Yet another strain of malware targeted at Mac users has popped up this week to prove you shouldn’t disable the Gatekeeper feature baked into OS X. “OSX/Keydnap” disguises itself as an innocent text or image file, then installs malicious code onto your Mac.
The latest find, made by researchers at the security firm ESET, comes just days after the discovery of “Backdoor.MAC.Eleanor,” which has the ability to take full control of your Mac. OSX/Keydnap goes after your saved passwords instead.
The malware arrives on your Mac as a compressed .zip file containing what appears to be either a text document or a JPEG image. However, the file is really a Mach-O executable, and its name has a trailing space, which makes it open in Terminal by default.
When you attempt to open the file, Terminal briefly opens and the malware executes its code. It is unable to do this, however, if you have left Gatekeeper enabled on your Mac, which prevents installs from untrusted developers.
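A downloaded archive can be checked for this pattern before anything in it is opened. The following is an added example, not code from ESET or from this article: it flags zip entries whose names end in whitespace or whose contents begin with a Mach-O magic number. The function names, the extension list and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Mach-O magic numbers as they appear in the first four bytes of a file.
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),  # 32-bit, both byte orders
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),  # 64-bit, both byte orders
    bytes.fromhex("cafebabe"),  # fat/universal binary (also Java class files)
}
DOCUMENT_EXTS = (".txt", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx")  # assumed list


def scan_zip(archive):
    """Return (entry_name, reasons) for suspicious entries; takes a path or file object."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            reasons = []
            if name != name.rstrip():  # e.g. "photo.jpg " with a trailing space
                reasons.append("trailing-whitespace")
            with zf.open(info) as fh:
                is_macho = fh.read(4) in MACHO_MAGICS
            if is_macho:
                reasons.append("mach-o")
                if name.rstrip().lower().endswith(DOCUMENT_EXTS):
                    reasons.append("document-extension-on-executable")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip():
    """Constructed sample archive: magic bytes plus padding, no real executable code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg ", bytes.fromhex("cffaedfe") + b"\x00" * 28)
        zf.writestr("notes.txt", b"plain text\n")
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()):
        print(repr(name), reasons)
```

The `cafebabe` magic is shared with Java class files, so a hit on that value alone needs a second look at the entry.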
If you don’t have Gatekeeper enabled, OSX/Keydnap installs a backdoor component that is executed after every reboot. It then tricks you into providing it with root access by waiting until you open another app, then presenting a prompt for your login credentials.
Once it has obtained root access, OSX/Keydnap goes after your Keychain and uploads your saved usernames and passwords to a server. If you have also saved credit card details and other information to your Mac, it will upload that, too.
This is a great example of why you shouldn’t disable Gatekeeper. It’s best to just leave it on, then allow individual installs from unknown developers only if you trust them.