This new variant mimics the behavior of previous ones. After getting downloaded and run by the victims who believe they are about to install legitimate software - in this case VKMusic 4 for Mac - the malware presents to them what seems to be a typical installation wizard.
To activate the software, users are urged to enter their mobile phone number, click on the "Send me an SMS" button, then enter the code they receive via SMS into the appropriate field (click on the screenshot to enlarge it):
"But by performing these actions the user agrees to terms of a chargeable subscription and a fee will be debited from their mobile phone account on a regular basis. Such installers usually contain meaningless data or the programs they are supposed to install, which in fact can be downloaded from official sites of their developers free of charge," Dr. Web researchers explain the scheme, and warn users to be wary of installing programs that require them to enter their phone number or send a text message.
As a side note that will be interesting to other malware researchers, the malicious installer has been created with and is being distributed via ZipMonster, a well-known Russian-language affiliate program.
UPDATE: Apple has added the definitions for the Trojan.SMSSend.3666 to its "Xprotect.plist" blacklist. OS X malware tools are updated daily, so the majority of users is now protected from this Trojan variant.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.