Tapsnake Infection: Not Very Likely

I maintain (when time allows) an independent Mac security site called Mac Virus, where recently I’ve received a few comments regarding the so-called Tapsnake ‘virus’. (Yes, I know that There Are No Mac/OS X Viruses, but there really is OS X-targeting malware, and when the site was launched back in the 90s by Susan Lesch, most of it actually was self-replicating.) 

Some people have been claiming that they’re seeing pop-up messages advising them that their system has been infected and that they should download a security program in order to remove it. 

Well, there is – or was – a program called Tap Snake, detected by some security software as AndroidOS.Tapsnake or a similar name. It was classified as spyware because although it was a version of the game Snake it secretly disclosed the location of the device on which it was installed to a remote server every 15 minutes. Not surprisingly, I guess, the author disagreed. However, both Tap Snake and the GPS Spy app with which it collaborated were pulled from the Android Market (now known as Google Play) years ago.

More recently, there was a spate of fake anti-virus warnings directed against Android users, claiming that they’d visited a site that had infected their phones with Tapsnake (often using the more generic name ‘Trojan: MobileOS/Tapsnake’). The change of name probably came about because iPhone users were targeted with similar scareware, even though the Tapsnake app/trojan never targeted iOS users. Come to think of it, I guess the same name would work for Windows phones too, though I haven’t seen any reports indicating that Windows mobile users have been targeted.

Still, that would be no more bizarre than reports I’ve seen much more recently which indicate that Mac users are being targeted with similar scareware. One report says a user was told that the file /os/apps/snake.icv was responsible: this is the same filename/path that has been flagged in the past as fake anti-virus for Android and possibly for other platforms. One comment to Mac Virus told us that:

They had a number to call so they could fix it and [our daughter] called it before checking with us first. Of course they wanted $250.00 to clean it up. At this point she called us and we told her to get off the phone. He said this virus will infect her phone also.

Unfortunately, the commenter didn’t respond to a request for further specifics. 

Thomas Reed, who maintains the Safe Mac site, told me recently that he has seen a number of reports of scam pop-ups reporting the presence on the victim’s Mac of various examples of malware that wouldn’t actually run on OS X. He also notes that – like the instance just cited – they usually have a number to call for ‘assistance’. This is a little different to the classic tech support scam, though there are certainly instances of support scammers disseminating details of a ‘support’ telephone number so that victims ring them, rather than the scammer necessarily relying on cold-calling (though I’m still getting more than enough support scam calls to indicate that cold-calling is alive and well and living in India). It’s certainly not unusual to see types of scam converging in this way.

While it isn’t possible to confirm exactly what the commenters to Mac Virus are seeing, Thomas suggests that it sounds like adware, perhaps Downlite, for which Apple has revoked two of the certificates used to sign it, and has even added those variants to XProtect.

But what are the real risks?

If you’re using an Android device, it’s unlikely that you’ll come across the original Tapsnake, but there is lots of other Android malware to watch out for, though Google is apt to downplay its impact. AV-Test claimed to have four million samples at the end of 2014, though the number it used in its latest round of tests against 35 Android security programs was far smaller. Nonetheless, if you’re at all worried about those four million samples, you might find it useful to see which programs performed best detection-wise in those tests. AV-Comparatives has also published a number of reports on comparative tests of Android security programs.

What about iPhone users? Certainly I wouldn’t claim that iOS is invulnerable, although most of the out-and-out malware that targets iGadget users relies on the user to jailbreak the device. Not all, though, as Axelle Apvrille noted here. But Tapsnake wasn’t an iOS app, and it’s pretty unlikely that an iOS version would get past Apple’s App Store review – what’s more, there are no full-strength anti-virus programs for iOS, since on-access scanning can’t work because of app-sandboxing. The issues with malicious programs on iOS largely concern malware that isn’t native to iOS but might be transmitted via an iGadget (this is the basis of a product from Intego), and adware, grayware and borderline apps that are ‘possibly unwanted’ rather than malware.

And, finally, back where we came in: Tapsnake isn’t/wasn’t native to OS X, either. I won’t mention the products that I’ve seen mentioned as the solution for this non-existent Mac problem, as I don’t know for sure whether they’re directly implicated in the scam or not, though one of them has been flagged in some forums as fake anti-virus.

I would suggest, though, that if you see one of these pop-ups (irrespective of which platform you’re using at the time), the last thing you should do is fly into a panic and hit the install button. That, after all, is what out-and-out fake anti-virus scams want you to do. There are also quite a few security apps that are of limited use at best but can’t necessarily be described as fakes. AV-Comparatives and AV-Test – both members of AMTSO, the Anti-Malware Testing Standards Organization – both perform regular tests on OS X security products, among others. While I’ve spent a lot of my career in security advising against the uncritical acceptance of everything you read in a comparative review, these are reputable and ethical organizations who deal with reputable vendors: they can certainly give you a better view of a range of passable products than a site that tries to trick you into using a particular product by deceiving you into believing that your device is compromised by malware.
