Security Experts Discover Sophisticated Malware Campaign Targeting Android Users via Fake Chrome Install Pages
A sophisticated Chinese spyware strain, PasivRobber, is designed to target macOS devices, focusing on harvesting data from popular communication apps widely used in China.
The multi-binary malware package is highly advanced, capable of exfiltrating data and maintaining persistence on infected systems. On March 13, 2025, researchers uncovered a suspicious Mach-O file named “wsus” on VirusTotal, which led to the discovery of over 20 related binaries targeting macOS systems. The malware primarily targets apps like WeChat, QQ, web browsers, and email clients.
"The software's targeted apps and network connections indicate a Chinese origin and user base," said Kandji researchers.
Technical Details and Functionality
PasivRobber uses complex obfuscation tactics, including deceptive naming to avoid detection. Its main binary, "goed", is intentionally named to resemble Apple’s legitimate "geod" daemon. The malware also hides plugin libraries with incorrect file extensions (.gz instead of .dylib).
Malware Architecture
PasivRobber operates through three main components:
- goed: The core executable, initiated by LaunchDaemon, starts the infection chain and runs wsus.
- wsus: Handles remote updates via FTP and uninstalls through RPC messages.
- center: Collects system information and performs other on-device actions.
The malware deploys specialized "Robber" dylibs like libWXRobber.dylib, libNTQQRobber.dylib, and libQQRobber.dylib to target specific applications and steal user credentials and communication data. It uses Frida scripts to hook into processes, enabling it to intercept communication and extract encryption keys.
Data Collection and Surveillance
The malware is equipped with 28 plugins (named "zero_*") to target various data sources, including:
- Web browser history and saved passwords
- Email messages and contacts
- Chat conversations from WeChat and QQ
- Cloud storage credentials
- System information and screenshots
Researchers link this malware to Xiamen Meiya Yian Information Technology Co., associated with Meiya Pico, a company previously identified by the U.S. Treasury for developing surveillance tools for the Chinese government.
The malware's capabilities, extensive data collection functions, and version checks for macOS systems below version 14.4.1 suggest it's actively developed for targeted surveillance operations.
Security Recommendations
Experts advise macOS users to update their systems regularly and watch for suspicious processes and network activity to protect against this growing threat.
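The two concrete indicators this report gives defenders are the naming tricks (a core binary called "goed" imitating Apple's "geod" daemon, and plugin dylibs stored with a .gz extension) and the LaunchDaemon used to start the chain. The script below is an added triage example, not code from the report or from Kandji: it checks whether a file that claims to be gzip actually carries a Mach-O header, and whether a launchd plist launches a program whose name is a known PasivRobber binary name or an adjacent-character transposition of a legitimate daemon name. The sample file headers, plist label and program path are constructed for the demonstration; the only names taken from the report are goed, geod, wsus and the libWXRobber prefix.

```python
"""Triage helpers for the PasivRobber indicators described above (added example)."""
import os
import plistlib
from typing import Iterable, Optional

# Mach-O and universal-binary magic values as they appear in a file's first 4 bytes.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM (universal)
}
GZIP_MAGIC = b"\x1f\x8b"

# Legitimate Apple daemon names the malware imitates, and the malware's own
# binary names from the report; both are triage hints only, not proof.
APPLE_DAEMONS = {"geod"}
KNOWN_BAD_NAMES = {"goed", "wsus"}


def is_macho(header: bytes) -> bool:
    """True if the leading bytes carry a Mach-O or universal-binary magic.
    0xCAFEBABE is also the Java class-file magic, so treat a hit as a lead."""
    return header[:4] in MACHO_MAGICS


def extension_mismatch(filename: str, header: bytes) -> Optional[str]:
    """Flag a file named .gz whose content is not gzip but a Mach-O image."""
    if (filename.lower().endswith(".gz") and not header.startswith(GZIP_MAGIC)
            and is_macho(header)):
        return f"{filename}: .gz extension but Mach-O magic (possible disguised dylib)"
    return None


def is_transposition(a: str, b: str) -> bool:
    """True if a and b differ only by one adjacent pair swapped (goed vs geod)."""
    if len(a) != len(b) or a == b:
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diffs) != 2 or diffs[1] != diffs[0] + 1:
        return False
    i, j = diffs
    return a[i] == b[j] and a[j] == b[i]


def lookalike_daemon(name: str, legit: Iterable[str] = APPLE_DAEMONS) -> Optional[str]:
    """Return the legitimate daemon name that `name` imitates, if any."""
    for real in legit:
        if is_transposition(name, real):
            return real
    return None


def program_from_plist(plist_bytes: bytes) -> Optional[str]:
    """Extract the launched program path from a LaunchDaemon/LaunchAgent plist."""
    data = plistlib.loads(plist_bytes)
    if "Program" in data:
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else None


def triage_launch_plist(plist_bytes: bytes) -> list:
    """Return human-readable findings for one launchd plist."""
    findings = []
    program = program_from_plist(plist_bytes)
    if not program:
        return findings
    base = os.path.basename(program)
    if base in KNOWN_BAD_NAMES:
        findings.append(f"{program}: basename matches a PasivRobber binary name")
    real = lookalike_daemon(base)
    if real:
        findings.append(f"{program}: name is a transposition of Apple daemon '{real}'")
    return findings


# ---- Constructed sample inputs (not real artefacts) ---------------------------
# A header that claims gzip by file name but starts with MH_MAGIC_64.
SAMPLE_DISGUISED_DYLIB = ("libWXRobber.gz", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
SAMPLE_REAL_GZIP = ("archive.gz", b"\x1f\x8b\x08\x00" + b"\x00" * 28)

# A minimal launchd plist pointing at a 'goed' binary; label and path are made up.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.goed",
    "ProgramArguments": ["/Library/PrivilegedHelperTools/goed"],
    "RunAtLoad": True,
})


def run_triage() -> list:
    """Run both checks over the constructed samples and return all findings."""
    findings = []
    for name, header in (SAMPLE_DISGUISED_DYLIB, SAMPLE_REAL_GZIP):
        hit = extension_mismatch(name, header)
        if hit:
            findings.append(hit)
    findings.extend(triage_launch_plist(SAMPLE_PLIST))
    return findings


if __name__ == "__main__":
    for line in run_triage():
        print(line)
```

On a real host you would feed `extension_mismatch` the first 32 bytes of each file under the directories where the plugins were dropped and `triage_launch_plist` the contents of each plist in /Library/LaunchDaemons and ~/Library/LaunchAgents; a hit is a reason to pull the binary for analysis, not a verdict on its own.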