How to protect your Mac from DevilRobber malware

First uncovered in 2011, in the relatively early days of Bitcoin mining and mania, DevilRobber is a Bitcoin mining backdoor trojan, also known as OSX/Miner-D. It is also smart enough to steal user data and other commands and inputs from Mac owners, creating an unwanted route into your Mac from the world of illegal web activity.

Although it was first detected in 2011, security experts and anti-virus vendors note that this is the second-most widespread Mac malware variant in the world. New versions of it turn over computing power to mine for other cryptocurrencies, including Ethereum and Monero.

An increase in the number of detections in 2017 coincides with the Initial Coin Offering (ICO) craze during that year and into 2018. DevilRobber now accounts for 21.6% of all global malware detections on Macs, according to Symantec.

What is DevilRobber and how to detect the infection?

DevilRobber is a type of malware known as a trojan, capable of taking control of a Mac, or at least a percentage of its operating capacity. It was originally distributed through torrent sites, such as PirateBay, hidden within Mac OS X versions of the image editing app GraphicConverter, version 7.4.

At the time, that app was being distributed without the developer's knowledge, making it unlikely that they wanted their app used as a vehicle for a global trojan. After this was downloaded, Macs that had been infected became sluggish and would load more slowly, or would have difficulty running programs or games that previously ran smoothly.

DevilRobber has no way of operating without making a Mac run slowly. Once it is downloaded, it starts to use your GPU (Graphics Processing Unit) and CPU to mine Bitcoin. Mining Bitcoin can take a lot of processing power, and the impact depends on how much spare capacity you had at the time of infection. When you are running a heavier program, your Mac can struggle to operate everything it needs to, especially with the extra strain DevilRobber places on your Mac.

When DevilRobber is in your Mac, this trojan will be using extra broadband data, thereby potentially costing you more money, depending on your Internet contract and fair usage rules.

Not only is DevilRobber making your Mac and broadband provider work harder (for as many hours as your Mac is running), it will also take screenshots. It steals user data and passwords, and goes trawling through browser history and plugins. In the background, it runs a script that stores everything to a file known as dump.txt - and then it sends that information to a command-and-control server.

One thing it does that most malware and trojans don’t is search for files labeled “pthc”. On the dark web, these are sometimes linked to child pornography, suggesting it was either partly designed to uncover more of this abuse, or to send any evidence to the server running the malware.

DevilRobber will also steal any Bitcoin wallets it finds on a Mac, creating immediate monetary gain for the creators of this virus.

Since it was originally launched, the creators have found new ways to distribute the software and new apps to hide within. It has clearly got more sophisticated, infecting millions of Macs and being used to mine for cryptocurrencies that didn't exist or were only very new when it was first created. If you've noticed your Mac is running slowly, you could be a victim.

How to remove DevilRobber?

As is the case with all trojans and other malware, DevilRobber is good at hiding. Even though this one shows an outward sign of infection - your Mac running slowly - the files that contain the virus are going to be well hidden.

Removing this manually means trawling through files and folders looking for extensions you don't recognize. Unfortunately, it won’t label them DevilRobber so that they are easy to find, and chances are that there are going to be dozens, if not more, to give it the processing power to steal data and mine cryptocurrencies.

If you are able to search through your Application and Library files and other folders - and find everything that looks suspicious - drag everything to the trash. Then empty the trash. It might be worth shutting your Mac down and starting again, to make sure it is running smoothly. It is worth being very careful when trying to remove any virus manually. It is difficult knowing if you’ve got all of the files and folders, and the last thing you want is to remove anything your Mac needs in error.
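An added example (not from the original article): a read-only Terminal check for the one file name the article gives, dump.txt, so that candidates can be reviewed before anything is moved to the Trash. The folders scanned and the function names are assumptions, and because dump.txt is a common file name, a hit is a lead to review, not proof of infection.

```shell
#!/bin/sh
# Added example: read-only triage for the dump.txt indicator named in the article.
# Nothing is deleted or modified; the script only reports what it finds.

# find_dump_candidates ROOT...
# Prints one line per regular file named dump.txt: "<size in bytes><TAB><path>".
# Roots that do not exist are skipped.
find_dump_candidates() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -name 'dump.txt' 2>/dev/null |
        while IFS= read -r f; do
            bytes=$(wc -c < "$f" 2>/dev/null | tr -d ' ')
            printf '%s\t%s\n' "${bytes:-?}" "$f"
        done
    done
}

# report_siblings FILE
# Lists the other entries in FILE's folder, since anything dropped alongside
# the dump is worth reviewing together with it.
report_siblings() {
    dir=$(dirname "$1")
    ls -A "$dir" 2>/dev/null | grep -v -x 'dump.txt' || true
}

# Scan roots are an assumption: the user's Library plus the system-wide
# Library and Applications folders the article tells you to look through.
find_dump_candidates "$HOME/Library" /Library /Applications |
while IFS="$(printf '\t')" read -r size path; do
    echo "Candidate: $path ($size bytes)"
    echo "  Other items in the same folder:"
    report_siblings "$path" | sed 's/^/    /'
done
```

A dump.txt that keeps growing between runs, in a folder you do not recognize, deserves the closest look.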

Deleting DevilRobber safely

Another way is to trust CleanMyMac X to remove malware automatically and safely — without deleting anything important.

CleanMyMac X is a tool for upgrading the performance of your Mac. It uncovers junk and malware, deleting everything your Mac doesn't need and restoring it to perfect, out-of-the-box performance. To remove DevilRobber:

  1. Download CleanMyMac X.
  2. Launch the app.
  3. Click the Malware Removal tab.
  4. Click Scan to scan for anything malicious in your Mac.
  5. Click Remove to delete malware.

After using CleanMyMac X, your Mac is back, without malware and trojan viruses mining Bitcoin and stealing data.

DevilRobber has infected a lot of Macs. Millions of them over the years. It has used all of this combined processing power to mine Bitcoin and other cryptocurrencies. It is also being used to steal data and pass that on to cybercriminals and dark web operators. Keep yourself safe, watch out and scan for any signs of infection, and one way or another make sure your Mac can operate safely without this unwanted intrusion.
