Law enforcement officials are investigating what appears to be a malware outbreak specifically targeting Mac users, which has thus far infected an unknown number of Macs owned by individuals and educational institutions in the United States, according to a report published Monday by Forbes. While it’s unclear exactly how the malicious code ultimately made its way onto the infected machines, or whether its intentions are perverse or government-related in nature, one cybersecurity expert is cautioning that the outbreak (dubbed ‘FruitFly’) could prove to be more far-reaching than initially thought.
Those sentiments were delivered by Patrick Wardle, a former NSA analyst who’s now a cybersecurity research partner with Synack. Wardle says that he’s seen “about 400 individual cases” of the ‘FruitFly’ malware so far; however, citing his limited access to “a handful of servers” upon which the malicious code is being hosted, he conceded that there could be many more cases. Wardle says he was able to identify the roughly 400 victims of FruitFly when he accessed one of the server domains that the hackers were allegedly planning to use as a backup when the primary host servers were offline.
Wardle explained to Forbes that he was then able to identify the IP addresses of the primarily (90%) U.S.-based victims, as well as the names of those victims’ Mac computers, which he says made it “really easy to pretty accurately say who is getting infected.” Once the scope of the situation became clear, Wardle says he passed the information along to the appropriate law enforcement authorities, and he plans to present his findings later this week at the 20th annual Black Hat information security conference in Las Vegas.
What Is FruitFly?
The primary intent of FruitFly appears to be surveilling and spying on its victims by recording their actions or capturing screenshots through their Mac’s FaceTime web camera. Wardle believes the malware was created “with the goal to spy on people for perverse reasons.” While it sounds startling, to be sure, Wardle believes that this particular outbreak doesn’t show behavior indicating it’s a cybercrime — particularly because there was no presence of “ads, keyloggers, or ransomware” hidden within the code. Rather, “Its features had looked like they were actions that would support interactivity: it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events.”
Citing comments discovered in the malware’s code that referenced updates for Mac OS X Yosemite (released back in 2014), Wardle believes that the present outbreak of FruitFly may be a variant of an older Apple spy tool, which suggests that the malware could have been present even before then. He admitted, however, that without sufficient insight into the behavior of other servers (which could also be host to the malicious code), it’s difficult to determine the broader scope of the outbreak.
Whether Apple knows about the issue remains unclear; the company did not respond when Forbes reached it for comment.
How to Protect Yourself
While FruitFly’s creators and their motivations remain unknown, it appears to Wardle (at least on the surface) that the hackers simply want to spy on “random individuals” through their web cameras. And so, we highly recommend adding a cover to your Mac’s FaceTime camera and/or manually disabling the camera altogether.