
How to remove TrafficStealer from the operating system

Also Known As: TrafficStealer traffic app
Type: Mac Virus
Damage level: Severe

What is TrafficStealer?

The TrafficStealer malware employs open container APIs to redirect web traffic to specific sites and manipulate user interaction with ads. Through the use of Docker containers, this program generates profits by sending traffic to monetized destinations. Despite appearing to be legitimate, the software includes compromised elements.

[Screenshot: TrafficStealer unwanted application]

TrafficStealer overview

TrafficStealer is associated with a service that provides "traffic monetization". The service offers payment to users who install software that reroutes network traffic from multiple mobile app users through the container application. In this model, subscribers earn money by allowing other users' traffic to pass through their own network.

When users register for the service, they are assigned a unique token that serves as an identification code. This code is used to retrieve the possible revenue earned from directing traffic through their network.

Once the attacker's software or container is installed and running, the subscriber's device acts as a proxy, and the traffic that passes through it becomes invisible to the subscriber. The operation of TrafficStealer is based on a combination of techniques. The software developers assert that the traffic it generates is not illegal, but they also deny ownership of any traffic created on the client.

TrafficStealer's techniques include web crawling and click simulation. Web crawling involves scanning the internet to locate high-potential ad revenue websites. Once identified, cybercriminals use the network to drive traffic towards these sites. Click simulation generates fake clicks on ads displayed on targeted websites to boost engagement and increase ad revenue for attackers.

The communication between the server and the clients is encrypted, and an unconventional TCP port is used, which can raise suspicion. Legitimate clients seeking to evaluate their ad performance may be required to pay for the utilization of the traffic, and they may also have unknown traffic redirected through their networks.

To use the official service, users must establish an account to create a token and unique ID for the local service execution. However, it is known that the attackers behind TrafficStealer hardcode their token and pass it as a parameter during container creation.

This discovery of TrafficStealer in a container highlights how threat actors exploit popular platforms. Subscribers may not be making the promised profit, and unwitting users may be generating revenue for attackers without their knowledge.

This results in losses from cloud service charges. Users have no control over the traffic using their network as a proxy, and their IP address may be logged for criminal activities without their authorization.

Threat Summary:
Name: TrafficStealer traffic app
Threat Type: Unwanted application, Mac malware, Mac virus
Supposed Functionality: Traffic monetizer
Detection Names (Installer): ALYac (Trojan.OSX.Agent), Combo Cleaner (Application.MAC.Generic.1625), Emsisoft (Application.MAC.Generic.1625 (B)), Kaspersky (Not-a-virus:UDS:Server-Proxy.OSX.Monetizer), Full List Of Detections (VirusTotal)
Detection Names (Traffmonetizer app): Arcabit (Application.MAC.Generic.D659 [many]), Combo Cleaner (Application.MAC.Generic.1625), Emsisoft (Application.MAC.Generic.1625 (B)), Kaspersky (Not-a-virus:HEUR:Server-Proxy.OSX.Monetizer.gen), Full List Of Detections (VirusTotal)
Symptoms: A program that you do not recall installing suddenly appeared on your computer. A new application is performing computer scans and displays warning messages about 'found issues'. Asks for payment to eliminate the supposedly found errors.
Distribution Methods: Applications containing compromised elements
Damage: Monetary loss, slow computer performance.
Malware Removal (Mac)

To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Summary

TrafficStealer is a type of malware that operates by rerouting internet traffic towards specific websites and manipulating user interactions with advertisements. It is typically run through containerized applications and can be used by threat actors to generate revenue by directing traffic towards monetized sources.

The software utilizes various techniques such as web crawling and click simulation to increase engagement with ads, resulting in higher ad revenue for attackers. TrafficStealer can be used to exploit unwitting users who may be generating revenue for attackers without their knowledge or consent.

How did TrafficStealer install on my computer?

It is known that threat actors use an app called Traffmonetizer to perform web crawling and click simulation. The app itself appears to be legitimate but contains compromised elements. It is available on its official website, Google Play, and possibly other platforms.

How to avoid installation of unwanted applications?

Only download apps from official websites and app stores such as Google Play or Apple App Store. Read reviews and check ratings before downloading an app. Avoid downloading apps with negative reviews or low ratings. Check the permissions requested by the app before downloading.

Keep your device's operating system and apps up to date. Be wary of offers for free apps, as they may contain adware or malware. Do not trust advertisements and pop-ups on dubious websites. If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate all threats.

The appearance of Traffmonetizer application:

[Screenshot: Traffmonetizer app]

Traffmonetizer's installer:

[Screenshot: Traffmonetizer installer]

 

Instant automatic Mac malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:

Potentially unwanted applications removal:

Remove potentially unwanted applications from your "Applications" folder:

Manual removal of malicious Mac applications

Click the Finder icon. In the Finder window, select "Applications". In the Applications folder, look for "MPlayerX", "NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Remove adware-related files and folders

Click the Finder icon. From the menu bar, choose Go and click Go to Folder...

Check for adware-generated files in the /Library/LaunchAgents/ folder:

In the Go to Folder... bar, type: /Library/LaunchAgents/


In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Check for adware-generated files in the ~/Library/Application Support/ folder:

In the Go to Folder... bar, type: ~/Library/Application Support/


In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.

Check for adware-generated files in the ~/Library/LaunchAgents/ folder:

In the Go to Folder... bar, type: ~/Library/LaunchAgents/


In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Check for adware-generated files in the /Library/LaunchDaemons/ folder:

In the "Go to Folder..." bar, type: /Library/LaunchDaemons/


In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
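As an added example (not part of the PCrisk guide), the following shell script lists .plist files recently added to the three launchd folders the steps above walk through and prints the program each one starts, so an unfamiliar launch item stands out before it is moved to the Trash. The 7-day window and the plain-XML plist format are assumptions.

```shell
#!/bin/sh
# Added example, not from the PCRisk guide: find launch items added recently
# to the launchd folders covered by the manual removal steps and show which
# executable each one starts. Assumes plain-XML plists; convert binary ones
# with "plutil -convert xml1 FILE" first.

# recent_plists DAYS DIR...  prints every .plist directly inside each DIR
# that was modified within the last DAYS days (missing folders are skipped).
recent_plists() {
    days="$1"; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -name '*.plist' -mtime "-$days" 2>/dev/null
    done
}

# plist_program FILE  prints the first <string> that follows the Program or
# ProgramArguments key, i.e. the executable launchd would run for this item.
plist_program() {
    awk '/<key>Program(Arguments)?<\/key>/ { want = 1; next }
         want && /<string>/ {
             sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
         }' "$1"
}

# scan_launch_folders DAYS  walks the three launchd folders from the guide
# and prints "plist path -> program" for each recently added item.
scan_launch_folders() {
    recent_plists "$1" /Library/LaunchAgents "$HOME/Library/LaunchAgents" \
                       /Library/LaunchDaemons |
    while IFS= read -r f; do
        printf '%s -> %s\n' "$f" "$(plist_program "$f")"
    done
}

# Constructed default run: anything added in the last 7 days.
scan_launch_folders 7
```

Any item whose program path points into a user-writable or unfamiliar location deserves a closer look before deciding whether to trash it.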

Scan your Mac with Combo Cleaner:

If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it here. After downloading the file, double-click the combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your Launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.

Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.


After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

Remove malicious extensions from Internet browsers

Remove malicious Safari extensions:

Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".


In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.

Remove malicious extensions from Google Chrome:

Click the Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".


  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.

Remove malicious extensions from Mozilla Firefox:

Click the Firefox menu icon (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".


  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.

Frequently Asked Questions (FAQ)

My computer is infected with TrafficStealer malware, should I format my storage device to get rid of it?

Formatting your storage device can effectively remove malware like TrafficStealer from your computer. However, before taking such a drastic step, you can try running anti-malware software to remove the malware.

What are the biggest issues that malware can cause?

The consequences of malware can vary and may include identity theft, financial losses, data losses, diminished computer performance, and the possibility of additional infections.

What is the purpose of TrafficStealer?

The purpose of TrafficStealer is to reroute internet traffic towards designated websites and manipulate user interaction with advertisements in order to generate revenue for the attacker. It uses open container APIs and Docker containers to achieve this goal.

How did malware infiltrate my computer?

Malware can infiltrate your computer through phishing emails, software vulnerabilities, infected downloads, drive-by downloads, social engineering tactics, malicious ads, etc.

Will Combo Cleaner protect me from malware?

Combo Cleaner can detect and remove nearly all known malware infections, but it is important to note that sophisticated malware can often be deeply hidden in the system. Therefore, it is essential to perform a full system scan.


About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.
