Scary Mac Spyware Went Undetected for Years – Possibly Designed by a “Bored Person With Perverse Goals”

Jul 25, 2017

A new piece of Mac malware that may have gone undetected for over a decade has been discovered by a security researcher. The spyware lets attackers turn on the webcam, capture keystrokes, and take screenshots of the infected machine, according to Patrick Wardle, a security researcher at Synack.

“Perverse” Mac malware discovered in the wild

Researchers are calling this new piece of malware “Perverse”; it has been detected predominantly on Macs in the United States. It is a variant of Fruitfly, which was discovered in January this year. Apple blocked Fruitfly with a macOS update after it had run in the wild, unnoticed, for over two years. Both programs capture screenshots, record keystrokes, take webcam images, and collect information about the infected machine. Fruitfly used antiquated code that predated OS X and was used in targeted attacks against biomedical research institutions.


Unlike Fruitfly, however, this variant has been infecting machines for much longer, and it has infected far more Macs than Fruitfly, which targeted a single industry.

“The variant found by Wardle, by contrast, has infected a much larger number of Macs while remaining undetected by both macOS and commercial antivirus products,” ArsTechnica reports (emphasis is ours).

After analyzing the new variant, Wardle decrypted several backup command-and-control domains that were hardcoded into the malware. To his surprise, the domains were still unregistered. Within two days of registering one of them, close to 400 infected Macs connected to his server, mostly from home networks in the United States. Although Wardle did nothing more than observe the IP addresses and usernames of the Macs that connected, that position gave him the ability to use the malware to spy on the unwittingly infected users.

Remember, these are everyday users we are talking about, not the political, military, corporate, or other targets that sophisticated attackers go after.

“This shows that there are people who are sick in the head who are attacking everyday Mac users for insidious goals,” Wardle said.


Enables Keylogging and Webcam Access

The attacker’s intentions remain unclear, as there is no evidence that the malware has been used to install ransomware or collect banking credentials.

“I don’t know if it’s just some bored person or someone with perverse goals,” Wardle said. “If some bored teenager is spying on me, that would still be very emotionally traumatic. If it’s turning on the webcam, that’s for perverse reasons.”

It is also unclear how these machines in the United States were infected. Wardle suspects the attackers may have tricked users into clicking malicious links.

The hardcoded domains have since been taken down after Wardle notified law enforcement, and he has also informed Apple of this newly detected but very old Mac malware. As reported last year, Wardle’s OverSight tool notifies users whenever an app tries to access the Mac’s webcam or microphone.

“A lot of Mac users are overconfident in the security of their Mac,” Wardle said. “[It] just goes to reiterate to everyday users that there are perhaps people out there trying to hack their computers.”
