This Mac Malware Can Take Screenshots of Your Computer

Written by Jake Peterson From LifeHacker
Original Article: https://lifehacker.com/tech/mac-malware-can-take-screenshots-of-your-computer

Apple used to tout the fact that Macs didn’t get viruses, and while Apple definitely has good anti-malware software, their machines are far from impervious to infection. And with Macs more popular than ever, there exists even more potential malware out there, ready to steal your data and ruin your day. The latest can even take screenshots of what’s on your Mac’s monitor without your knowledge.

Researchers from Kandji have discovered the threat targeting Macs, and it’s not great news. Kandji reports this new malware, which they’ve named "Cuckoo," is a mix between spyware and an infostealer. They discovered it in apps hosted by a site called "DumpMedia," which purported to convert songs on streaming services into MP3s.

When researchers downloaded one of these apps, they noticed the DMG, which allows you to install the app on your Mac, had different installation instructions than most DMGs: Rather than dragging the app to your Applications folder, this DMG instructed users to right click on the app and choose "Open." Unbeknownst to many users, this action bypasses some of the security features that serve as the first lines of defense for newly installed apps downloaded from the web.

Rather than follow these suspicious instructions, researchers choose "Show Package Contents" so they could see what the app was hiding. While they did find a legitimate-looking "DumpMedia Spotify Music Converter" bundle, they also found a suspicious executable file that had no developer ID. That would normally trip Apple’s Gatekeeper program to block the app from opening—hence why the malicious developers prompted potential victims to unwittingly bypass these protections.

Researchers then tested the software by opening it, and found it immediately started gathering information about the machine and running a long list of processes. Interestingly, the program will not continue if it detects the computer is based in Armenia, Belarus, Kazakhstan, Russia, or Ukraine. After more processes, it sneakily asks for your password with a "macOS needs to access System Settings" prompt. Once you enter it, the programs saves your password. It then checks to make sure the password is correct.

From here, the program asks for permission to access Finder, Downloads, and your microphone, then continues to scrape details about your Mac’s hardware, before scraping files from Safari (including bookmarks, cookies, and history), Notes, and Keychain (which contains your passwords). As if that weren’t invasive enough, the malware then initiates the screenshot function, even muting your speakers whenever it takes a screenshot so you don’t hear the sound and realize what’s happening.

All the while, there is an actual program running as advertised, keeping the victim in the dark about all the nefarious processing churning away in the background. According to researchers, DumpMedia is just one site hosting these malicious apps. Others, such as TuneSolo, FoneDog, TunesFun, and TuneFab, all host similar streaming-converter apps, as well as Android recovery tools that feature the same malware.

How to protect your Mac from this and other malware

This story serves as a good reminder to be careful when downloading apps directly from the web onto your devices, whether that’s a Mac, PC, Android, or an iOS device (in the E.U., anyway). While there are plenty of legitimate apps on the internet (as opposed to in an app store like Google Play or the iOS App Store), there are many that are not, so it’s important to vet each program before downloading it.

Research the app, and see if others have had positive experiences with both it and its host site. Speaking of which, it’s safest to download apps from the developer itself: If DumpMedia is hosting a third-party app, for example, that’s riskier than if the app’s developer offers it directly.

In addition, never skirt your Mac’s built-in malware defenses. You might not have known that right-clicking on an app and opening rather than dragging it to the Applications folder bypasses Gatekeeper, but it does. If you follow the normal process and macOS says there’s a problem with the app, believe it. Download your apps from the official Apple App Store when you can, and when you can’t, exercise extra caution.

Share this post: