It’s certainly possible, but it’s more complicated. I don’t know of any actual malware going around, but people have made mistakes with similar effects. (I know of mistakes that have been found; obviously, I don’t know how many haven’t been.)

If you put malware into closed-source software, the only way to find it is to detect the effects and analyze the binary. There are people who are very good at analyzing the binary.

In open-source software, anybody can look at the source code. Not many will, for most packages, but there’s a much higher chance of being found out. Once found out, anybody can patch the software to do the good things without the bad. Moreover, most open source software has publicly available repositories, which means that anybody can track down the history of the code, and (at least to a pseudonym) who did what. There is also a tendency to produce more readable code in open source, so that changes will stand out more.

The caveat, of course, is that most of us really don’t know what to look for in software security. If I run a compression program, and it compresses my file to a shorter version that looks like gibberish, and I can get the original back, I know that’s working. If it changes it to gibberish that it claims is encrypted, I don’t know a priori how to tell if it’s well encrypted.