New Mac Malware Takes Screenshots And Uploads Them Without Permission


A new piece of Mac malware has been discovered. The virus installs itself as “macs.app” and silently takes screenshots, which it then uploads to shady servers. It doesn’t appear to be very widespread at the moment.

The malware was uncovered on an African activist’s Mac at the Oslo Freedom Forum, an annual event dedicated to “exploring how best to challenge authoritarianism and promote free and open societies.”

Once installed, macs.app runs in the background and repeatedly takes screenshots. Each image is then stored in an inconspicuous folder in the user’s home directory. From there, the screenshots are uploaded to “securitytable.org” and “docsforum.inf,” both of which are unavailable domains.

Unlike most Mac malware, macs.app is signed with a valid Apple Developer ID, which gets it past Gatekeeper, Apple’s security system in OS X Mountain Lion. The ID is assigned to Rajender Kumar. Apple has the ability to revoke the ID’s privileges, and then this malware would presumably be dead in the water.

A malicious tool that only takes screenshots to upload is pretty unique, so this is likely not part of a larger attack.
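A defender can sweep for the indicators named on this page. The script below is an added example, not code from the article or from any vendor. It looks for a macs.app bundle and a non-empty MacApp folder (the folder name comes from a reader comment below) under a home directory, and for the two domains in a DNS or proxy log. The log format, function names and fixture data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): sweep for the indicators this page names.
# From the page: macs.app, the MacApp folder (per a reader comment),
# securitytable.org and docsforum.inf. Everything else is an assumption.
KITM_DOMAINS='securitytable.org docsforum.inf'

# scan_home DIR: print one "HIT ..." line per on-disk indicator under DIR.
scan_home() {
    home=$1
    # The application bundle, wherever it sits under the home directory.
    find "$home" -type d -name 'macs.app' 2>/dev/null |
        while IFS= read -r p; do echo "HIT bundle $p"; done
    # The dump folder, reported only if it actually contains files.
    if [ -d "$home/MacApp" ]; then
        n=$(find "$home/MacApp" -type f 2>/dev/null | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then echo "HIT dump-folder $home/MacApp files=$n"; fi
    fi
    return 0
}

# scan_log FILE: print "HIT domain <name> line <n>" for each log line that
# mentions one of the domains as a whole hostname (subdomains included).
scan_log() {
    log=$1
    for d in $KITM_DOMAINS; do
        esc=$(printf '%s' "$d" | sed 's/\./\\./g')   # escape dots for the regex
        grep -n -i -E "(^|[^A-Za-z0-9-])${esc}\.?(\$|[^A-Za-z0-9.-])" "$log" |
            while IFS= read -r line; do echo "HIT domain $d line ${line%%:*}"; done
    done
    return 0
}

# make_fixture DIR: constructed sample data (a fake home and a fake DNS log).
make_fixture() {
    mkdir -p "$1/home/Applications/macs.app" "$1/home/MacApp" "$1/home/Documents"
    : > "$1/home/MacApp/shot-0001.png"
    cat > "$1/dns.log" <<'EOF'
10:00:01 query A www.apple.com
10:00:02 query A SecurityTable.org.
10:00:03 query A notsecuritytable.org
10:00:04 query A cdn.docsforum.inf
10:00:05 query A docsforum.inf.example.net
EOF
}

tmp=$(mktemp -d) && make_fixture "$tmp"
scan_home "$tmp/home"; scan_log "$tmp/dns.log"
rm -rf "$tmp"
```

On a real machine, point `scan_home` at `"$HOME"` and `scan_log` at an exported resolver or proxy log. The hostname matching skips look-alikes such as `notsecuritytable.org` and `docsforum.inf.example.net`.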

  • dcj001

    “The virus installs itself as ‘macs.app'”

    Is it “macsapp,” as written repeatedly in the article, or “macapp” as shown in the image?

  • go2pear

    Malware on iOS, wow, and now we can be waiting on viruses :-(

    ————————-
    follow us http://go2pear.com

  • DariusPicard

    The malware is for OS X not iOS. The executable is called macs.app and the folder in which it stores the screenshots is MacApp.

About the author

Alex Heath has been a staff writer at Cult of Mac for three years. He is also a co-host of the CultCast. He has been quoted by the likes of the BBC, KRON 4 News, and books like "ICONIC: A Photographic Tribute to Apple Innovation." If you want to pitch a story, share a tip, or just get in touch, additional contact information is available on his personal site. Twitter always works too.
