New Mac spyware signed with legitimate Apple Developer ID
Posted on 17.05.2013
A new piece of malware designed to spy on Mac users has been unearthed by security researcher and hacker Jacob Appelbaum at the Oslo Freedom Conference held this week in Norway.

The malware was discovered on an African human rights activist's Mac who participated in a workshop dedicated to teaching activists how to secure their devices against government and any other kind of snooping.

"The Angolan activist was pwned via a spear phishing attack – I have the original emails, the original payload and an updated payload," Applebaum explained in a tweet.

The worst thing is that the malware wasn't, at the time, detected as such by any security software, and neither were the URLs serving it.

In fact, the backdoor was signed with a legitimate Apple Developer ID associated with a developer by the name of Rajinder Kumar, and thus was able to bypass Apple's Gatekeeper.

The malware starts working every time the computer is restarted, and it takes screenshots in regular intervals and uploads them to two C&C servers - one of which is currently unavailable, and the other impossible to access without permission.

Since the discovery of the malware, Apple has revoked the aforementioned developer's ID, and another researcher has discovered another sample in the wild.

The good news is that the malware can easily be removed from the infected computer by deleting from the applications folder and log-in queue.

UPDATE: According to the folks at F-Secure, the malware is connected with the large cyber espionage campaign originating from India.


Pen-testing drone searches for unsecured devices

You're sitting in an office, and you send a print job to the main office printer. You see or hear a drone flying outside your window. Next thing you know, the printer buzzes to life and, after spitting out your print job, it continues to work and presents you with more filled pages than you expected.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Oct 9th