Mac computers are being attacked by new malware that takes screenshots without the user's knowledge and then uploads the files to dubious servers. The malware is delivered as an application named macs.app. For now, however, it is not very widespread.
A new type of threat to Apple computer users was found on the Mac of one of the participants of the Oslo Freedom Forum, an international conference on human rights organized annually in Oslo by the Human Rights Foundation.
Once you install macs.app, the app runs in the background and takes screenshots silently. Each captured image is stored in a folder named Mac App in your home directory, from where the files are uploaded to securitytable.org and docsforum.inf. Neither domain is currently reachable.
Tip: Check your home directory for a folder named Mac App (see picture).
Macs.app can run on your Mac because, unlike other malware, it is signed with a valid Apple Developer ID, which means it gets past Gatekeeper protection. The ID belongs to a certain Rajender Kumar, and Apple has the option of revoking his developer rights, which would probably also stop the malware from running. So we can expect an early intervention from the Californian company.
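As an added defensive check, not code from the article or from F-Secure, the following POSIX shell script looks for the indicator the tip above describes: a folder called "Mac App" in the home directory that fills up with screenshots. The function names, the image extensions it counts and the use of macOS's own spctl tool for assessing a suspicious bundle are assumptions of this example; the article does not say what format the screenshots use.

```shell
#!/bin/sh
# Added example, not code from the article or from F-Secure: a small check
# for the indicator the article names, a folder called "Mac App" in the home
# directory that fills up with screenshots. The image extensions below are an
# assumption; the article does not say what format the screenshots use.

# Print how many image files sit under "<home>/Mac App" (0 if the folder is absent).
count_mac_app_images() {
    indicator="$1/Mac App"
    [ -d "$indicator" ] || { echo 0; return; }
    find "$indicator" -type f \( -name '*.png' -o -name '*.jpg' -o -name '*.tiff' \) \
        | wc -l | tr -d ' '
}

# Report on one home directory. Returns 1 when the folder exists so the
# function can be used in scripts that sweep several accounts.
check_mac_app_folder() {
    home_dir="${1:-$HOME}"
    if [ -d "$home_dir/Mac App" ]; then
        echo "FOUND: '$home_dir/Mac App' exists with $(count_mac_app_images "$home_dir") image file(s)"
        return 1
    fi
    echo "OK: no 'Mac App' folder in $home_dir"
    return 0
}

# On macOS, Gatekeeper's command-line front end can also assess a suspicious
# bundle. spctl is a standard macOS tool; the path you pass is your own.
assess_app() {
    if command -v spctl >/dev/null 2>&1; then
        spctl --assess --type execute --verbose "$1"
    else
        echo "spctl not available here (not macOS); skipping assessment of $1"
    fi
}

# Usage: ./check_mac_app.sh [home-directory]   (defaults to $HOME)
check_mac_app_folder "$@"
```

Run it once per account when sweeping a fleet; a FOUND result on a machine whose Gatekeeper has been switched off (as several commenters below admit to doing) is worth a closer look at that account's login items before anything is deleted.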
It is good to know. But why on earth would I install it (is it an .app or an installation package)?
F-Secure is currently investigating the malware to better determine its origin, modes of installation, and how it runs.
I haven't found out in exactly what form it is downloaded, but once it is on your computer, it starts automatically when you start the computer. However, I can't see whether it needs to be installed.
Logically, the user has to run it; the only question is whether it is "packaged" with some application, legal or cracked, or whether an email like "Nude pictures of , run me now" arrives and the user starts it.
Since it looks primitive (it could be written in AppleScript very easily) and since it writes to the user's folder, it shouldn't even need an admin password, but I'm only judging from the image and the information in the article; it might be different :)
If it starts after startup, then I would say it has to finish the installation (either a daemon or the application itself). Anyway, as DJManas writes, it writes to the user's folder precisely so that no password is needed. I don't understand why it writes to "MacApp" and not ".MacApp" - that way nobody who doesn't have hidden files visible (so 90% of people) would notice.
What I see as a bigger problem is that someone used their own Developer ID to get past Gatekeeper - here Apple has to react very quickly and ban such individuals forever. Maybe I could see a "report as spam/virus" function, hidden somewhere deep, so that Apple starts dealing with it immediately whenever it receives more than one such notification about an application.
I confess that I don't have an official developer ID, but I think it is enough to set up an email and pay for a membership, even at 900,- a year, and the user is "live" and can play (as long as he doesn't put it directly in the App Store), which can bring satisfaction, but I don't know exactly how it works, so someone please correct me.
On the other hand, users may have Gatekeeper turned off because they install things from the Web, and I'll admit that I turned it off too, because it wouldn't let me install an app I normally use; I guess it was OnyX back then (freshly installed 10.8) and it didn't detect it. I wonder if they are already official developers now and whether I can turn it on…
I also disabled it for my wife as I developed a couple of "apps/scripts/widgets" that only she and I use and she wouldn't let me install it on her OSX…
I recommend turning Gatekeeper on, and if you want to install an application that is not signed, just right-click on the package/app and click Open. That gives you the option to bypass Gatekeeper for this one case. I do it myself and it seems safer to me - I can still install unsigned applications, but Gatekeeper keeps an eye on everything else.
Thank you, I didn't know that.