Got a tip for us? Share it...

New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

Newly Discovered Mac Malware Captures and Stores Screenshots

New Mac spyware was discovered earlier this week on a computer at the Oslo Freedom Forum, an annual human rights conference. Located by computer security researcher Jacob Appelbaum, the malware, which has been deemed OSX/KitM.A, is currently being investigated by anti-virus company F-Secure, reports CNET.

The malware is a backdoor application called "macs.app," which launches automatically upon login and captures screenshots that it then sends to a MacApp folder in the user's home directory. Two command-and-control servers, located at securitytable.org and docsforum.info, are associated with the malware, but one does not function and the other gives a "public access forbidden" message.

macapp
Interestingly, the malware is signed with an Apple Developer ID, which is designed to prevent the installation of malware. Apps that are unsigned are blocked by default by Apple's Gatekeeper security option.
This bit of malware is somewhat unique in that it is signed with what appears to be a valid Apple Developer ID associated with the name Rajender Kumar. Though not an uncommon name, this may be a reference to the late Bollywood actor of a similar name. Regardless, the use of the ID appears to be an attempt to bypass Apple's Gatekeeper execution prevention technology.
Currently, F-Secure is investigating where the malware originated, and though it does not appear to be widespread, it can be mitigated by removing the macs.app program from the log-in menu. Apple often addresses malware threats quickly, and has the ability to revoke the developer ID to further limit the spread of the software.

Top Rated Comments

(View all)

17 months ago
$99 is a small price to pay for a guaranteed safe install of your latest malware app :)
Rating: 22 Votes
17 months ago
I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.
Rating: 18 Votes
17 months ago
I'd put this one in the category of stupid-ware.
Rating: 14 Votes
17 months ago
Why is the cert for this not revoked already?
Rating: 11 Votes
17 months ago
Some bad software is installed on a computer. Just one single computer? Did someone sit down and install it? Or was it spread over the network using some security flaw? If someone sat down and installed it, that's not what I'd call "malware." The origin is the key missing part of the story.

I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.


Only if Apple can't pull the plug. That is the purpose of the certificate--not prevention of attempts in the first place.

Why is the cert for this not revoked already?


When did Apple receive the details on this? And what do they need to do to verify? (Obviously they can't simply obey any random request to shut a developer down, so there must be some verification steps.)
Rating: 11 Votes
17 months ago
well how do you get the macs.app downloaded and running in the first place unless it's a pebkac. just use common sense people, this malware seems not to be that harmful, albeit it's annoying.
Rating: 6 Votes
17 months ago

Why is the cert for this not revoked already?


Maybe it has, have you checked?
Rating: 5 Votes
17 months ago

My last macbook pro got a virus. Unfortunately, its a reality that macs can get them.

That, and other reasons, is why I sold it for a Surface Pro. Could not have been happier! :)


yeh right. just what "virus" did you get on your macbook?
Rating: 5 Votes
17 months ago

So Apple can pull a kill switch on this then, right?

Apple may have planted it themselves just so they'd have an opportunity to demonstrate how they can kill malware by making devs sign apps and forbidding unsigned apps from running.


Hitting that kill switch will prevent further installations (since the app will no longer be trusted), but I don't think it will block the app from running if it is already installed on your Mac.
Rating: 4 Votes
17 months ago
So Apple can pull a kill switch on this then, right?

Apple may have planted it themselves just so they'd have an opportunity to demonstrate how they can kill malware by making devs sign apps and forbidding unsigned apps from running.
Rating: 4 Votes

[ Read All Comments ]