New Mac spyware signed with legitimate Apple Developer ID

A new piece of malware designed to spy on Mac users has been unearthed by security researcher and hacker Jacob Appelbaum at the Oslo Freedom Conference held this week in Norway.

The malware was discovered on an African human rights activist’s Mac who participated in a workshop dedicated to teaching activists how to secure their devices against government and any other kind of snooping.

“The Angolan activist was pwned via a spear phishing attack – I have the original emails, the original payload and an updated payload,” Applebaum explained in a tweet.

The worst thing is that the malware wasn’t, at the time, detected as such by any security software, and neither were the URLs serving it.

In fact, the backdoor was signed with a legitimate Apple Developer ID associated with a developer by the name of Rajinder Kumar, and thus was able to bypass Apple’s Gatekeeper.

The malware starts working every time the computer is restarted, and it takes screenshots in regular intervals and uploads them to two C&C servers – one of which is currently unavailable, and the other impossible to access without permission.

Since the discovery of the malware, Apple has revoked the aforementioned developer’s ID, and another researcher has discovered another sample in the wild.

The good news is that the malware can easily be removed from the infected computer by deleting macs.app from the applications folder and log-in queue.

UPDATE: According to the folks at F-Secure, the malware is connected with the large cyber espionage campaign originating from India.

More about

Don't miss