New Mac spyware signed with legitimate Apple Developer ID
Posted on 17.05.2013
A new piece of malware designed to spy on Mac users has been unearthed by security researcher and hacker Jacob Appelbaum at the Oslo Freedom Conference held this week in Norway.

The malware was discovered on an African human rights activist's Mac who participated in a workshop dedicated to teaching activists how to secure their devices against government and any other kind of snooping.

"The Angolan activist was pwned via a spear phishing attack Ė I have the original emails, the original payload and an updated payload," Applebaum explained in a tweet.

The worst thing is that the malware wasn't, at the time, detected as such by any security software, and neither were the URLs serving it.

In fact, the backdoor was signed with a legitimate Apple Developer ID associated with a developer by the name of Rajinder Kumar, and thus was able to bypass Apple's Gatekeeper.

The malware starts working every time the computer is restarted, and it takes screenshots in regular intervals and uploads them to two C&C servers - one of which is currently unavailable, and the other impossible to access without permission.

Since the discovery of the malware, Apple has revoked the aforementioned developer's ID, and another researcher has discovered another sample in the wild.

The good news is that the malware can easily be removed from the infected computer by deleting from the applications folder and log-in queue.

UPDATE: According to the folks at F-Secure, the malware is connected with the large cyber espionage campaign originating from India.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th