How to protect your Mac from DevilRobber malware

First uncovered in 2011, in the relatively early days of Bitcoin mining and mania, DevilRobber is a Bitcoin-mining backdoor Trojan, also known as OSX/Miner-D. It also steals user data, commands, and other input from Mac owners, opening an unwanted route into your Mac from the world of illegal web activity.

Although it was first detected in 2011, security experts and antivirus vendors report that it is still the second most widespread Mac malware variant in the world. Newer versions turn over computing power to mine other cryptocurrencies, including Ethereum and Monero.

An increase in the number of detections in 2017 coincides with the Initial Coin Offering (ICO) craze during that year and into 2018. DevilRobber now accounts for 21.6% of all global malware detections on Macs, according to Symantec.

What is DevilRobber, and how do you detect the infection?

DevilRobber is a version of malware known as a Trojan, capable of taking control of a Mac or at least a percentage of its operating capacity. Originally distributed via torrent websites, such as PirateBay, it was hidden within Mac OS X versions of the image editing app GraphicConverter version 7.4.

At the time, that app was being distributed without the developers’ knowledge, so it is unlikely that they wanted their app used as a vehicle for a global Trojan. After the download, infected Macs became sluggish: they loaded more slowly and struggled to run apps or games that had previously run smoothly.

DevilRobber cannot operate without slowing a Mac down. Once installed, it uses your GPU (Graphics Processing Unit) and CPU (Central Processing Unit) to mine Bitcoin. Mining Bitcoin takes a lot of processing power, so how much you notice depends on how much spare capacity you have at the time of infection. When you run a heavier application, your Mac can struggle to do everything it needs to under the extra strain DevilRobber puts on it.

When DevilRobber is on your Mac, the Trojan also consumes extra broadband data, which can cost you more money depending on your internet contract and fair-usage rules.

Not only does DevilRobber make your Mac and your broadband connection work harder (for as many hours as your Mac is running), but it also takes screenshots. It steals user data and passwords and trawls through browser history and plug-ins. In the background, it runs a script that stores everything in a file known as dump.txt and then sends that information to a command-and-control server.

One thing it does that most malware and Trojans don’t is search for files labeled “pthc.” On the dark web, these are sometimes linked to child pornography, suggesting it was partly designed either to uncover more of this abuse or to send any evidence to the server running the malware.

DevilRobber will also steal any Bitcoin wallets it finds on a Mac, giving the creators of this virus an immediate monetary gain.

Since it was originally launched, its creators have found new ways to distribute the software and new apps to hide it within. It has clearly become more sophisticated, infecting millions of Macs and being used to mine cryptocurrencies that didn’t exist, or were very new, when it was first created. If you’ve noticed your Mac running slowly, you could be a victim.

How to remove DevilRobber

As with all Trojans and other malware, DevilRobber is good at hiding. Even though this one shows an outward sign of infection (your Mac running slowly), the files that make up the virus are going to be well hidden.

Removing it manually means trawling through files and folders, looking for files and extensions you don’t recognize. Unfortunately, it won’t label them DevilRobber so that they are easy to find, and chances are there will be dozens of them, if not more, giving it the processing power to steal data and mine cryptocurrencies.

If you are able to search through your Application and Library folders and other locations and find everything that looks suspicious, drag it all to Trash and then empty the Trash. It may be worth shutting your Mac down and starting it again, just to make sure it is running smoothly. Be very careful when removing any virus manually: it is difficult to know whether you have found all of the files and folders, and the last thing you want is to remove something your Mac needs by mistake.
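The manual checks above (an unfamiliar process eating CPU, a dump.txt staging file, and launch items you don’t recognize) can be scripted. The following shell script is an added example written for this article; it is not code from the article, from CleanMyMac X, or from any other vendor. The 50% CPU threshold, the launchd directories it lists, and the `--scan` flag are assumptions chosen for illustration; the dump.txt file name comes from the article itself.

```shell
#!/bin/sh
# Added example for this article (not code from the article or from CleanMyMac):
# three defender-side checks for the symptoms described above. The 50% CPU
# threshold, the directories scanned and the sample data used to test it are
# assumptions chosen for illustration, not a DevilRobber indicator list.

# Read "pid %cpu command" lines on stdin (the shape produced by
# `ps -A -o pid=,pcpu=,comm=`) and print those using at least $1 percent CPU.
# A cryptominer shows up here as an unfamiliar process pinned near the top.
flag_cpu_hogs() {
    limit="${1:-50}"
    awk -v limit="$limit" 'NF >= 3 && ($2 + 0) >= (limit + 0) { print }'
}

# Print every launchd property list directly inside the directories given as
# arguments. User-level persistence usually means a plist in one of these, so
# each entry is worth recognising; directories that do not exist are skipped.
list_launch_items() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f -name '*.plist' 2>/dev/null || :
    done
}

# Print the path of every file named dump.txt below the given root. The article
# names dump.txt as the file DevilRobber stages stolen data in before sending
# it to its command-and-control server.
find_dump_files() {
    root="${1:-$HOME}"
    find "$root" -type f -name 'dump.txt' 2>/dev/null || :
}

# Run all three checks against the live system (macOS paths assumed).
run_checks() {
    cpu_limit="${CPU_LIMIT:-50}"
    echo "== Processes using at least ${cpu_limit}% CPU =="
    ps -A -o pid=,pcpu=,comm= | flag_cpu_hogs "$cpu_limit"
    echo "== Launch items to review =="
    list_launch_items "$HOME/Library/LaunchAgents" \
        /Library/LaunchAgents /Library/LaunchDaemons
    echo "== dump.txt files under $HOME =="
    find_dump_files "$HOME"
}

# Only touch the live system when invoked as `sh devilrobber_check.sh --scan`.
case "${1:-}" in
    --scan) run_checks ;;
esac
```

Run it with `sh devilrobber_check.sh --scan` and read the output as a review list rather than a verdict: a high-CPU entry you recognize (a video export, a game) is normal, while one you don’t is a reason to look closer; a launch item or a dump.txt you cannot account for is likewise a prompt for further investigation, not proof of infection. The functions take their input as arguments or on stdin so you can also point them at a copied-out folder or a saved `ps` listing.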


Deleting DevilRobber safely

Another option is to let CleanMyMac X remove the malware automatically and safely, without deleting anything important.

CleanMyMac X is a tool for upgrading the performance of your Mac. It uncovers junk and malware, deleting everything your Mac doesn’t need and restoring it to perfect, out-of-the-box performance. To remove DevilRobber:

  1. Download CleanMyMac X.
  2. Open the app.
  3. Go to the Malware Removal tab.
  4. Click Scan to scan for anything malicious in your Mac.
  5. Click Remove to delete malware.

After using CleanMyMac X, your Mac is back to normal, free of malware and Trojans mining Bitcoin and stealing data.

DevilRobber has infected a lot of Macs — millions of them over the years. It has used all of this combined processing power to mine Bitcoin and other cryptocurrencies. It is also being used to steal data and pass that on to cybercriminals and dark web operators. Keep yourself safe, watch out and scan for any signs of infection, and one way or another, make sure your Mac can operate safely without this unwanted intrusion.
