Pierluigi Paganini October 06, 2016

Mac malware could spy on users by piggybacking on webcam sessions started by legitimate applications such as FaceTime, Skype and Google Hangouts.

Security experts are worried about the presence of a new Mac malware in the wild that attempt to record video via the built-in webcam. The principal problem for this family of spyware is that they are not able to turn on the camera’s LED, a circumstance that can alert the victim.

Back in 2013 a group of experts at the USENIX conference demonstrared how to disable the MacBook Webcam indicator LED without admin privileges or physical access. The technique was successfully tested on some older iMacs and MacBooks, but the new malware represents a novelty in the actual threat landscape.

This new Mac malware leverages on a different mechanism to hide its activity, it is able to silently spy on users by piggybacking on webcam sessions started by legitimate applications such as Skype, Google Hangouts, and FaceTime.

According to Patrick Wardle who developed the malware, former NSA expert and director of research at Synack, when one of the above applications enables the built-in webcam, users are not suspicious the LED lights, although someone is spying on them.

Wardle has developed its malicious code to monitor the system for legitimate user-initiated video sessions during which they secretly record the victim, and he has done it without root privileges.

Wardle has developed a proof-of-concept Mac malware that can exploit the built-in camera and monitor its status in an effort to spy on victims when it is turned on.

The malware uses the same session during which the LED is on to record both video and audio from the webcam.

The Wardle technique was not used by Mac malware in the wild, but it is not difficult to predict a rapid implementation by VXers.

Wardle also devised a tool, dubbed OverSight, to detect such kind of attacks. The OverSight monitors the microphone and webcam usage via user-mode APIs while running in the background.

When the microphone became active OverSight shows the message “Audio Device became active,” while when the camera is turned on id displays users the message “Video Device became active” notifying also the name of the process that wants to access the device. The user can then decide to allow or block the action.

The experts Wardle is well known to IT security industry, in April he developed RansomWhere, a free ransomware detection tool for the protection of Mac OS X systems.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Mac malware, spyware)