Many Mac users operate under the assumption that they are impervious to viruses and malware, but as we are finding more and more these days, that’s not strictly true. A new piece of malware has recently been found that appears to take screenshots of a user’s desktop which are then saved to a folder in the user’s Home directory.
The malware masquerades as an app called macs.app, which is registered to launch every time the user logs in. Once running, it appears to take screenshots of the desktop and save them to a folder called MacApp in the user’s Home directory.
According to the security researcher who found the malware, it is associated with two command and control servers. Both securitytable.org and docsforum.info appear to be related to macs.app, though one is offline and the other returns a ‘public access forbidden’ message when accessed. It’s not yet known where the malware originated, but interestingly it is signed by a registered Mac developer going by the name of Rajender Kumar.
Apple’s Developer ID signing is supposed to make situations like this harder, but it is worth being precise about what it does and does not do. Gatekeeper, in its default setting, lets a downloaded app run if it carries a valid Developer ID signature; the signature only says who Apple issued the certificate to, not that the app is safe. Signing macs.app with what appears to be a valid Developer ID in the name Rajender Kumar therefore looks like an attempt to get past Gatekeeper, not evidence that the developer is legitimate. Apple can revoke a Developer ID certificate once it is found to be abused, after which Gatekeeper no longer treats apps signed with it as trusted. Though Rajender Kumar is not an uncommon name, it is similar to that of a famous Bollywood actor who recently passed away, prompting suggestions that the developer name may be a reference to the late actor.
Where the malware originated is still being investigated. It does not appear to be widespread at this point, and removing macs.app from the Login Items list (and deleting the app itself along with the MacApp folder of captured screenshots) stops it from running at the next login, which all but removes the risk it poses.
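For readers who want to check a Mac themselves, the following shell script is an added example written for this article, not code from the article or from the researcher who reported the malware. It looks for the three indicators described above: macs.app registered as a login item, a MacApp folder in the user’s Home directory, and a Developer ID signature in the name Rajender Kumar. The exact "Authority=" line that codesign prints for this signer and the candidate install locations of macs.app are assumptions, not values taken from a real sample; the check_* functions read their input as text so they can be tried against constructed data on any system, while scan_this_mac gathers the real data with the macOS tools osascript and codesign.

```shell
#!/bin/sh
# Added example (not from the original article): indicator-of-compromise check for the
# macs.app screenshot malware. Indicators, all taken from the article: a login item named
# macs.app, a MacApp folder in the user's home directory, and a Developer ID signature in
# the name Rajender Kumar. The "Authority=" string below and the install paths searched
# are assumptions about what a real sample would look like.

# Turn osascript's comma-separated login item list ("iTunesHelper, macs.app")
# into one item per line with surrounding whitespace removed.
normalize_login_items() {
    tr ',' '\n' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Exit 0 if the login item list on stdin (one name per line) contains macs.app.
check_login_items() {
    grep -qi '^macs\.app$'
}

# Exit 0 if the home directory given as $1 contains the MacApp screenshot folder.
check_screenshot_folder() {
    [ -d "$1/MacApp" ]
}

# Exit 0 if the codesign output on stdin names the Developer ID reported for the malware.
# Assumption: codesign -dv --verbose=4 prints the leaf certificate as an Authority= line
# of the form "Authority=Developer ID Application: <developer name>".
check_signer() {
    grep -q 'Authority=Developer ID Application: Rajender Kumar'
}

# Run all three checks on a live macOS system and print each indicator found.
# Returns 1 if any indicator matched, 0 if none did, 2 when not run on macOS.
scan_this_mac() {
    if [ "$(uname)" != "Darwin" ]; then
        echo "scan_this_mac: this function only runs on macOS" >&2
        return 2
    fi
    found=0
    if osascript -e 'tell application "System Events" to get the name of every login item' \
            | normalize_login_items | check_login_items; then
        echo "indicator: macs.app is registered as a login item"
        found=1
    fi
    if check_screenshot_folder "$HOME"; then
        echo "indicator: screenshot folder $HOME/MacApp exists"
        found=1
    fi
    # Assumed install locations; 'mdfind -name macs.app' will find copies elsewhere.
    for app in /Applications/macs.app "$HOME/Applications/macs.app"; do
        if [ -d "$app" ] && codesign -dv --verbose=4 "$app" 2>&1 | check_signer; then
            echo "indicator: $app is signed by the Developer ID named in the report"
            found=1
        fi
    done
    return $found
}

# Usage on a Mac:  . ./macs_app_check.sh && scan_this_mac
```

A match on any one indicator is worth acting on; the login item check is the cheapest and the most reliable of the three, since the folder name and the signing identity could change between samples while the app still needs some way to start at login.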
Apple can be either particularly quick or particularly slow in offering security fixes, so we’ll just have to wait and see which it is this time around. The seemingly small scale of the attacks caused by this malware may see Apple put it on the back burner so close to WWDC. Whether it should do such a thing is entirely debatable.