We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

New Mac spyware found on Angolan activist's computer

The malware is digitally signed with a valid Apple Developer ID, security researchers say

Previously unknown Mac OS X spyware, signed with a valid Apple Developer ID, has turned up on the laptop of an activist from Angola at a human rights conference in Norway.

Security researcher and privacy activist Jacob Appelbaum found the spyware on the activist's Mac at the Oslo Freedom Forum earlier this week.

The activist's computer was compromised as a result of a spear phishing attack, Appelbaum said Thursday on Twitter. The researcher claims that he has copies of the attack emails and two different malware samples.

Security researchers from Finnish antivirus firm F-Secure analyzed one of the malware samples and concluded that it is a previously unknown Mac backdoor program which appears to be signed with a valid Apple Developer ID.

Apple's Developer ID program allows developers to sign their Mac applications with trusted digital certificates issued by Apple so they don't get flagged as malware by the Gatekeeper feature in Mac OS X Mountain Lion.

"Signing your applications, plug-ins, and installer packages with a Developer ID certificate lets Gatekeeper verify that they are not known malware and have not been tampered with," Apple says on its developer website.

The malware, which F-Secure now detects as OSX/KitM.A, takes screen shots without authorization and saves them in a folder for later uploading to remote servers. The malware contacts two command-and-control domains hosted on servers in the Netherlands, according to F-Secure's analysis.

Antivirus firm Symantec has also added detection routines for the new threat, which it calls OSX.Kitmos. In addition to taking screen shots, this Trojan program can download and install other malware and steal information, the company said in a technical document on its website.

The malware can execute commands on behalf of attackers, can upload files from the compromised computer and can manipulate the network activity indicator in order to hide its presence, Symantec said.

Answering a question on Twitter on whether he plans to make copies of the spear phishing emails public, Applebaum said that he's likely to write a blog post about it, but after first talking with the victim about some of the details since their life might be in danger.


IDG UK Sites

Best Black Friday 2014 tech deals: Get bargains on smartphones, tablets, laptops and more

IDG UK Sites

What the Internet of Things will look like in 2015: homes will get smarter, people might get fitter

IDG UK Sites

Artist creates a geometric rave in a chapel for The House of St Barnabus

IDG UK Sites

Mac mini (Late 2014) 1.4 GHz review: Mac mini is sort of upgradable, but is it any good as it is?