Also known as: AMOS, Atomic macOS Stealer
Category: Malware
Type: Stealer
Platforms affected: macOS
Variants: Amos Atomic MacOS Stealer, Atomic Stealer Variant B, Atomic Stealer Variant C
Damage potential: Can steal a wide range of sensitive data, including login credentials, cookies, browser histories, and cryptocurrency wallets.
Overview
Atomic Stealer emerged in April 2023 and has been actively updated since. It uses malvertising campaigns, with a focus on macOS users, to steal their account passwords, browser data, and cryptocurrency wallet details. The malware has been detected in fake websites that offer software for Windows and Linux but are particularly focused on macOS. Once you install the fake app on your macOS device, it displays a pop-up, prompting you to enter your password to access System Preferences. What it actually does is give the Atomic Stealer the necessary permissions to start stealing files and data stored in your iCloud Keychain and browser.
Possible symptoms
Malware that's designed to steal information is engineered to be as unnoticeable as possible to remain undetected for longer. Therefore, there are no obvious signs to look out for — you will likely notice something is going on only when things start to go wrong. Like your crypto wallet is suddenly empty, or you lost access to your email account.
Sources of the infection
- Malvertising. When users search for popular or cracked software, they see Google Ads that lead them to websites that claim to offer that software for free, but the user actually downloads and installs the Atomic Stealer.
- Fake websites. Cybercriminals create copies of real websites and trick users into downloading and installing fake software — they get malware instead.
Protection
- If you need to get software from outside the App Store, go directly to the developer's website, don't click on Google Ads, and triple-check to make sure it's the real deal.
- Be very cautious with unexpected pop-ups asking for your password — no app should do that. And if your system needs your password to make changes, you are the one who should've initiated those changes — they don't just come up automatically.
- Use additional security solutions, like the malware scanner from NordVPN's Threat Protection Pro™. This feature scans programs and files for malware while they’re being downloaded. Threat Protection Pro™ will also alert you if you’re about to enter a malicious website to prevent drive-by downloads.
Removal
If you think you might have the Atomic Stealer on your device, you need to act fast to limit the damage. Here's what you should do:
- Disconnect from the internet to stop the malware from sending your data to its server.
- Run a scan on an updated version of a paid and reliable antivirus software.
- After the scan, use your antivirus to delete or isolate the malicious files.
- Once you're sure you got rid of the malware, change your passwords on all your important accounts, and don't forget to change your Mac password.