‘Fruitfly’ Malware for macOS Variant Still Infecting Computers

A mysterious piece of malware has been infecting hundreds of Mac computers for years — and no one noticed until a few months ago.

A piece of Mac malware called Fruitfly was first publicly documented in January 2017, after which Apple added a signature for it to macOS's built-in malware detection, says Synack security researcher Patrick Wardle, who spoke to Ars Technica ahead of a talk at the Defcon hacker conference on Wednesday.

Before the January disclosure, the malware had apparently circulated undetected in the wild for several years "because current Mac security software is often rather ineffective," Wardle explained.

Variants of the malware have since emerged. The core of the malware is an obfuscated Perl script written in an antiquated style, and indicators in the code suggest it may go back half a decade or more, Wardle said.

Despite its age, the malware still works on modern versions of macOS (the code itself references Yosemite). Fruitfly 2 calls out to a command-and-control server, from which an attacker can remotely spy on and control an infected Mac.

Wardle also found that Fruitfly 2 can essentially take over an infected system: it can control the keyboard and mouse, take screenshots, run background processes, discreetly turn on the webcam, and modify and steal files. To stay hidden, it can even terminate its own process.

What's even more puzzling is that the Mac malware can also run on Linux. In spite of its scary capabilities, Fruitfly 2 isn't a sophisticated piece of software, and it can be detected fairly easily as an anomalous process running on a Mac. Keeping macOS up to date matters because Apple ships detection signatures for known samples, but an update does not by itself clean an infected machine; given that this variant slipped past existing security tools, a suspected infection should be checked for the anomalous process Wardle describes rather than assumed fixed.
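As an added example of what "detected as an anomalous process" can mean in practice (this is illustrative triage logic written for this page, not Wardle's tooling and not the malware's real indicators), the script below looks for the footprint a malicious Perl script of this kind would leave on a Mac: an interpreter started directly by launchd, running a hidden or temp-staged script, together with the per-user launch agent that keeps it alive, and any child processes it spawned. The process table, plist contents, usernames, labels and paths are constructed sample data so the example runs offline; on a real machine the inputs would come from `ps -axo pid,ppid,user,command` and the plists under `~/Library/LaunchAgents`.

```python
"""Added example: triage for a Fruitfly-style persistence footprint on macOS.

Illustrative logic only, not from the article or Wardle's research. All
sample data below is constructed; the labels and paths are placeholders,
not real indicators of compromise.
"""
import plistlib
from dataclasses import dataclass

# Scripting interpreters (Perl first, since that is what Fruitfly is written
# in). None has a routine reason to be launched by launchd against a dotfile
# in a user's home directory or a script staged in a temp directory.
INTERPRETERS = {"perl", "python", "ruby", "sh", "bash", "osascript"}


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    command: str  # command line as `ps -axo pid,ppid,user,command` shows it


def script_arg(argv):
    """First non-option argument after the interpreter, i.e. the script path."""
    return next((a for a in argv[1:] if not a.startswith("-")), "")


def is_hidden_or_temp(path):
    """True for a dotfile anywhere in the path or a script under a temp dir."""
    hidden = any(part.startswith(".") for part in path.split("/") if part)
    return hidden or path.startswith(("/tmp/", "/var/tmp/", "/private/tmp/"))


def is_suspicious_process(p):
    """Interpreter started directly by launchd (ppid 1) on a hidden/temp script."""
    argv = p.command.split()
    if not argv or p.ppid != 1:
        return False
    exe = argv[0].rsplit("/", 1)[-1]
    return exe in INTERPRETERS and is_hidden_or_temp(script_arg(argv))


def flag_processes(procs):
    """Return the pids of suspicious interpreters plus everything they spawned
    (a screenshot or shell helper launched by the script is part of the tree)."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    flagged = []
    stack = [p for p in procs if is_suspicious_process(p)]
    while stack:
        p = stack.pop()
        flagged.append(p.pid)
        stack.extend(by_parent.get(p.pid, []))
    return sorted(flagged)


def suspicious_launch_agents(plists):
    """plists maps plist path -> raw plist bytes. Returns labels of agents that
    run an interpreter on a hidden/temp script and are set to persist."""
    hits = []
    for path, blob in plists.items():
        d = plistlib.loads(blob)
        args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
        if not args:
            continue
        exe = args[0].rsplit("/", 1)[-1]
        persistent = bool(d.get("RunAtLoad") or d.get("KeepAlive"))
        if exe in INTERPRETERS and persistent and is_hidden_or_temp(script_arg(args)):
            hits.append(d.get("Label", path))
    return hits


# Constructed sample process table (placeholder user and paths).
SAMPLE_PROCS = [
    Proc(1, 0, "root", "/sbin/launchd"),
    Proc(412, 1, "alice", "/usr/bin/perl /Users/alice/.example_agent"),  # hidden script, parent launchd
    Proc(500, 412, "alice", "/bin/sh -c /usr/sbin/screencapture -x /tmp/.s.png"),  # spawned by 412
    Proc(415, 1, "alice", "/usr/bin/perl /Users/alice/Library/Scripts/backup.pl"),  # perl from launchd, not hidden
    Proc(530, 1, "root", "/usr/libexec/trustd"),
]

# Constructed sample launch agents (placeholder labels).
SAMPLE_PLISTS = {
    "/Users/alice/Library/LaunchAgents/com.example.agent.plist": plistlib.dumps({
        "Label": "com.example.agent",
        "ProgramArguments": ["/usr/bin/perl", "/Users/alice/.example_agent"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/Users/alice/Library/LaunchAgents/com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/bin/perl", "/Users/alice/Library/Scripts/backup.pl"],
        "StartInterval": 3600,
    }),
}

if __name__ == "__main__":
    print("suspicious pids:", flag_processes(SAMPLE_PROCS))
    print("suspicious launch agents:", suspicious_launch_agents(SAMPLE_PLISTS))
```

The heuristic is deliberately narrow (interpreter, launchd parent, hidden or temp-staged script, persistence keys set) so that an ordinary scheduled Perl script in a user's Library folder, like the `backup.pl` entry above, is not flagged; the process-tree walk is what surfaces the helper commands such a script runs for screenshots or shell access.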

Wardle is going to present his analysis of Fruitfly 2 at the upcoming Black Hat and Def Con conferences in Las Vegas this week.

World-traveling, tech-savvy, music-producing writer obsessed with all things Apple, video games, and the finer things in life, e.g. mezcal and tacos. When I'm not writing I'm exploring new places, eating new foods, and generally trying to be a decent human.

  • awkpain

    Obligatory: Nono. No. Macs cannot get viruses.

  • Chrome262

    They are rare on Macs and Linux machines, only because hackers use those machines and do not want to crap where they eat.

  • I’m curious as to how it installs/spreads. Does it require a system password from the user, or can it somehow install itself?

  • So Young

    hahaha, good one!

  • Chrome262

    It's true, most of the CS and higher-order computational work done here in research is with these OSes, on the front end. People still code in Unix and Linux terminals. And the few people whom I know who find security holes in stuff do it on their Mac and/or Linux machines. Hell, some have both on one computer. And most wouldn't be caught dead on a Windows machine.

  • awkpain

    So many myths in one post. Rather than kill them all I'll just say… no self-respecting hacker owns a Mac without reason and therefore has nothing to test their attack against. Macs are more expensive, the hardware is perpetually a generation or more behind, and the list of software you can use is very limited; Macs are still harder to virtualize because of a specific hardware requirement. Very few would bother compiling a Win32 on a Linux machine. None would use UNIX because it's dead. They would use a distribution of Linux instead.

  • Chrome262

    Unix is alive and well. Not sure what you do, but it's on all the Macs that we used to code for our clusters.

  • awkpain

    Unix is dead. Are you perhaps referring to a version of BSD like macOS itself?

  • Chrome262

    Yes, it's not really dead when it's kind of evolved. Or I guess I should say descendant is the right term?