it has been observed imitating Ledger Live, the companion application used by Ledger hardware wallet owners.

Ledger devices keep private keys on the hardware wallet itself, so malware running on the Mac cannot read them directly. The cloned application instead presents deceptive prompts inside a familiar-looking interface, tricking users into actions that hand their cryptocurrency to the attackers.

Potential Future Threats

Moonlock has indicated that future variations of AMOS could potentially target other wallet applications as well, including software wallets like MetaMask and Trust Wallet, making the threat even more serious.

Users running crypto wallet software on a Mac should be particularly cautious, especially because AMOS is distributed via Google Ads. Verify the legitimacy of any download that originates from a banner or display ad: check that the site you actually land on is the vendor’s own domain, not an intermediate or look-alike host.

When in doubt about a website’s authenticity, search for the application’s name and review the organic results rather than the sponsored ones; scam sites rarely rank highly in organic results, although this is a heuristic, not a guarantee.
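The redirect chain described in the Loom case and the advice above both come down to one check: does the host you are downloading from belong to the vendor’s real domain? The following is an added example written for this page (not code from Moonlock or from the original article) that applies that check to each hop of an ad click. The vendor allowlist, the hypothetical fake host loom-download.example and the sample chains are constructed for illustration; the suffix comparison and IDNA normalization catch the common tricks of prefixing the real domain (loom.com.evil.example), hiding it in the userinfo part of the URL, and using Unicode look-alike letters.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration: the registrable domains each vendor
# publishes software from. Take these from the vendor's own documentation,
# never from the ad or the landing page you are trying to check.
OFFICIAL_DOMAINS = {
    "loom": {"loom.com"},
    "figma": {"figma.com"},
    "tunnelblick": {"tunnelblick.net"},
}

def url_host(url: str) -> str:
    """Hostname of a URL in ASCII (IDNA) form, lowercased, without port,
    userinfo or trailing dot. Returns '' if no hostname can be parsed."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        # Unicode look-alikes (e.g. Cyrillic letters) become xn-- labels here,
        # so they can never compare equal to the ASCII vendor domain.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return ""

def host_belongs_to(host: str, domain: str) -> bool:
    """True only for `domain` itself or a genuine subdomain of it.
    'loom.com.evil.example' is rejected: the comparison is on the suffix."""
    return host == domain or host.endswith("." + domain)

def check_download_url(app: str, url: str) -> tuple[bool, str]:
    """Decide whether `url` is a legitimate download location for `app`."""
    host = url_host(url)
    if not host:
        return False, "could not parse a hostname from the URL"
    for domain in OFFICIAL_DOMAINS.get(app.lower(), ()):
        if host_belongs_to(host, domain):
            return True, f"{host} belongs to official domain {domain}"
    return False, f"{host} is not an official {app} domain"

def check_redirect_chain(app: str, hops: list[str]) -> tuple[bool, list[str]]:
    """Check every hop of an ad click chain. The verdict is driven by the
    final landing page; unofficial intermediate hosts are reported as well."""
    notes = []
    for i, hop in enumerate(hops):
        ok, why = check_download_url(app, hop)
        notes.append(f"hop {i}: {'OK ' if ok else 'BAD'} {why}")
    final_ok = bool(hops) and check_download_url(app, hops[-1])[0]
    return final_ok, notes

if __name__ == "__main__":
    # Constructed chain modelled on the article's description: the ad click
    # passes through smokecoffeeshop.com to a fake Loom page. The final host
    # is a hypothetical placeholder, not the real site from the report.
    fake_chain = [
        "https://smokecoffeeshop.com/go",
        "https://loom-download.example/app/Loom.dmg",
    ]
    real_chain = ["https://www.loom.com/download"]
    for chain in (fake_chain, real_chain):
        verdict, notes = check_redirect_chain("loom", chain)
        print("legitimate" if verdict else "SUSPICIOUS", *notes, sep="\n  ")
```

The host check is deliberately a suffix match on the registrable domain rather than a substring search, because a substring search would accept loom.com.smokecoffeeshop.com. Note that a correct domain is necessary but not sufficient: a signed, notarized installer from that domain is still the thing to verify before opening anything.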

Ongoing Malware Concerns

Despite Google’s efforts to filter malicious software from its advertising platform, the protection is not foolproof. Malware remains a significant threat in the cryptocurrency space, and AMOS is not the only recent example uncovered by cybersecurity researchers:

  • Check Point Research discovered a “stealer” program that drains crypto through “clipping,” that is, silently replacing a wallet address the victim has copied to the clipboard with an attacker-controlled address before it is pasted into a transaction.
  • Kaspersky Labs reported a malware named “Durian” used in attacks on cryptocurrency exchanges.
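Clipping works because a long wallet address is rarely re-read before sending. The following is an added example written for this page (not code from Check Point’s report or from the original article) showing both sides of the technique: what a clipper does to clipboard text, and the defensive comparison that catches it. The address patterns are simplified (no checksum validation, no Taproot addresses) and the attacker addresses are constructed placeholders that match the patterns but are not real, spendable addresses.

```python
import re

# Simplified address patterns, constructed for illustration only: no checksum
# validation, no bech32m/Taproot, no other chains.
ADDRESS_PATTERNS = {
    "btc": re.compile(
        r"\b(?:bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
    ),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed placeholders for the attacker's drop addresses. Both match the
# patterns above but have invalid checksums, so they are not real addresses.
ATTACKER_ADDRESSES = {
    "btc": "bc1" + "q" * 39,
    "eth": "0x" + "dead" * 10,
}

def extract_addresses(text: str) -> list[tuple[str, str]]:
    """All wallet-address-looking tokens in `text`, tagged with their kind,
    in the order they appear."""
    found = []
    for kind, pat in ADDRESS_PATTERNS.items():
        for m in pat.finditer(text):
            found.append((m.start(), kind, m.group(0)))
    return [(kind, addr) for _, kind, addr in sorted(found)]

def clip(text: str) -> str:
    """What a clipper does to clipboard contents: every recognised address is
    swapped for the attacker's address of the same kind. Text without an
    address passes through unchanged, so the victim notices nothing in
    ordinary copy-and-paste."""
    for kind, pat in ADDRESS_PATTERNS.items():
        text = pat.sub(ATTACKER_ADDRESSES[kind], text)
    return text

def clipboard_tampered(copied: str, about_to_paste: str) -> bool:
    """Defensive check: did the set of addresses change between what was
    copied and what is about to be pasted? Comparing the two catches a
    clipper no matter which replacement address it chose."""
    return extract_addresses(copied) != extract_addresses(about_to_paste)

if __name__ == "__main__":
    # Constructed clipboard contents. The BTC address is the example address
    # from BIP 173, used here only as a realistic-looking input.
    copied = "Send 0.5 BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq please"
    pasted = clip(copied)
    print("copied :", copied)
    print("pasted :", pasted)
    print("tampered:", clipboard_tampered(copied, pasted))
```

The practical lesson is the one the defensive function encodes: compare the first and last characters of the address you are about to send against the one you intended, or better, confirm it on a hardware wallet’s own screen, because the clipboard on a compromised machine cannot be trusted.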

Cybersecurity vigilance is crucial for all cryptocurrency users as threats continue to evolve and pose risks.
