New surveillance malware hits Apple Macs, most in America. (Photo by Justin Sullivan/Getty Images)
Apple Mac malware outbreaks are rare. So when they happen, people pay attention.
Law enforcement agents are now investigating what appears to be a slice of malicious code that’s been hitting Mac users in recent weeks and appears to be purely for targeted surveillance, though it’s unclear whether it’s for perverse reasons, or if it’s government-related. Patrick Wardle, an ex-NSA analyst who now does research for cybersecurity firm Synack, says he saw around 400 infections, but there’s likely many more as he only had access to a handful of servers used to control the malware, dubbed FruitFly. “I likely only saw a limited percentage of the total number of victims,” Wardle said.
He was able to uncover FruitFly victims after registering one of the domains the attackers had planned to use as back up when the primary servers were offline. For whatever reason, the hackers didn’t own the domain.
From there, Wardle could see victim IP addresses, 90% of which were located in the U.S., he told Forbes. He was also able to see the name of victims’ Mac computers too, making it “really easy to pretty accurately say who is getting infected.” Most appeared to be individuals, though there were some at colleges too, he said. As soon as Wardle saw active infections, he handed what he found to law enforcement. He’ll present his findings at the Black Hat conference taking place later this week.
He believes surveillance was the primary purpose of FruitFly, which could spy on the webcam of the user and take screenshots. “This didn’t look like cybercrime type behaviour, there were no ads, no keyloggers, or ransomware,” he said. “Its features had looked like they were actions that would support interactivity: it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events.”
Old Apple spy tool
It appears to be old malware too, said Wardle. Comments in the FruitFly code included references to updates for Mac OS X Yosemite, first released in 2014, indicating the spyware was running before that.
Outside of a lack of insight into the other servers, which could push the infections numbers up drastically, it’s also as yet unclear how FruitFly has infected Apple Macs. Apple had not responded to a request for comment.
FruitFly has been seen before too. MalwareBytes first detected it earlier this year apparently targeting biomedical research centers. “The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure,” wrote MalwareBytes researcher Thomas Reed in January. “Although there is no evidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.”
But there’s no indication just what the motivations of the malware’s creators are. Looking at the code alone, it may be they’re simply trying to spy on random individuals through their webcams.