MacRumors

macrumors bot
Original poster
Apr 12, 2001
55,435
17,776



Mac owners who have recently downloaded Elmedia Player or Folx from Eltima Software may have unwittingly installed malware on their machines, reports ZDNet.

Downloads of Folx and Elmedia player were infected with Proton, a Remote Access Trojan, after Eltima's servers were hacked. The Proton backdoor lets attackers access browser information, keylogs, usernames, passwords, macOS keychain data, and more.

In an email to ZDNet, an Eltima spokesperson said that the malware was distributed with downloads as a result of their servers being "hacked" after attackers "used a security breach in the tiny_mce JavaScript library on our server."
The compromised software was discovered on October 19, and customers who downloaded software from Eltima on that date before 3:15 p.m. Eastern Time may be affected by the malware. The following files will be found on an infected system:

- /tmp/Updater.app/
- /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
- /Library/.rand/
- /Library/.rand/updateragent.app/

Apple and Eltima have disabled the developer ID that was used to sign the Proton-infected software bundle, and Eltima is working with Apple to figure out what happened.

Anyone who was impacted by the malware will need to reinstall macOS to get rid of it. Eltima says it has taken action to prevent further attacks and improve its server security. Clean versions of Elmedia Player and Folx are now available from the Eltima website.

Article Link: Eltima Software's Elmedia Player and Folx Infected With Malware
 

MikeAnd

Suspended
Jan 8, 2008
105
112
Does this affect those that downloaded Elmedia from the app store?
It sounds like not, since according to Eltima, "Only Elmedia Player and Folx version downloaded from our official Eltima website was infected by this malware. However, the built-in automatic update mechanism is unaffected based on the data available to our cybersecurity experts."

Also note that the App Store version hasn't been updated since Jul 3.
 

msandersen

macrumors regular
Jan 7, 2003
217
31
Sydney, Australia
A timely reminder for me to do a complete system backup with Carbon Copy Cloner, which I was gonna do anyway before upgrading my system. Of course, if I had been infected, it would have been too late, if the only remedy is to reinstall. Drastic measure. At least, once done, you have a clean bootable system to revert to.
That is a heck of a removal procedure. Is there really no way to purge this without a full OS reinstall?
Presumably since this is a Trojan backdoor, not only can they control your system remotely, stealing your passwords, files etc, but they can install anything anywhere they want, and you have no way of knowing what, hence a clean install is the only way to be sure.
 

fairuz

macrumors 68020
Aug 27, 2017
2,486
2,589
Silicon Valley
A timely reminder for me to do a complete system backup with Carbon Copy Cloner, which I was gonna do anyway before upgrading my system. Of course, if I had been infected, it would have been too late, if the only remedy is to reinstall. Drastic measure. At least, once done, you have a clean bootable system to revert to.
Presumably since this is a Trojan backdoor, not only can they control your system remotely, stealing your passwords, files etc, but they can install anything anywhere they want, and you have no way of knowing what, hence a clean install is the only way to be sure.
Agreed. If I ever found that my computer was infected, I'd reformat the boot disk, create a new user, and migrate stuff manually. Not taking any chances. It's also not really that hard to do. The hard part might be changing all your important passwords if you think they were stolen.

By the way, how does this get into your Keychain?
 

Sunday Ironfoot

macrumors regular
Apr 14, 2011
213
382
...attackers "used a security breach in the tiny_mce JavaScript library on our server...

Wait, isn't that a client-side JavaScript library (i.e. it runs in the web browser)? How would this allow a hacker to gain access to a remote server?
 

Scooz

Suspended
Apr 9, 2012
339
348
Since I already suspected Eltima of being some agency outlet, as their software portfolio seems too good and diverse to be true, with deep roots into the system and network level while regularly lacking the last bit of polish, I am not surprised. :cool:

So I guess they are just checking out Apple’s internal procedures for further infiltration now. :eek:

Of course, if they’re not the dark hats themselves, they are a perfect target for the same reasons...

But then their strange office address...

Ah, have to hide...

</tinfoil>
 

Daruntim

macrumors newbie
Apr 9, 2012
3
0
I have Elmedia Player on my Mac; I downloaded it a few months ago and I don't have any problems with my Mac now. From the information I've found, the malware problem touches just the Mac users who could have downloaded the infected dmg file on 19 October during some hours; the problem was solved fast enough and most sources have already announced that everything is OK (like welivesecurity.com), so there is nothing to worry about.
 

justperry

macrumors G5
Aug 10, 2007
12,232
9,402
I'm a rolling stone.
I use Little Snitch to disallow any internet traffic I don't trust; it's set to only allow access to the internet when a VPN is active. Even if I got this malware I'd see what's going on and wouldn't allow incoming or outgoing access to my Mac.
It's not waterproof, but much better than without LS and a VPN.
 

justperry

macrumors G5
Aug 10, 2007
12,232
9,402
I'm a rolling stone.
Why isn't this the top story and not just on the sidebar where it might be overlooked?

Maybe just because it's not so widespread, unlike Crack WPA; it seems this malware was downloadable for a very short time only and for an app which isn't so popular. The App Store app wasn't affected, only the one which was on their own servers.
 

johannnn

macrumors 68000
Nov 20, 2009
1,951
1,802
Sweden
I had Transmission, their servers got infected.
I had Handbrake, their servers got infected.
I was trying out Elmedia Player, their servers got infected.

.. This is why I only use AppStore apps now. Apple's vetting may not be 100% accurate, but at least they have a vetting process.

Luckily my needs are not very complicated, so I can usually find alternatives on the AppStore.
 

allantodd8

Suspended
Oct 24, 2011
138
18



Hello, everyone!

We are very sorry that such a thing happened with our apps.

On the 19th of October we were contacted by the malware research company ESET, reporting that our servers had been hacked and we had distributed malware in the DMG files of two of our apps: Folx and Elmedia Player.

Hackers used a security breach in the tiny_mce JavaScript library on our server.

Only the version downloaded from our website contained the trojanized application. The built-in automatic update mechanism is unaffected.

The Mac App Store version was not infected and remains safe.

We worked with the ESET team and Apple representatives and took all the necessary actions to stop the distribution of this malware successfully.

We now officially announce that it is absolutely safe for users to download Elmedia Player, Folx, and other Eltima Software applications.
 

allantodd8

Suspended
Oct 24, 2011
138
18
Does this affect those that downloaded Elmedia from the app store?
No. It's safe.

That is a heck of a removal procedure. Is there really no way to purge this without a full OS reinstall?
ESET recommends doing a system check to confirm whether your system was compromised or not. Then it will be clear whether it's necessary to reinstall the OS.

Maybe just because it's not so widespread unlike Crack WPA, it seems this malware was downloadable for a very short time only and for an App which isn't so popular, the Appstore App wasn't affected, only the one which was on their own servers.

You are right. The malware-infected player was not widely spread. Our urgent actions prevented this.
 

mkeeley

macrumors 6502
Sep 18, 2007
444
878
You are right. The malware-infected player was not widely spread. Our urgent actions prevented this.

That doesn't help the people it has infected, and it should be a headline because of how serious it is for those people. Also, what does "not widely" mean: 1, 100, 1000, a million?
 

justperry

macrumors G5
Aug 10, 2007
12,232
9,402
I'm a rolling stone.
OMG I downloaded Airy on 19 October from your website. Is my Mac at risk? How do I know????

:eek::eek::eek::eek:

@camelia
Edit: You downloaded Airy, it is not affected as per the above article
If you downloaded Folx and/or Elmedia Player you might be.


You can read it in the main article on top of this page.

If there are these files in those locations on your disk you are infected.

- /tmp/Updater.app/
- /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
- /Library/.rand/
- /Library/.rand/updateragent.app/

Edit:
In Finder, click Go > Go to Folder, then type in each of these paths:

- /tmp/ : if Updater.app is there, you are infected.
- /Library/LaunchAgents/ : if com.Eltima.UpdaterAgent.plist is there, you are infected.
- /Library/ : if .rand/ is there, you are infected.
- /Library/.rand/ : if updateragent.app is there, you are infected.
 
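One practical wrinkle with the Finder procedure above: /Library/.rand is a dot-folder, so Finder will not list it when you browse /Library/ unless hidden files are toggled on (Command-Shift-period) or the full /Library/.rand/ path is typed into Go to Folder. The script below is an added example, written for this thread and not taken from Eltima, ESET or the article; it checks the same four indicator paths quoted in the article and in the post above, and takes a root directory argument so the check can also be run against a mounted clone or backup from a known-clean Mac rather than only on the live host. The PROTON_IOCS list and the function names count_proton_iocs and proton_verdict are my own. Absence of these four paths only means these particular indicators are not present; it is not a general clean bill of health.

```shell
#!/bin/sh
# Added example (not code from the thread, ESET or Eltima): scan a macOS
# volume for the Proton/Eltima indicator paths quoted in the thread.
# ROOT defaults to "/" but can point at a mounted backup or clone so the
# check can be run from a clean system instead of the suspect one.

# Indicator paths as listed in the thread. None contain spaces, so plain
# word splitting in the for-loop below is safe.
PROTON_IOCS="
/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app
"

# count_proton_iocs ROOT
# Prints each indicator found under ROOT to stderr and the total count to
# stdout. -e is used rather than -d/-f because the .app entries are
# directories while the plist is a file; the shell also sees dot-folders
# such as /Library/.rand that Finder hides by default.
count_proton_iocs() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so the paths stay absolute
    found=0
    for ioc in $PROTON_IOCS; do
        if [ -e "$root$ioc" ]; then
            printf 'FOUND: %s\n' "$root$ioc" >&2
            found=$((found + 1))
        fi
    done
    printf '%s\n' "$found"
}

# proton_verdict ROOT
# Prints "clean" when none of the indicators exist, otherwise "infected".
# A single hit is enough: the advice in the thread is to treat the Mac as
# compromised and rebuild it, not to delete the four paths by hand.
proton_verdict() {
    n=$(count_proton_iocs "${1:-/}")
    if [ "$n" -gt 0 ]; then
        printf 'infected (%s indicator(s) present)\n' "$n"
    else
        printf 'clean\n'
    fi
}

# Usage: sh check_proton.sh            (scans the running system)
#        sh check_proton.sh /Volumes/Backup   (scans a mounted clone)
proton_verdict "${1:-/}"
```

Run it with sudo only if /Library/.rand turns out to be unreadable by your account; the four paths are normally world-readable, and the script needs no privileges to test for their existence.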

UL2RA

Suspended
May 7, 2017
999
1,617
This is getting ridiculous. Devs need better means of data integrity before distributing their software. The worst being the recent CCleaner fiasco, which is ironic considering it’s owned by an anti-virus company now.
 

MH01

Suspended
Feb 11, 2008
12,107
9,297
I had Transmission, their servers got infected.
I had Handbrake, their servers got infected.
I was trying out Elmedia Player, their servers got infected.

.. This is why I only use AppStore apps now. Apple's vetting may not be 100% accurate, but at least they have a vetting process.

Luckily my needs are not very complicated, so I can usually find alternatives on the AppStore.

Please tell us what other software you use :p
 