The latest item of Mac malware to be uncovered is actually not new at all; in fact, it may have been around for several years. Dubbed “Fruitfly” by Apple, this malware has some novel features. In particular, its function depends upon using both an outdated library from the late 90s, libjpeg, as well as pre-OS X system calls. Why the malware was designed to use outdated methods is unknown, but in the wake of the malware’s discovery, Apple promptly issued an update to XProtect to reduce the threat to users. What is Fruitfly capable of doing on an infected system?
Fruitfly’s most basic functions involved using the aforementioned system calls to access your Mac’s webcam or capture images of your current screen. It also connects to the Internet to phone home to its command and control server. After connecting, the malware may receive commands or download scripts to gain deeper system control. In some cases, this is a script to discovery local network devices. In other cases, the malware receives information about the mouse cursor’s positioning, begins inputting clicks, or simulates keystrokes. In other words, it can essentially hijack a Mac to spy on a user or snoop through files, although the methods observed so far are rudimentary at best.
The Malwarebytes security research team also uncovered evidence of Linux shell commands during their investigation into Fruitfly. After confirming successful functionality on a Linux machine, it seems likely this malware may have been developed to target multiple platforms. What isn’t known is how Fruitfly spreads from one computer to another. It relies on a well-known technique, easily detected by scanners, to execute itself and has only appeared on small research networks so far. As a result, many questions about its purpose and origin remain.
To further help Mac owners guard against Fruitfly and ensure it isn’t present on their system, MacScan 3’s malware definitions have received an update. It can now detect and remove this threat. Download a free 30-day trial version of MacScan 3, available directly on www.securemac.com/macscan.