{"id":49346,"date":"2022-11-16T00:00:00","date_gmt":"2022-11-16T00:00:00","guid":{"rendered":"urn:uuid:de3fdc78-a4c0-5ccc-eb62-7b4940d7e05c"},"modified":"2022-11-16T00:00:00","modified_gmt":"2022-11-16T00:00:00","slug":"pilfered-keys-free-app-infected-by-malware-steals-keychain-data","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/","title":{"rendered":"Pilfered Keys: Free App Infected by Malware Steals Keychain Data"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/Pilfered-Keys-Free-App-Infected-by-Malware-Steals-Keychain-Data-641.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.976922258854\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"272343072\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.2824427480916\">\n<div class=\"article-details\" role=\"heading\" 
readability=\"38.106870229008\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">Open-source applications are a practical way to save money while keeping up with your productivity. However, this can be abused by threat actors to steal your data. Find out how one app was used to gather information of Apple users.<\/p>\n<p class=\"article-details__author-by\">By: Luis Magisa, Qi Sun <time class=\"article-details__date\">November 16, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"50.083104017611\">\n<div readability=\"45.620253164557\">\n<p>Today, malware spreads easily, infecting computers of various users. Commonly found on filesharing websites, they disguise themselves as normal applications. Users are then enticed to download them to save money on those programs. However, users risk their security in doing so. Free apps that are infected by a trojan will also affect users who download these apps.<\/p>\n<p>In this blog, we share information on a type of malware that is a modified version of a free app. One reason for the easy modification of the malware was its readily available source code. In this entry, we also discuss its purpose for installation \u2014 to steal Keychain information.<\/p>\n<p><b><span class=\"body-subhead-title\">A look into Keychain<\/span><\/b><\/p>\n<p>First introduced in macOS 8.6, Keychain is the password management system in macOS. 
It is still in current versions of the operating system. Keychain can hold a variety of data that should be private and protected, including passwords, private keys, certificates, and secure notes.<\/p>\n<p>Knowing what Keychain holds is our reason for investigating this malware and for raising awareness to limit its spread among Apple users.<\/p>\n<p><b><span class=\"body-subhead-title\">Application Timeline<\/span><\/b><\/p>\n<p>The free tool abused by the threat actors in this case is ResignTool, a macOS application used mainly to change the signing information on <i>.ipa<\/i> files, which are archive files for iOS and iPad devices. These files can be installed on an iOS device.<\/p>\n<p>Because the app is useful and its source code is open and can be <a href=\"https:\/\/github.com\/InjoyDeng\/ResignTool\" target=\"_blank\" rel=\"noopener\">found on GitHub<\/a>, malicious actors see it as an avenue to steal information.<\/p>\n<p><b>Arrival and installation<\/b><\/p>\n<p>The sample was discovered on VirusTotal by one of our sourcing rules. It was not yet reported to be in the wild but was submitted to VirusTotal under the name <i>archive.pkg<\/i>. PKG files are installer packages for macOS. Figure 1 shows its contents.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-1-pkg-contents-and-app-bundle-structure.png\" alt=\".pkg contents and app bundle structure\"><figcaption>Figure 1. 
.pkg contents and app bundle structure<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Upon installation, it will run a post-install script.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-2-post-install-script-in-pkg.png\" alt=\"Post-install script in .pkg\"><figcaption>Figure 2. Post-install script in .pkg<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Once installation is finished, the following files will be created:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;<i>\/Library\/LaunchDaemons\/com.apple.googlechrome.plist <\/i>(persistence for ~\/Library\/Google\/Plug-ins\/Google)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; <i>~\/Library\/LaunchAgents\/com.apple.googleserver.plist <\/i>(persistence for ~\/Library\/Google\/Plug-ins\/Google)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; <i>~\/Library\/Google\/Plug-ins\/Google <\/i>(SHA256: 16758a57928f9d31c76d0ace8f89b4367d849ccbf20441845af32e2768209a81)<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-3-com.apple.googleserver.plist-contents.png\" alt=\"com.apple.googleserver.plist contents\"><figcaption>Figure 3. 
com.apple.googleserver.plist contents<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>It will then use the command <i>xattr -c -r ~\/Library\/Google\/Plug-ins\/Google<\/i> to remove the quarantine attribute of \u201cGoogle\u201d and bypass Gatekeeper controls.<\/p>\n<p><b>Operation<\/b><\/p>\n<p>The Mach-O binary <i>Applications\\ResignTool.app\\Contents\\MacOS\\ResignTool<\/i> is where the malware\u2019s operations are implemented, including the routine that steals the victim\u2019s keychain data.<\/p>\n<p>After the installation process is over, the malware proceeds to steal sensitive information from the system. When the application is opened, the malware sends the following information to the command-and-control (C&amp;C) server <i>hxxps[:]\/\/usa.4jrb7xn8rxsn8o4lghk7lx6vnvnvazva.com\/<\/i> via an HTTP POST request:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; Serial Number: infected system\u2019s serial number<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; Identity: a unique embedded string that serves as its identification (for the sample, this is USA_APP)<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-4-message-sent-to%20CnC-server-before-encryption.png\" alt=\"Message sent to C&amp;C server before encryption\"><figcaption>Figure 4. 
Message sent to C&amp;C server before encryption<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-5-initial-CnC-communication-code-snippet.png\" alt=\"Initial C&amp;C communication code snippet\"><figcaption>Figure 5. Initial C&amp;C communication code snippet<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>When the C&amp;C server responds to any of the messages, the malware will proceed with harvesting the Keychain information in the system. As the following image shows, the C&amp;C server is expected to respond with the strings newdev, newid, or gogogo.<i><\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-6-code-snippet-of-CnC-response-processing.png\" alt=\"Code snippet of C&amp;C response processing\"><figcaption>Figure 6. 
Code snippet of C&amp;C response processing<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>It will then search the contents of the following directories for keychain data:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp;&nbsp;<i>\/Library\/Keychains<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp;&nbsp;<i>~\/Keychains<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp;&nbsp;<i>~\/MobileDevice\/Provisioning Profiles<\/i><\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-7-code-snippet-of-keychain-information-stealing-routine.png\" alt=\"Code snippet of keychain information stealing routine\"><figcaption>Figure 7. Code snippet of keychain information stealing routine<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.713114754098\">\n<div readability=\"14.877049180328\">\n<p>Within those directories, it narrows the search to files with the following extensions:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp;&nbsp;<i>keychain<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp;&nbsp;<i>keychain-db<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp;&nbsp;<i>mobileprovision<\/i><\/span><\/li>\n<\/ul>\n<p>The data captured from those files is encrypted using the <i>JKEncrypt<\/i> library for 3DES 256 encryption, with <i>YpXOUCzTA1ZPhn9HUE0iQX4r<\/i> as the key and <i>yNJ48AGX<\/i> as the IV. It is then sent to the C&amp;C server via an HTTP POST request. The method used for encryption is uncommon. 
More information about <i>JKEncrypt <\/i>can be found <a href=\"https:\/\/github.com\/jukai9316\/JKEncrypt\" target=\"_blank\" rel=\"noopener\">here<\/a>.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-8-JKEncrypt-encryption-routine-before-sending-data-to-CnC.png\" alt=\"JKEncrypt encryption routine before sending data to C&amp;C\"><figcaption>Figure 8. JKEncrypt encryption routine before sending data to C&amp;C<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>After the encryption is run, it will prompt for the user password using the following message box:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-9-message-box-that-prompts-user-to-input-password-to-be-stolen-later.png\" alt=\"Message box that prompts user to input password to be stolen later\"><figcaption>Figure 9. Message box that prompts user to input password to be stolen later<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The password typed in by the user of the infected device will be encrypted and sent to the C&amp;C server via HTTP POST command. 
The collected password may be used to decrypt the user&#8217;s Keychain.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-10-password-data-before-being-encrypted-and-sent.png\" alt=\"Password data before being encrypted and sent\"><figcaption>Figure 10. Password data before being encrypted and sent<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-11-code-snippet-of-password-stealing-routine.png\" alt=\"Code snippet of password stealing routine.\"><figcaption>Figure 11. Code snippet of password stealing routine.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Once the malware is done stealing sensitive information, the app\u2019s original routine is run.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-12-the-main-routine-of-the-app-after-malicious-routines.png\" alt=\"The main routine of the app after malicious routines\"><figcaption>Figure 12. The main routine of the app after malicious routines<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The other dropped file, ~\/Library\/Google\/Plug-ins\/Google, has a keychain-stealing routine similar to that of the ResignTool binary. 
In addition, it contains a routine that continuously communicates with the C&amp;C server at 10-minute intervals. The code snippet of this routine is shown in Figure 13.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-13-code-snippet-of-the-folder-showing-it-communicates-with-CnC-every-600-seconds-10-minutes.png\" alt=\"Code snippet of the folder, showing it communicates with C&amp;C every 600 seconds (10 minutes)\"><figcaption>Figure 13. Code snippet of the folder, showing it communicates with C&amp;C every 600 seconds (10 minutes)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p><b><span class=\"body-subhead-title\">Code signing and other information<\/span><\/b><\/p>\n<p>Applications that can be used in the Apple environment are usually available on the App Store. However, some applications might be unavailable there. Software such as ResignTool needs to be signed with a Developer ID and properly notarized by Apple to be validated as legitimate software. This <i>.pkg<\/i> file was signed with the Developer ID \u201cfenghua he\u201d (32W7BZNTSV). However, since the application is an open-source app, it can easily be tampered with by malicious actors, as can be seen here.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-14-code-signing-of-archive.pkg.jpg\" alt=\"Code signing of archive.pkg\"><figcaption>Figure 14. 
Code signing of archive.pkg<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>It is also worth noting that an ad-hoc signature with the identifier <i>com.injoy.ResignTool<\/i> was added to the ResignTool Mach-O binary.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/figure-15-code-signing-of-app-bundle-ResignTool.app.png\" alt=\"Code signing of app bundle ResignTool.app\"><figcaption>Figure 15. Code signing of app bundle ResignTool.app<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.610328638498\">\n<div readability=\"18.286384976526\">\n<p><b><span class=\"body-subhead-title\">Conclusion<\/span><\/b><\/p>\n<p>In a world where open-source applications and file-sharing websites are a practical choice to mitigate costs, it always pays to be vigilant. In this entry, we have discovered that an open-source application is being used as a means to infect those who are looking into the benefits of downloading a potentially free application.<\/p>\n<p>When browsing on the web, we recommend checking that all websites are legitimate to avoid downloading suspicious files. Doing this also prevents unwanted programs and threats on your system. We also advise users to protect their Apple devices with products and services that safeguard applications and files. 
Trend Micro&#8217;s <a href=\"https:\/\/www.trendmicro.com\/en_us\/forHome\/products\/mobile-security.html\">Mobile Security<\/a> guarantees that downloaded apps and files are free from threats, while <a href=\"https:\/\/www.trendmicro.com\/en_us\/forHome\/products\/antivirus-for-mac.html\">Antivirus for Mac<\/a> scans Mac devices to prevent malware so that users&#8217; work remains uninterrupted.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div class=\"responsive-table-wrap\" readability=\"7\">\n<p><b><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/b><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"11\">\n<tr>\n<td>SHA256<\/td>\n<td>Detection<\/td>\n<td>File name<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>7593ec1357315431b04a17a55f01bd1295ca4b00ce8b910f8854a7e414e8f2cc<\/td>\n<td>TrojanSpy.MacOS.KEYSTEAL.A<\/td>\n<td>archive.pkg<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>410da3923ea30d5fdd69b9ae69716b094d276cc609f76590369ff254f71c65da<\/td>\n<td>TrojanSpy.MacOS.KEYSTEAL.A<\/td>\n<td>Applications\\ResignTool.app\\Contents\\MacOS\\ResignTool<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>f5b4a388fee4183dfa46908000c5c50dceb4bf8025c4cfcb4d478c5d03833202<\/td>\n<td>TrojanSpy.MacOS.KEYSTEAL.A<\/td>\n<td>Library\\QuickTime\\Google Chrome<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>16758a57928f9d31c76d0ace8f89b4367d849ccbf20441845af32e2768209a81<\/td>\n<td>TrojanSpy.MacOS.KEYSTEAL.A<\/td>\n<td>Applications\\ResignTool.app\\Contents\\Resources\\CodeSignature<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"29.778853914447\">\n<div class=\"responsive-table-wrap\" readability=\"8.3753026634383\">\n<p><b><span class=\"body-subhead-title\">MITRE tactics, techniques, and procedures (TTPs)<\/span><\/b><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody 
readability=\"18.090756302521\">\n<tr>\n<td>Tactic<\/td>\n<td>ID<\/td>\n<td>Name<\/td>\n<td>Description<\/td>\n<\/tr>\n<tr readability=\"3.6842105263158\">\n<td>Persistence<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1543\/004\/\" target=\"_blank\" rel=\"noopener\">T1543.004<\/a><\/td>\n<td>Create or Modify System Process: Launch Daemon<\/td>\n<td>Launch Daemon created for persistence routine<\/td>\n<\/tr>\n<tr readability=\"3.6785714285714\">\n<td>Persistence<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1543\/001\/\" target=\"_blank\" rel=\"noopener\">T1543.001<\/a><\/td>\n<td>Create or Modify System Process: Launch Agent<\/td>\n<td>Launch Agent created for persistence routine<\/td>\n<\/tr>\n<tr readability=\"3.6210526315789\">\n<td>Execution<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1204\/002\/\">T1204.002<\/a><\/td>\n<td>User Execution: Malicious File<\/td>\n<td>Requires victim to run the malware pkg file.<\/td>\n<\/tr>\n<tr readability=\"4.7593582887701\">\n<td>Defense Evasion<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1222\/002\/\">T1222.002<\/a><\/td>\n<td>File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification<\/td>\n<td>Uses chmod +x to modify dropped file execution privileges<\/td>\n<\/tr>\n<tr readability=\"3.7482517482517\">\n<td>Defense Evasion<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1036\/005\/\" target=\"_blank\" rel=\"noopener\">T1036.005<\/a><\/td>\n<td>Masquerading: Match Legitimate Name or Location<\/td>\n<td>Dropped file has \u201c~\/Library\/Google\/Plug-ins\/Google\u201d as filename<\/td>\n<\/tr>\n<tr readability=\"3.702479338843\">\n<td>Defense Evasion<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1553\/001\/\" target=\"_blank\" rel=\"noopener\">T1553.001<\/a><\/td>\n<td>Subvert Trust Controls: Gatekeeper Bypass<\/td>\n<td>Uses \u201cxattr -c -r\u201d to remove quarantine 
attribute<\/td>\n<\/tr>\n<tr readability=\"3.6326530612245\">\n<td>Credential Access<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1555\/001\/\" target=\"_blank\" rel=\"noopener\">T1555.001<\/a><\/td>\n<td>Credentials from Password Stores: Keychain<\/td>\n<td>Steals keychain information<\/td>\n<\/tr>\n<tr readability=\"3.6326530612245\">\n<td>Credential Access<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1056\/002\/\" target=\"_blank\" rel=\"noopener\">T1056.002<\/a><\/td>\n<td>Input Capture: GUI Input Capture<\/td>\n<td>Displays GUI to capture user password<\/td>\n<\/tr>\n<tr readability=\"3.6814159292035\">\n<td>Command and Control<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1132\/002\/\" target=\"_blank\" rel=\"noopener\">T1132.002<\/a><\/td>\n<td>Data Encoding: Non-Standard Encoding<\/td>\n<td>Uses JKEncrypt library for 3DES 256 encryption<\/td>\n<\/tr>\n<tr readability=\"1.8630136986301\">\n<td>Exfiltration<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1041\/\" target=\"_blank\" rel=\"noopener\">T1041<\/a><\/td>\n<td>Exfiltration Over C&amp;C Channel<\/td>\n<td>Sends data to C&amp;C server<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Open-source applications are a practical way to save money while keeping up with your productivity. 
However, this can be abused by threat actors to steal your data. Find out how one app was used to gather information of Apple users. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":49347,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513],"class_list":["post-49346","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Pilfered Keys: Free App Infected by Malware Steals Keychain Data 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Pilfered Keys: Free App Infected by Malware Steals Keychain Data 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-16T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/Pilfered-Keys-Free-App-Infected-by-Malware-Steals-Keychain-Data-641.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Pilfered Keys: Free App Infected by Malware Steals Keychain 
Data\",\"datePublished\":\"2022-11-16T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/\"},\"wordCount\":1510,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/\",\"name\":\"Pilfered Keys: Free App Infected by Malware Steals Keychain Data 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.png\",\"datePublished\":\"2022-11-16T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.png\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.png\",\"width\":465,\"height\":578},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Pilfered Keys: Free App Infected by Malware Steals Keychain Data\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 
Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Pilfered Keys: Free App Infected by Malware Steals Keychain Data 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/","og_locale":"en_US","og_type":"article","og_title":"Pilfered Keys: Free App Infected by Malware Steals Keychain Data 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-11-16T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/Pilfered-Keys-Free-App-Infected-by-Malware-Steals-Keychain-Data-641.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Pilfered Keys: Free App Infected by Malware Steals Keychain Data","datePublished":"2022-11-16T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/"},"wordCount":1510,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/","url":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/","name":"Pilfered Keys: Free App Infected by Malware Steals Keychain Data 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.png","datePublished":"2022-11-16T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.png","width":465,"height":578},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/pilfered-keys-free-app-infected-by-malware-steals-keychain-data\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, 
Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Pilfered Keys: Free App Infected by Malware Steals Keychain Data"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49346","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=49346"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49346\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/49347"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=49346"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=49346"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=49346"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}