Spyware 'Signed' by Apple Found on Activist's Mac Laptop
A unique piece of Mac OS X malware, designed to evade Apple's Gatekeeper anti-malware application, was discovered this week on the laptop of an Angolan human-rights activist at the Oslo Freedom Forum in Norway.
The malware, discovered Tuesday (May 14) by American security researcher and digital-rights activist Jacob Appelbaum, was found buried among normal programs.
The malware was written to activate each time the Mac was booted up and, more importantly, was signed with a real Apple developer ID. That means it would evade even the strongest settings on Mac OS X's built-in Gatekeeper app-screening software.
"The Angolan activist was pwned via a spear phishing attack," Appelbaum wrote on Twitter. "I have the original emails, the original payload and an updated payload."
Appelbaum gave samples of the malware to Finnish security firm F-Secure for analysis.
In a subsequent blog posting, F-Secure's Sean Sullivan said the clandestine program, called "macs.app," secretly took screenshots and sent them over the Internet to two command-and-control servers in France and the Netherlands.
Appelbaum didn't name the person upon whose laptop the malware was found, but said he feared the person's life may be in danger.
An Angolan journalist, civil-rights activist and opponent of the current Angolan government was a featured speaker at the conference.
Since its discovery, the malware has been found on at least one other system, but experts don't believe the attack to be widespread.
The Oslo Freedom Forum bills itself as an event dedicated to "exploring how best to challenge authoritarianism and promote free and open societies" and is attended by human-rights activists from around the world.
Apple has since revoked the developer ID in question, Appelbaum said on Twitter yesterday (May 16).
Infected users can remove the offending program themselves with a signature file included in F-Secure's security program, or by simply deleting it from their Mac's startup applications list, found in Users & Groups in System Preferences.
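The two facts above, that a valid Developer ID signature is enough to satisfy Gatekeeper and that the program ran as a startup item, suggest a simple defensive check: enumerate login items and inspect who signed each one rather than trusting "signed" as "safe". The script below is an added illustration, not code from the article, Apple or F-Secure. It assumes the output of `codesign -dvvv <bundle>` (which the real tool prints to stderr) has been captured as text; the three sample outputs, the paths and the team identifier are constructed placeholders.

```python
"""
Triage macOS login items by code-signing identity.

Added example, not from the article or from Apple/F-Secure. Parses captured
`codesign -dvvv` output and flags items whose signature is valid but whose
signing team is not on a local allowlist. Sample data below is constructed.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

AUTHORITY_RE = re.compile(r"^Authority=(.+)$", re.MULTILINE)
IDENTIFIER_RE = re.compile(r"^Identifier=(.+)$", re.MULTILINE)
TEAM_RE = re.compile(r"^TeamIdentifier=(.+)$", re.MULTILINE)


@dataclass
class SigningInfo:
    identifier: Optional[str] = None
    team_id: Optional[str] = None
    authorities: List[str] = field(default_factory=list)


def parse_codesign(text: str) -> SigningInfo:
    """Pull bundle identifier, team ID and certificate chain out of codesign output."""
    ident = IDENTIFIER_RE.search(text)
    team = TEAM_RE.search(text)
    return SigningInfo(
        identifier=ident.group(1).strip() if ident else None,
        team_id=team.group(1).strip() if team else None,
        authorities=[a.strip() for a in AUTHORITY_RE.findall(text)],
    )


def classify(info: SigningInfo, allowed_team_ids: Set[str]) -> str:
    """Decide whether a login item deserves a closer look.

    A valid Developer ID signature satisfies Gatekeeper, so it is not treated
    as proof of trust: Developer-ID-signed code from a team that is not on the
    local allowlist is still flagged for review.
    """
    if not info.authorities:
        return "unsigned: review"
    if info.team_id in allowed_team_ids:
        return "allowlisted"
    leaf = info.authorities[0]  # first Authority line is the leaf certificate
    if leaf == "Software Signing":
        return "apple-signed"
    if leaf.startswith("Developer ID Application:"):
        return "developer-id, not allowlisted: review"
    return "unrecognised signature: review"


def triage(outputs: Dict[str, str], allowed_team_ids: Set[str]) -> Dict[str, str]:
    """Map each login-item path to a verdict string."""
    return {path: classify(parse_codesign(text), allowed_team_ids)
            for path, text in outputs.items()}


def codesign_output(path: str) -> str:
    """Capture codesign output on a real Mac (macOS only; unused by the sample)."""
    proc = subprocess.run(["codesign", "-dvvv", path],
                          capture_output=True, text=True)
    return proc.stderr + proc.stdout


# Constructed sample: three login items as codesign might describe them.
# Paths, the developer name and PLACEHOLDERTEAM are placeholders, not real values.
SAMPLE_OUTPUTS = {
    "/Applications/Safari.app": (
        "Identifier=com.apple.Safari\n"
        "Authority=Software Signing\n"
        "Authority=Apple Code Signing Certification Authority\n"
        "Authority=Apple Root CA\n"
        "TeamIdentifier=not set\n"
    ),
    "/Users/alice/macs.app": (
        "Identifier=macs\n"
        "Authority=Developer ID Application: Example Developer (PLACEHOLDERTEAM)\n"
        "Authority=Developer ID Certification Authority\n"
        "Authority=Apple Root CA\n"
        "TeamIdentifier=PLACEHOLDERTEAM\n"
    ),
    "/Users/alice/Applications/Helper.app": (
        "/Users/alice/Applications/Helper.app: code object is not signed at all\n"
    ),
}

ALLOWED_TEAM_IDS: Set[str] = set()  # fill with team IDs the organisation has vetted


def triage_sample() -> Dict[str, str]:
    """Run the triage over the constructed sample."""
    return triage(SAMPLE_OUTPUTS, ALLOWED_TEAM_IDS)


if __name__ == "__main__":
    for item_path, verdict in triage_sample().items():
        print(f"{verdict:40s} {item_path}")
```

On a real machine the `outputs` dictionary would be built by calling `codesign_output()` on each entry of the user's login items; the verdicts only narrow the list to items worth a human look, and anything flagged should be compared against the F-Secure signature for the sample the article describes rather than judged by the signature chain alone.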