‘Fruitfly’ Malware for macOS Variant Still Infecting Computers

A mysterious piece of malware has been infecting hundreds of Mac computers for years — and no one noticed until a few months ago.

A piece of Mac malware, called Fruitfly, was first discovered and patched by Apple back in January 2017, says Synack security researcher Patrick Wardle, who spoke to Ars Technica ahead of a talk at the Defcon hacker conference on Wednesday.

Prior to the January revelation of Fruitfly’s existence, the malware had apparently existed undetected in the wild for several years “because current Mac security software is often rather ineffective,” Wardle explained.

Now, variants of the malware have since emerged. The core of the malware is an obfuscated perl script using antiquated code, with indicators in the code that suggest the malware may go back almost half a decade or more, Wardle said.

Nevertheless, the malware still works well on modern versions of macOS, including Yosemite. Fruitfly 2 connects and communicates with a command and control server, where an attacker can remotely spy on and control an infected Mac.

Furthermore, Wardle discovered that Fruitfly 2 can basically take over an infected system, which includes controlling the keyboard and mouse, take screenshots, run background processes, discreetly turn on the webcam, as well as modify and steal files. In order to remain undetected, it can even terminate its own process in the system.

What’s even more puzzling is that the Mac malware can also run on Linux devices. In spite of its scary capabilities, Fruitfly 2 isn’t a sophisticated piece of software and it can be easily detected as an anomalous process running on Macs. Updating macOS to the latest version should fix the problem, in case your device is infected.

Wardle is going to talk about FruitFly 2 at the upcoming Black Hat and Def Con conferences in Las Vegas this week.