Eltima Software's Elmedia Player and Folx Infected With Malware

Discussion in 'Mac Blog Discussion' started by MacRumors, Oct 20, 2017.

  1. MacRumors macrumors bot


    Apr 12, 2001

    Mac owners who have recently downloaded Elmedia Player or Folx from Eltima Software may have unwittingly installed malware on their machines, reports ZDNet.

    Downloads of Folx and Elmedia player were infected with Proton, a Remote Access Trojan, after Eltima's servers were hacked. The Proton backdoor lets attackers access browser information, keylogs, usernames, passwords, macOS keychain data, and more.

    The compromised software was discovered on October 19, and customers who downloaded software from Eltima on that date before 3:15 p.m. Eastern Time may be affected by the malware. The following files will be found on an infected system:

    - /tmp/Updater.app/
    - /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
    - /Library/.rand/
    - /Library/.rand/updateragent.app/

    Apple and Eltima have disabled the developer ID that was used to sign the Proton-infected software bundle, and Eltima is working with Apple to figure out what happened.

    Anyone who was impacted by the malware will need to reinstall macOS to get rid of it. Eltima says it has taken action to prevent against further attacks and improve its server security. Clean versions of Elmedia Player and Folx are now available from the Eltima website.

    Article Link: Eltima Software's Elmedia Player and Folx Infected With Malware
  2. miscend macrumors regular

    Nov 5, 2009
    Does this affect those that downloaded Elmedia from the app store?
  3. MikeAnd macrumors member

    Jan 8, 2008
    It sounds like not, since according to Eltima, "Only Elmedia Player and Folx version downloaded from our official Eltima website was infected by this malware. However, the built-in automatic update mechanism is unaffected based on the data available to our cybersecurity experts."

    Also note that the App Store version hasn't been updated since Jul 3.
  4. Makosuke macrumors 603

    Aug 15, 2001
    The Cool Part of CA, USA
    That is a heck of a removal procedure. Is there really no way to purge this without a full OS reinstall?
  5. coolfactor macrumors 68040

    Jul 29, 2002
    Vancouver, BC CANADA
    No kidding. I think that's a bit extreme, too. Likely just removing the files and restarting is enough, unless the infection is deeper.
  6. msandersen macrumors regular


    Jan 7, 2003
    Sydney, Australia
    A timely reminder for me to do a complete system backup with Carbon Copy Cloner, which I was gonna do anyway before upgrading my system. Of course, if I had been infected, it would have been too late, if the only remedy is to reinstall. Drastic measure. At least, once done, you have a clean bootable system to revert to.
    --- Post Merged, Oct 20, 2017 ---
    Presumably since this is a Trojan backdoor, not only can they control your system remotely, stealing your passwords, files etc, but they can install anything anywhere they want, and you have no way of knowing what, hence a clean install is the only way to be sure.
  7. fairuz macrumors 68000


    Aug 27, 2017
    Silicon Valley
    Agreed. If I ever found that my computer was infected, I'd reformat the boot disk, create a new user, and migrate stuff manually. Not taking any chances. It's also not really that hard to do. The hard part might be changing all your important passwords if you think they were stolen.

    By the way, how does this get into your Keychain?
  8. Sunday Ironfoot macrumors regular

    Apr 14, 2011
    Wait, isn't that a client-side JavaScript library (i.e. it runs on the web browser)? How would this allow a hacker to gain access to a remoter server?
  9. Scooz, Oct 20, 2017
    Last edited: Oct 20, 2017

    Scooz macrumors regular

    Apr 9, 2012
    Since I already suspected Eltima of being some agency outlet, since their software portfolio seems too good and diverse to be true and with deep roots into the system and network level while regularly lacking the last bit of polish, I am not surprised. :cool:

    So I guess they are just checking out Apple‘s internal procedures for further infiltration now. :eek:

    Of course, if they‘re not the dark hats themselves, they are a perfect target due the same reasons...

    But then their strange office address...

    Ah, have to hide...

  10. Amazing Iceman macrumors 68040

    Amazing Iceman

    Nov 8, 2008
    Florida, U.S.A.
    I always thought those companies installed adware on my Mac so I stayed away from them...
    This is unfortunate, but at least now I know they are legit. Hopefully they'll figure it out and protect themselves.
  11. Michaelgtrusa macrumors 604

    Oct 13, 2008
    This dev has an account here on MR, they gave out codes for their Mac app Photobulk.
  12. Daruntim macrumors newbie

    Apr 9, 2012
    I have Elmedia Player on my Mac, downloaded it few months ago and I don't have any problems with my Mac now. From the information I've found is that the problem of malware touches just the Mac users that could download infected dmg file on 19 October during some hours, the problem was solved fast enough and the most part of resources already announced that everything is ok already (like welivesecurity.com), so there is nothing to worry about.
  13. Wackery macrumors 6502a

    Feb 1, 2015
    optimistic thinking. No one’s downloading this anymore even if it’s fixed.
  14. justperry macrumors G3


    Aug 10, 2007
    In the core of a black hole.
    I use Little snitch to disallow any internet traffic I don't trust, it's set to only allow acces to the internet when a VPN is active, even if I got this malware I see what's going on and won't allow incoming nor outgoing acces to my Mac.
    It's not waterproof but much better than without LS and a VPN.
  15. mkeeley macrumors 6502

    Sep 18, 2007
    Why isn't this the top story and not just on the sidebar where it might be overlooked?
  16. justperry macrumors G3


    Aug 10, 2007
    In the core of a black hole.
    Maybe just because it's not so widespread unlike Crack WPA, it seems this malware was downloadable for a very short time only and for an App which isn't so popular, the Appstore App wasn't affected, only the one which was on their own servers.
  17. johannnn macrumors 65816


    Nov 20, 2009
    I had Transmission, their servers got infected.
    I had Handbrake, their servers got infected.
    I was trying out Elmedia Player, their servers got infected.

    .. This is why I only use AppStore apps now. Apple's vetting may not be 100% accurate, but at least they have a vetting process.

    Luckily my needs are not very complicated, so I can usually find alternatives on the AppStore.
  18. Kaibelf macrumors 68020


    Apr 29, 2009
    Silicon Valley, CA
    Can we just pin this artlcle as a quick reference for all the people who complain about not being able to side load apps outside of the legit iOS App Store as well?
  19. allantodd8 Suspended


    Oct 24, 2011

    Hello, everyone!

    We are very sorry that such thing happened with our apps.

    On the 19-th of October we were contacted by the malware research company ESET, reporting that our servers had been hacked and we distributed malware in DMG files of two our apps: Folx and Elmedia Player.

    Hackers used a security breach in the tiny_mce JavaScript library on our server.

    Only the version downloaded from our website contained the trojanized application. The built-in automatic update mechanism is unaffected.

    The Mac App Store version was not infected and remains safe.

    We worked with ESET Team and Apple representatives and made all the necessary actions to stop the distribution of this Malware successfully.

    We now officially announce that it is absolutely safe to download Elmedia Player, Folx, and other Eltima Software applications by users.
  20. allantodd8, Oct 21, 2017
    Last edited by a moderator: Oct 21, 2017

    allantodd8 Suspended


    Oct 24, 2011
    No. It's safe.

    Esete recommends to do a system check to confirm if your system was compromised or no. Then it will be slear if it's necessary to reinstall OS.

    You are right. Malwared player was not widely spreaded. Our urgent actions prevented this.
  21. mkeeley macrumors 6502

    Sep 18, 2007
    That doesn't help the people it has infected and it should be a headline because of how serious it is for those people. Also what does not widely mean, 1, 100, 1000, million?
  22. camelia macrumors regular


    Apr 3, 2015
    Mexico City
    OMG I download Airy on 19 October from your website, Is my Mac in risk? How do I know????

  23. justperry, Oct 21, 2017
    Last edited: Oct 21, 2017

    justperry macrumors G3


    Aug 10, 2007
    In the core of a black hole.
    Edit: You downloaded Airy, it is not affected as per the above article
    If you downloaded Folx and/or Elmedia Player you might be.

    You can read it in the main article on top of this page.

    If there are these files in those locations on your disk you are infected.

    - /tmp/Updater.app/
    - /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
    - /Library/.rand/
    - /Library/.rand/updateragent.app/

    In Finder click on Go-Go to Folder
    Next type in

    if Updater.App is there you are infected.
    If com.Eltima.UpdaterAgent.plist is there you are infected.
    If .rand/ is there you are infected.
    If updateragent.app is there you are infected.
  24. UL2RA Suspended

    May 7, 2017
    This is getting ridiculous. Devs need better means of data integrity before distributing their software. The worst being the recent CCleaner fiasco, which is ironic considering it’s owned by an anti-virus company now.
  25. MH01 Suspended


    Feb 11, 2008
    Please tell us what other software you use :p

Share This Page