A nearly undetectable form of malware, dubbed “Fruitfly,” has recently been discovered to be active on Mac computers.
While new details on the threat continue to come to light, let's look at some of the ways Mac users could be affected by it.
A Surveillance Malware
The malware was first noticed in January this year.
Security experts at Malwarebytes, a company that develops anti-malware programs, explained how Fruitfly works in a blog post.
The malware accesses files on the infected Mac and gives the attacker behind it complete control over the device's keyboard or mouse.
It is a form of surveillance malware that can also execute shell commands.
It can move or click a mouse and cursor, capture webcams, kill a process, grab the uptime of your system, retrieve a screen capture and alert the hacker when users are active.
The blog post explained that this malware could have been present since the Yosemite version of the Mac OS was released in 2014 and has remained undetected all this time.
The first variant of the Fruitfly malware was a basic one, consisting only of a hidden file and a launch agent to infect Macs.
However, now some new and more sophisticated variants have appeared.
They have also begun to infect many Mac computers.
It is a dangerous piece of malware, given that the Mac OS was not able to detect it for all this time.
Earlier this year, Apple released a security patch to protect users from the Fruitfly malware.
However, due to the emergence of variants, the patch is not very effective against them.
How it Works
The core of the malware is a Perl script that relies on antiquated code.
It works effectively even on the latest versions of the Mac OS.
It communicates with a command-and-control server, so that attackers can spy on an infected computer remotely.
Though not very sophisticated, the malware is complete in its features.
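As an added defensive example (not code from the article, Malwarebytes or Wardle), the following Python script audits the launch agents in a user's LaunchAgents folder for the persistence pattern described above: an agent that starts a script interpreter such as perl, points at a hidden file, and is set to start at login and stay alive. The heuristic interpreter list, the sample plist and its paths are constructed assumptions for this example, not real Fruitfly indicators.

```python
import glob
import os
import plistlib

# Interpreters a launch agent would need in order to run a script, such as the
# Perl script at Fruitfly's core. Heuristic list; an assumption for this example.
SCRIPT_INTERPRETERS = {"perl", "python", "ruby", "sh", "bash", "osascript"}

def is_hidden_path(path):
    # True if any path component starts with a dot (a hidden file or directory)
    return any(part.startswith(".") for part in path.split("/") if part)

def audit_launch_agent(plist_bytes):
    """Return findings for one launch agent plist (empty list = nothing matched)."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or []
    findings = []
    interpreter = args[0].rsplit("/", 1)[-1] if args else ""
    if interpreter in SCRIPT_INTERPRETERS:
        findings.append(f"runs a script interpreter: {interpreter}")
    for arg in args[1:]:
        if is_hidden_path(arg):
            findings.append(f"references a hidden path: {arg}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("starts at login and is restarted if killed (RunAtLoad + KeepAlive)")
    return findings

def audit_directory(directory):
    """Audit every .plist in a LaunchAgents directory; returns {path: findings}."""
    results = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        with open(path, "rb") as fh:
            results[path] = audit_launch_agent(fh.read())
    return results

# Constructed sample in the shape the article describes (hidden file plus a launch agent running a Perl script); not a real Fruitfly artifact.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/perl</string>
    <string>/Users/demo/.hidden/agent.pl</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for path, hits in audit_directory(os.path.expanduser("~/Library/LaunchAgents")).items():
        print(path, "->", "; ".join(hits) if hits else "no findings")
```

A hit is a lead for manual review, not proof of infection: legitimate agents also use interpreters, so check the referenced script and its network behaviour before removing anything.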
Features of the Malware
Given the seriousness of the malware, former National Security Agency hacker Patrick Wardle began to work on analyzing the malware.
He states that the malware is capable of taking complete control of the Mac, running commands in the background.
It is even capable of killing its own process in order to avoid detection.
One of the most interesting features of Fruitfly, according to Wardle, is that the malware can alert the hacker when the Mac's owner is using the computer.
The hacker can then refrain from acting on the computer at that time and thus remain hidden.
There are also some additional commands that extend the malware's options.
It can take screenshots at different quality levels, which is useful when trying to avoid detection on a network or when working over a low-bandwidth connection.
Who is Behind the Malware?
Based on Wardle’s tests, it seems that a single nation state hacker is running the Fruitfly malware.
The objective is probably to spy on users, likely for perverse motives.
The exact number of devices infected by this malware cannot be determined.
However, it can be safely said that the infection is not as widespread as some other recent malware.
Wardle has access to only some of the servers that were used for controlling Fruitfly.
Delivery of Infection
Wardle was not able to ascertain how the malware is actually delivered to the affected machines.
However, he suggests that it may enter a Mac through malicious email attachments.
It is also possible that Fruitfly infects a Mac via infected websites or applications, or through phishing emails.
Wardle recommends some freely downloadable Mac tools that help protect users from such attacks.
He developed one of them, OverSight, a free tool that notifies users when the webcam or microphone on their device becomes active.
This offers protection against one of Fruitfly's capabilities.
The recent Fruitfly malware goes to show that Macs are just as vulnerable to attack as other operating systems.
Apple has not yet responded to requests for a comment on this new malware variant.