Official version of Mac app Transmission contained ransomware


The official version of the bittorrent client Transmission for OS X devices contained ransomware. The ransomware, KeRanger, was in version 2.90. It is unknown how an infected version came to be distributed via Transmission's own site.

Transmission's site is currently displaying a warning urging anyone who has installed version 2.90 of the client on their OS X device to download an update immediately. Version 2.92 removes the ransomware named KeRanger. It is unknown how many people have fallen victim to the malware, which encrypts files on the device and makes them available to users again for one bitcoin, currently about 368 euros.

Security firm Palo Alto Networks found the malware. KeRanger got past Apple's Gatekeeper security because it used a valid developer certificate. The attackers replaced the version on the site with their own variant containing KeRanger. That points to a hack of the site, but the developer of Transmission has not yet confirmed it.

Apple has revoked the certificate of the compromised version of Transmission, preventing OS X users from opening the variant with KeRanger. Because the compromised version was compiled and put online last Friday and Palo Alto Networks notified Apple on the same day, the number of victims will be limited. In addition, it only affected users who downloaded the dmg file from the site, not those who updated Transmission from within the program itself. According to Palo Alto, KeRanger is also still under development: there is unused code in the malware, for example to encrypt Time Machine backups.

It is not the first ransomware discovered for OS X. Kaspersky discovered Filecoder a few years ago, but it was still unfinished at the time of discovery and pointed to a local computer as its command and control server.
