Mac users typically think they’re immune to malware. But a new strain used for spying reminds us even Macs can be compromised.
Researchers have found an unusual piece of malware, called FruitFly, that’s been infecting some Mac computers for years.
FruitFly operates quietly in the background, spies on users through the computer’s camera, captures images of what’s displayed on the screen and logs key strokes.
Security firm Malwarebytes discovered the first strain earlier this year, but a second version called FruitFly 2 subsequently appeared.
Patrick Wardle, chief security researcher at security firm Synack, found 400 computers infected with the newer strain and believes there’s likely many more cases out there.
It’s unclear how long FruitFly has been infecting computers, but researchers found the code was modified to work on the Mac Yosemite operating system, which was released in October 2014. This suggests the malware existed before that time.
It’s unknown who is behind it or how it got on computers.
Thomas Reed of Malwarebytes called the first version “unlike anything I’ve seen before.”
Wardle says there are multiple strains of FruitFly. The malware has the same spying techniques, but the code is different on each strain.
After months of analyzing the new strain, Wardle decrypted parts of the code and set up a server to intercept traffic from infected computers.
“Immediately, tons of victims that had been infected with this malware started connecting to me,” said Wardle, adding he could see about 400 infected computer names and IP addresses.
He believes this reflects only a small subset of infected users.
The discovery of FruitFly reminds users that although Mac malware is considerably less widespread than Windows, it still exists.
“Mac users are over-confident,” Wardle said. “We might not be as careful as we should be on the internet or opening up email attachments.”
Apple did not respond to a request for comment.
Mac malware has increased in recent years. According to a report from McAfee, Mac malware skyrocketed in 2016, but most of it was adware — or malicious advertising — as opposed to targeted spy campaigns.
Wardle said FruitFly is completely new for Macs. He alerted national law enforcement to the malware. The FBI said it does not confirm or deny the existence of investigations.
It’s unclear how it got on machines and if it targeted individuals randomly or directly.
Wardle, a former NSA analyst, ruled out the possibility of a nationstate hacker who targets users to intercept data for cyberespionage. He also doesn’t believe it’s a criminal using people’s data to make money.
“I believe its goals were a lot more insidious and sick: spying on people,” Wardle said.