Jacob Appelbaum discovered new Mac spyware during this year’s Oslo Freedom Forum, held on May 13-15. While running a workshop on how to protect devices against government monitoring, Appelbaum found spyware on the Mac of an African activist attending the event. The sample, named OSX/KitM.A, is being analyzed by the anti-virus company F-Secure (via CNET).
The spyware is a small application called macs.app, installed as a login item so that it starts each time the user logs in. Once running, it takes screenshots and stores them in a folder named MacApp in the user’s home directory.
What raised the alarm is that the app also tries to upload those screenshots to the domains securitytable.org and docsforum.info. At the time of F-Secure’s analysis neither domain was accepting the uploads: they were either not functional or returned a “public access forbidden” message.
A notable aspect of this spyware is that it is signed with an Apple Developer ID. Developer ID signing is the mechanism Apple’s Gatekeeper relies on: with the default setting (“Mac App Store and identified developers”), Gatekeeper refuses to launch unsigned applications downloaded from the internet, so a valid signature removes the block a user would otherwise hit. A signature only proves that Apple issued a certificate to whoever registered the developer account; it says nothing about what the code does, and Apple’s remedy once a certificate is found on malware is to revoke it.
The malware is somewhat unusual in that its signature chains to what appears to be a valid Apple Developer ID issued under the name Rajender Kumar. Though not an uncommon name, this may be a reference to the late Bollywood actor of a similar name. Whatever the reason for the choice, the ID appears to have been obtained to get the app past Gatekeeper’s execution prevention.
The origin of the spyware is unknown. While F-Secure continues its investigation, it recommends checking the Login Items list (System Preferences > Users & Groups > Login Items) for macs.app and removing it if present. Because the app writes its screenshots under the logged-in user’s home directory, a MacApp folder there is a further sign that it has been active.
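A triage script for the indicators the article lists, as an added example that is not F-Secure’s tooling or anything taken from the sample: it parses the signer chain out of `codesign -dvvv` output, reduces a `spctl` Gatekeeper assessment to a verdict, flags a login item named macs, checks for the ~/MacApp screenshot folder, and on a Mac runs those checks against every login item enumerated through System Events. `osascript`, `codesign` and `spctl` are the real macOS tools; the SAMPLE_* strings are constructed in those tools’ output format rather than captured from KitM.A, and the /Users/activist paths and the Identifier= value in them are made up.

```shell
#!/bin/sh
# Triage helper for the KitM.A indicators described in the article: a login
# item named macs, a ~/MacApp screenshot folder, and a Developer ID signature.
# Added example, not F-Secure's or Apple's tooling. The SAMPLE_* strings are
# constructed in the real output format of codesign/spctl, not real captures.

# Print the certificate chain of a signed bundle: the Authority= lines that
# `codesign -dvvv` writes to stderr (so feed it with 2>&1). The first line is
# the leaf signer; the last should read "Apple Root CA".
signer_chain() {
    sed -n 's/^Authority=//p'
}

# Print the leaf signer, or "unsigned" when codesign reports no signature.
# A "Developer ID Application" leaf only proves Apple issued a certificate to
# the account that signed; it says nothing about what the code does.
leaf_signer() {
    out=$(cat)
    case "$out" in
        *"not signed at all"*) echo unsigned; return 0 ;;
    esac
    printf '%s\n' "$out" | signer_chain | head -n 1
}

# Reduce `spctl --assess --type execute -vv` output to accepted/rejected.
gatekeeper_verdict() {
    grep -oE 'accepted|rejected' | head -n 1
}

# Login item names arrive one per line; macOS lists them without ".app".
# This is a name match only, the same check F-Secure recommends by hand.
has_kitm_login_item() {
    grep -qiE '^macs(\.app)?$'
}

# Constructed samples (paths and Identifier made up) so the parsers can be
# exercised on any machine.
SAMPLE_SIGNED='Executable=/Users/activist/macs.app/Contents/MacOS/macs
Identifier=macs
Format=bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Rajender Kumar
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
SAMPLE_UNSIGNED='/Users/activist/other.app: code object is not signed at all'
SAMPLE_SPCTL='/Users/activist/macs.app: accepted
source=Developer ID'

# Live checks, macOS only: look for the screenshot folder, then inspect the
# signature and Gatekeeper verdict of every login item.
triage_host() {
    if [ -d "$HOME/MacApp" ]; then
        echo "screenshot folder present: $HOME/MacApp"
    fi
    names=$(osascript -e 'tell application "System Events" to get the name of every login item' \
            | tr ',' '\n' | sed 's/^ *//')
    if printf '%s\n' "$names" | has_kitm_login_item; then
        echo "login item named macs present"
    fi
    osascript -e 'tell application "System Events" to get the path of every login item' \
        | tr ',' '\n' | sed 's/^ *//' | while read -r app; do
        [ -n "$app" ] || continue
        echo "== $app"
        echo "signer: $(codesign -dvvv "$app" 2>&1 | leaf_signer)"
        echo "gatekeeper: $(spctl --assess --type execute -vv "$app" 2>&1 | gatekeeper_verdict)"
    done
}

# Exercise the parsers everywhere; run the live checks only on a Mac.
echo "sample signer: $(printf '%s\n' "$SAMPLE_SIGNED" | leaf_signer)"
if [ "$(uname -s)" = Darwin ]; then
    triage_host
fi
```

Run it as `sh triage.sh` on the suspect Mac. A login item whose leaf signer is a Developer ID and whose Gatekeeper verdict is “accepted” is exactly the situation the article describes, so “accepted” is not evidence the app is benign. Note too that Gatekeeper only assesses files that carry the download quarantine attribute; an app copied in by other means was never checked at all, which is why the login-item and ~/MacApp checks matter regardless of the verdict. Removal is still the manual step F-Secure recommends.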