Old Mac malware can take over your webcam, capture keystrokes

Old Mac malware can take over your webcam, capture keystrokes


dead MacBook hack
Are you protecting your Mac yet?
Photo: Ste Smith/Cult of Mac

Security researchers have discovered a mysterious strain of malware that allows hackers to take over the webcam, keyboard, and other resources on your Mac.

The malware is believed to be at least five years old, but it has gone unnoticed until now.

As the macOS user base continues to rise, the number of malware attacks follows. McAfee Labs’ latest Threat Report revealed that new Mac malware grew a whopping 53 percent in early 2017, taking the total number of detected viruses to 250,000 this year alone.

But the latest find isn’t new at all. Dubbed Perverse, it is a variant of the Fruitfly program that surfaced back in January, and it could be a decade old. It is believed that the number of different strains exceeds 400 — and could be much higher.

Like Fruitfly, Perverse is able to take control of an infected Mac’s webcam, capture screenshots, record keystrokes, and steal other information. It also has the ability to collect data from other devices connected to the same network.

Apple has updated macOS to detect Fruitfly, but Perverse has gone unnoticed by its software and third-party antivirus programs.

Patrick Wardle, who has been investigating the malware for security firm Synack, was able to decrypt some of the domains coded into it. Surprisingly, some were available for the taking, so he registered one of them.

“Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States,” reports Ars Technica.

“Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.”

It’s not completely clear how Perverse makes its way onto Macs, but it is believed that it involves fooling users into clicking malicious links — either in emails or on the web — as opposed to exploiting vulnerabilities in Apple’s software.

But the reason why remains a mystery. There’s no evidence to suggest that Perverse can collect banking details or install other ransomware, so its purpose is unclear. However, it’s possible it was designed to just steal login information.

Fortunately, the primary control server for the malware was shutdown long ago, but affected Macs remain infected. That means anyone who knows the domains it talks to can register one again and continue using the software for malicious purposes.

It’s another reminder that Macs aren’t immune to viruses as many believe. If you’re not careful, you can be at risk of attack, and a good antivirus program could well be worth its price tag.

“A lot of Mac users are overconfident in the security of their Mac,” Wardle said. This discovery “just goes to reiterate to everyday users that there are perhaps people out there trying to hack their computers.”


Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.