Newly Discovered Mac Malware Captures and Stores Screenshots

New Mac spyware was discovered earlier this week on a computer at the Oslo Freedom Forum, an annual human rights conference. Located by computer security researcher Jacob Appelbaum, the malware, which has been deemed OSX/KitM.A, is currently being investigated by anti-virus company F-Secure, reports CNET.

The malware is a backdoor application called "macs.app," which launches automatically upon login and captures screenshots that it then sends to a MacApp folder in the user's home directory. Two command-and-control servers, located at securitytable.org and docsforum.info, are associated with the malware, but one does not function and the other gives a "public access forbidden" message.

macapp
Interestingly, the malware is signed with an Apple Developer ID, which is designed to prevent the installation of malware. Apps that are unsigned are blocked by default by Apple's Gatekeeper security option.

This bit of malware is somewhat unique in that it is signed with what appears to be a valid Apple Developer ID associated with the name Rajender Kumar. Though not an uncommon name, this may be a reference to the late Bollywood actor of a similar name. Regardless, the use of the ID appears to be an attempt to bypass Apple's Gatekeeper execution prevention technology.

Currently, F-Secure is investigating where the malware originated, and though it does not appear to be widespread, it can be mitigated by removing the macs.app program from the log-in menu. Apple often addresses malware threats quickly, and has the ability to revoke the developer ID to further limit the spread of the software.

Top Rated Comments

VoR Avatar
103 months ago
$99 is a small price to pay for a guaranteed safe install of your latest malware app :)
Score: 22 Votes (Like | Disagree)
shareef777 Avatar
103 months ago
I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.
Score: 18 Votes (Like | Disagree)
Peace Avatar
103 months ago
I'd put this one in the category of stupid-ware.
Score: 14 Votes (Like | Disagree)
nagromme Avatar
103 months ago
Some bad software is installed on a computer. Just one single computer? Did someone sit down and install it? Or was it spread over the network using some security flaw? If someone sat down and installed it, that's not what I'd call "malware." The origin is the key missing part of the story.

I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.
Only if Apple can't pull the plug. That is the purpose of the certificate--not prevention of attempts in the first place.

Why is the cert for this not revoked already?
When did Apple receive the details on this? And what do they need to do to verify? (Obviously they can't simply obey any random request to shut a developer down, so there must be some verification steps.)
Score: 11 Votes (Like | Disagree)
kidde Avatar
103 months ago
Why is the cert for this not revoked already?
Score: 11 Votes (Like | Disagree)
Tankmaze Avatar
103 months ago
well how do you get the macs.app downloaded and running in the first place unless it's a pebkac. just use common sense people, this malware seems not to be that harmful, albeit it's annoying.
Score: 6 Votes (Like | Disagree)

Top Stories

siir apple event april 20

Siri Reveals Apple Event Planned for Tuesday, April 20

Tuesday April 13, 2021 12:04 am PDT by
Siri has apparently prematurely revealed that Apple plans to hold an event on Tuesday, April 20, where the company is expected to reveal brand new iPad Pro models and possibly its long-awaited AirTags trackers. Subscribe to the MacRumors YouTube channel for more videos. Upon being asked "When is the next Apple Event," Siri is currently responding with, "The special event is on Tuesday, April...
apple event spring loaded

Apple's 'Spring Loaded' Event Officially Announced for Tuesday, April 20

Tuesday April 13, 2021 9:04 am PDT by
Following an overnight leak by Siri, Apple today officially announced that it will be holding a special "Spring Loaded" event on Tuesday, April 20 at 10:00 a.m. Pacific Time at the Steve Jobs Theater on the Apple Park campus in Cupertino, California. As with all of Apple's 2020 events, the April 2021 event will be a digital-only gathering with no members of the media invited to attend in...
pixel watch prosser leak

Google Pixel Watch Allegedly Leaks with Circular Design, Rumored to Launch in October

Monday April 12, 2021 2:49 am PDT by
Renders of Google's first smartwatch, codenamed "Rohan," have been shared by Jon Prosser, showing that Google plans to adopt a circular design for its flagship wearable watch. Prosser shared the renders in an episode of his YouTube show "Front Page Tech," in which he claims they were made based on marketing material he had seen from a source within Google. The renders show that the Pixel...
Google maps feaure green

Google Maps App for iOS Finally Updated After Four Months

Monday April 12, 2021 10:03 am PDT by
Following the completed rollout of App Privacy labels for its App Store apps, Google today updated the Google Maps app for the first time in four months. Apple in December began requiring all new app submissions and app updates to include App Privacy labels, detailing the data that is collected by the app so consumers know what they're sharing. Google didn't begin implementing App Privacy ...
AppleTV and HomePod Feature

Bloomberg: Apple Working on New Apple TV With Integrated HomePod Speaker and FaceTime Camera

Monday April 12, 2021 3:32 am PDT by
Apple is working on a combined Apple TV with HomePod speaker that has a camera for video calls through a connected television set, according to Bloomberg's Mark Gurman. From the report: The company is working on a product that would combine an Apple TV set-top box with a HomePod speaker and include a camera for video conferencing through a connected TV and other smart-home functions,...
samsung experience 1

Samsung's 'iTest' Lets You Try a Galaxy Device on Your iPhone

Thursday April 8, 2021 12:42 pm PDT by
Samsung has launched "iTest," an interactive website experience that's designed to allow iPhone users to test out Android on a Galaxy device, or "sample the other side," as Samsung puts it. Subscribe to the MacRumors YouTube channel for more videos. The iTest website is being advertised in New Zealand, according to a MacRumors reader who came across the feature. Visiting the iTest website on...
epic iap feature 3

Tim Cook Says App Store Would Become a 'Flea Market' if Third-Party Payment Systems Were Allowed

Monday April 12, 2021 9:41 am PDT by
In a recent interview with the Toronto Star, Apple CEO Tim Cook spoke about a wide variety of topics, ranging from App Tracking Transparency to Apple's ongoing legal battle over App Store policies with Fortnite creator Epic Games. Notably, Cook said that Epic Games' desire for Apple to let developers offer their own payment systems in apps "would make the App Store a flea market":At the...
tim cook toronto star

Tim Cook Says Apple is 'Not Against Digital Advertising' Ahead of iOS 14.5 Launch With App Tracking Transparency

Monday April 12, 2021 8:00 am PDT by
Starting with iOS 14.5, iPadOS 14.5, and tvOS 14.5, Apple will be requiring apps to receive a user's permission to track their activity for targeted advertising purposes, as part of a privacy measure known as App Tracking Transparency. Ahead of App Tracking Transparency being enforced, Apple CEO Tim Cook has participated in a privacy-focused interview with the Toronto Star, telling the...
a13 bionic mockup

Apple Made Sudden Security Changes to its Chips in Fall 2020

Monday April 12, 2021 8:15 am PDT by
Apple made unusual mid-production hardware changes to the A12, A13, and S5 processors in its devices in the fall of 2020 to update the Secure Storage Component, according to Apple Support documents. According to an Apple Support page, spotted by Twitter user Andrew Pantyukhin, Apple changed the Secure Enclave in a number of products in the fall of 2020:Note: A12, A13, S4, and S5 products...
HomePod G4 Feature

Bloomberg: Future HomePod May Feature iPad Connected Via Robotic Arm to Track Users Around The Room During FaceTime Calls

Monday April 12, 2021 3:50 am PDT by
In a report outlining a possible Apple TV with a combined HomePod and camera, Bloomberg's Mark Gurman says that Apple is exploring a future high-end HomePod speaker that could include an iPad connected via a robotic arm that tracks and follows users around a room. From the report: The Cupertino, California-based technology giant, is also mulling the launch of a high-end speaker with a touch ...