Mac malware discovered in the wild allows webcam photos, screenshots, key-logging

Ben Lovejoy

- Jul. 25th 2017 4:01 am PT


A security researcher has discovered a piece of Mac malware that allows an attacker to activate the webcam to take photos, take screenshots and capture keystrokes.

Synack researcher Patrick Wardle says that the malware has been infecting Macs for at least five years, and possibly even a decade …


The malware is a variant of Fruitfly, discovered back in January and blocked by a macOS update shortly afterwards. Fruitfly used antiquated code that actually predates OS X, and was used in targeted attacks against biomedical research institutions.

Wardle told Ars Technica that the variant was mostly found in Macs in homes in the USA.

After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States. Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.

Based on analysis of the IP addresses connecting to the server, the malware does not appear to be targeting companies, and also does not appear to be designed to make money.

“I don’t know if it’s just some bored person or someone with perverse goals,” Wardle said. “If some bored teenager is spying on me, that would still be very emotionally traumatic. If it’s turning on the webcam, that’s for perverse reasons.”

Wardle informed law enforcement officials, and the hardcoded domains have been shut down, neutralizing the threat for now. The researcher has passed details to Apple, and will be speaking more about the malware at the Black Hat Security Conference in Las Vegas, where we’ll also hear more details about the serious wifi vulnerability fixed in iOS 10.3.3.

It is likely that owners of infected machines were tricked into clicking on a link that installs the malware. As always, you should only ever install apps from the Mac App Store and trusted developers.

