Newly Discovered Mac Malware Captures and Stores Screenshots

New Mac spyware was discovered earlier this week on a computer at the Oslo Freedom Forum, an annual human rights conference. Located by computer security researcher Jacob Appelbaum, the malware, which has been deemed OSX/KitM.A, is currently being investigated by anti-virus company F-Secure, reports CNET.

The malware is a backdoor application called "macs.app," which launches automatically upon login and captures screenshots that it then sends to a MacApp folder in the user's home directory. Two command-and-control servers, located at securitytable.org and docsforum.info, are associated with the malware, but one does not function and the other gives a "public access forbidden" message.

macapp
Interestingly, the malware is signed with an Apple Developer ID, which is designed to prevent the installation of malware. Apps that are unsigned are blocked by default by Apple's Gatekeeper security option.

This bit of malware is somewhat unique in that it is signed with what appears to be a valid Apple Developer ID associated with the name Rajender Kumar. Though not an uncommon name, this may be a reference to the late Bollywood actor of a similar name. Regardless, the use of the ID appears to be an attempt to bypass Apple's Gatekeeper execution prevention technology.

Currently, F-Secure is investigating where the malware originated, and though it does not appear to be widespread, it can be mitigated by removing the macs.app program from the log-in menu. Apple often addresses malware threats quickly, and has the ability to revoke the developer ID to further limit the spread of the software.

Popular Stories

iOS 18

Apple Releases iOS 18.5 With New Wallpaper, Screen Time Changes, Carrier Satellite Support for iPhone 13 and More

Monday May 12, 2025 10:06 am PDT by
Apple today released iOS 18.5 and iPadOS 18.5, the fifth updates to the iOS 18 and iPadOS 18 operating systems that came out last September. iOS 18.5 and iPadOS 18.5 come a little over a month after Apple released iOS 18.4 and iPadOS 18.4. The new software can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General > Software Update. The iOS 18.5 update has a...
tvOS 18 Feature

Apple Releases tvOS 18.5

Monday May 12, 2025 10:01 am PDT by
Apple today released tvOS 18.5, the latest version of the tvOS operating system. tvOS 18.5 comes a little over a month after the launch of tvOS 18.4, and it is available for the Apple TV 4K and Apple TV HD models. tvOS 18.5 can be downloaded using the Settings app on the ‌Apple TV‌. Open up Settings and go to System > Software Update to get the new software. ‌Apple TV‌ owners who have...
iPhone 17 Pro Blue Feature Tighter Crop

WSJ: Apple Weighing Price Hikes for iPhone 17 Lineup Without Blaming Tariffs

Monday May 12, 2025 3:36 am PDT by
Apple is considering raising prices for its upcoming iPhone 17 models set to release this fall, according to people familiar with the matter cited by The Wall Street Journal. The company reportedly aims to pair the potential price hikes with new features and design changes to justify the increased cost to consumers, rather than attributing them to U.S. tariffs on goods from China. The...
iOS 18

iOS 18.5 Expected This Week With These New Features

Monday May 12, 2025 7:20 am PDT by
Following more than a month of beta testing, Apple is expected to release iOS 18.5 to the general public this week. While the software update is relatively minor, it still includes a handful of new features and changes for iPhones. Below, we recap everything new in iOS 18.5. Pride Wallpaper Apple recently announced its 2025 Pride Collection, including a new Apple Watch band, watch face,...
macOS Sequoia Feature

Apple Releases macOS Sequoia 15.5

Monday May 12, 2025 10:10 am PDT by
Apple today released macOS Sequoia 15.5, the fifth major update to the macOS Sequoia operating system that launched last September. macOS Sequoia 15.5 comes a little over a month after the launch of macOS Sequoia 15.4. Mac users can download the ‌‌‌macOS Sequoia 15.5‌‌‌ update through the Software Update section of System Settings. It is available for free on all Macs able to run ...
Mayday Calendar

Apple Acquisition Hints at Upgraded Calendar App on iOS 19 or Beyond

Friday May 9, 2025 9:13 am PDT by
Apple acquired Canadian startup Mayday Labs in April 2024, according to a European Commission listing, spotted by French blog MacGeneration. The acquisition had not received widespread attention from tech publications until now. Apple is legally required to report certain acquisitions to the European Commission, under the terms of the EU's Digital Markets Act. Mayday Labs founder Jeremy...
Beyond iPhone 13 Better Triad

20th Anniversary iPhone Will Be Mostly Glass With All-Screen Design

Monday May 12, 2025 2:52 am PDT by
Apple will mark the 10th anniversary of the iPhone X in 2027 by launching a mostly glass, curved iPhone without any cutouts in the display, according to Bloomberg's Mark Gurman. Writing in his latest Power On newsletter, Gurman said the all-screen device will arrive later in 2027, suggesting a fall release. The model will be preceded by Apple's first foldable iPhone, claims the reporter....

Top Rated Comments

VoR Avatar
157 months ago
$99 is a small price to pay for a guaranteed safe install of your latest malware app :)
Score: 22 Votes (Like | Disagree)
shareef777 Avatar
157 months ago
I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.
Score: 18 Votes (Like | Disagree)
Peace Avatar
157 months ago
I'd put this one in the category of stupid-ware.
Score: 14 Votes (Like | Disagree)
nagromme Avatar
157 months ago
Some bad software is installed on a computer. Just one single computer? Did someone sit down and install it? Or was it spread over the network using some security flaw? If someone sat down and installed it, that's not what I'd call "malware." The origin is the key missing part of the story.

I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.
Only if Apple can't pull the plug. That is the purpose of the certificate--not prevention of attempts in the first place.

Why is the cert for this not revoked already?
When did Apple receive the details on this? And what do they need to do to verify? (Obviously they can't simply obey any random request to shut a developer down, so there must be some verification steps.)
Score: 11 Votes (Like | Disagree)
kidde Avatar
157 months ago
Why is the cert for this not revoked already?
Score: 11 Votes (Like | Disagree)
Tankmaze Avatar
157 months ago
well how do you get the macs.app downloaded and running in the first place unless it's a pebkac. just use common sense people, this malware seems not to be that harmful, albeit it's annoying.
Score: 6 Votes (Like | Disagree)