New Mac malware can remotely access FaceTime camera, but macOS Gatekeeper users are protected

Posted:
in macOS edited July 2016
A new piece of Mac-targeting malware is in the wild, potentially allowing hackers to remotely execute code and even control the FaceTime camera on a user's computer, but Apple's own Gatekeeper security prevents the unsigned app from being installed.




The newly unleashed EasyDoc Converter installs a wide array of malware on a victim's computer -- but it isn't signed by Apple, which means the Gatekeeper tool in macOS should adequately protect users with default settings. Researchers at Bitdefender published an analysis detailing the malware package this week, dubbing it "Backdoor.MAC.Eleanor."

The malware is hidden inside a fake file converter application named "EasyDoc Converter.app." Once users install the nonfunctional software, it downloads a malicious script.

Following installation of the app, it will fetch a number of tools that can access the FaceTime camera, download files, execute commands, and even send emails with attached files.

The remote FaceTime camera access is possible through an open-source camera access tool known as "wacaw." The EasyDoc Converter also includes a Tor hidden service, allowing attackers to remotely control the machine.

However, users who have Apple's Gatekeeper security package enabled on their Mac -- as it is by default -- are said to be protected.




Additionally, an Internet connection monitoring application like Little Snitch can be used to monitor and block incoming and outgoing tranmissions. Additionally, utilities similar to Patrick Wardle's BlockBlock can prevent installation of persistent components such as malware. AppleInsider tested an installation of the malware, and as of yet, Apple's integrated Xprotect has not been updated to stop the recently discovered malware.

Today's revelation of the "Backdoor.MAC.Eleanor" malware is the second OS X specific discovery in 2016, not including adware. In March, a bogus version of BitTorrent client Transmission was uploaded to its file repository, and was downloaded by unsuspecting users 6,500 times in its brief availability. It was ultimately stopped by an Xprotect update, and removal instructions were posted by the legitimate Transmission developers.

Regarding the Backdoor.Mac.Eleanor installation, computer forensics expert Jonathan Zdziarski told The Register that the package "could be serious for users who ran the program, but of course the lesson (as always) is to be careful what you install on your computer."

The EasyDoc Converter application was removed from MacUpdate overnight, and was never available on the Mac App Store.

Comments

  • Reply 1 of 15
    zroger73zroger73 Posts: 787member
    An iMac on a desk faces my bed. They'll only access my camera once! :blush: 
    coolfactorlkrupplongpathmacxpresstailpipemagman1979dasanman69lolliverRayz2016
  • Reply 2 of 15
    iqatedoiqatedo Posts: 1,822member
    Is the green camera in use LED hard configured to light up whenever the camera is in use on all systems, as I believe it has been in hardware previously?
  • Reply 3 of 15
    lkrupplkrupp Posts: 10,557member
    But, but, choice.

    Gatekeeper is annoying.

    I own my computer and I don’t want Apple telling me what I can download.

    I’m a geek so I don’t need protection by Apple.

    Did I miss any?
    longpathai46argonautbaconstangmagman1979lolliversteveh
  • Reply 4 of 15
    iqatedoiqatedo Posts: 1,822member
    lkrupp said:
    But, but, choice.

    Gatekeeper is annoying.

    I own my computer and I don’t want Apple telling me what I can download.

    I’m a geek so I don’t need protection by Apple.

    Did I miss any?
    A walled garden can be quite attractive.

    baconstangmagman1979boopthesnootcpsro
  • Reply 5 of 15
    maltzmaltz Posts: 453member
    lkrupp said:
    But, but, choice.

    Gatekeeper is annoying.

    I own my computer and I don’t want Apple telling me what I can download.

    I’m a geek so I don’t need protection by Apple.

    Did I miss any?

    To be fair, those are all fair criticisms of most such software (well, maybe not the last one  lol) so it's not that unreasonable for people who haven't used it to assume that Gatekeeper is just as bad as other such solutions.  Especially if they lived through Vista.  lol  I'm a huge fan of Gatekeeper, though, and leave it on its most restrictive setting.  Then when I install a new app, I have to right-click to open it.  Once.  Then it never bothers me again.  Best of both worlds!
    ai46
  • Reply 6 of 15
    jameskatt2jameskatt2 Posts: 720member
    lkrupp said:
    But, but, choice.

    Gatekeeper is annoying.

    I own my computer and I don’t want Apple telling me what I can download.

    I’m a geek so I don’t need protection by Apple.

    Did I miss any?

    Unprotected sex can lead to AIDS. 


  • Reply 7 of 15
    rwesrwes Posts: 200member
    iqatedo said:
    Is the green camera in use LED hard configured to light up whenever the camera is in use on all systems, as I believe it has been in hardware previously?
    I was curious about this as well. If the light comes on when someone, via the -malware-, is remotely accessing the camera.

    lkrupp said:
    But, but, choice.

    Gatekeeper is annoying.

    I own my computer and I don’t want Apple telling me what I can download.

    I’m a geek so I don’t need protection by Apple.

    Did I miss any?
    Missed your "/s" :D Power (and no headache) to us -geeks- who prefer the iOS and macOS walled gardens. We can geek out without these headaches.
  • Reply 8 of 15
    indyfxindyfx Posts: 321member
    lkrupp said:
    But, but, choice.

    Gatekeeper is annoying.

    I own my computer and I don’t want Apple telling me what I can download.

    I’m a geek so I don’t need protection by Apple.

    Did I miss any?

    Even on the most restrictive setting (app store only) you can right click to specifically allow running of non app store (but recognized developers) apps
    this flags the app as "ok" so it will run in the future without requiring the right click.
    To run un recognized developers apps, right click on the app to attempt to run, which will be refused because of an un-recognized developer, 
    then go to the security and privacy settings (in system prefs) and an option to "run anyway" will be available, click that and the app will run (and be flagged as "ok" for future launches.)
    Setting security to "App Store & identified developers" removes the necessity to first right click on the app to run recognized developers apps

    There is NO functionality restriction to leaving app security on on "Mac App Store", or "App Store & identified developers" 
    nolamacguyfastasleepRosynaboopthesnootpscooter63
  • Reply 9 of 15
    linkmanlinkman Posts: 1,035member
    iqatedo said:
    Is the green camera in use LED hard configured to light up whenever the camera is in use on all systems, as I believe it has been in hardware previously?
    I believe that there is potential hack for some models, but I don't think it ever left the proof of concept stage. If it were possible they should have wired the LED to the power supply for the camera -- unless the LED burns out there's no possibly way to hack it remotely.

    http://www.macrumors.com/2013/12/18/software-allows-hackers-to-activate-macbook-webcams-without-green-warning-light/

    http://www.cultofmac.com/258855/alarming-study-shows-macs-camera-can-secretly-spy/

    Edit: If Charlie Miller says it would require a “lot of work and resources," then it's really tough. As in darn near impossible.
    edited July 2016 iqatedo
  • Reply 10 of 15
    lkrupp said:
    But, but, choice.

    Gatekeeper is annoying.

    I own my computer and I don’t want Apple telling me what I can download.

    I’m a geek so I don’t need protection by Apple.

    Did I miss any?
    1) But, but you do have a choice. Disable Gatekeeper. Done. 2) Gatekeeper is annoying *in your estimation*. 3) You may be a geek (which I believe, judging from your superior tone) but 95+% of Mac users are not. 4) Yes, you forgot something. You forgot to thank Apple for devising a System Preference to keep its non-geek users safe from malware, as well as acknowledging that PCs are rampant with malware and that Macs are not (and then connecting those dots).
    boopthesnoot
  • Reply 11 of 15
    RosynaRosyna Posts: 87member
    iqatedo said:
    Is the green camera in use LED hard configured to light up whenever the camera is in use on all systems, as I believe it has been in hardware previously?
    In order to change the behavior, a malicious app would have to upload new firmware to the camera. That's not really possible from inside the OS anymore and even when it was, it requires root/kernel access.

    This app runs as the local user and never gets access to the privileges needed even on versions of OS X that permitted updating the camera's firmware from inside.
    iqatedopscooter63
  • Reply 12 of 15
    gunner1954gunner1954 Posts: 142member
    iqatedo said:
    Is the green camera in use LED hard configured to light up whenever the camera is in use on all systems, as I believe it has been in hardware previously?
    In 2013, John-Hopkins reported: …the vulnerability … does not work on Macs built after 2008, but it is likely that similar hacks exist for newer machines. 
    Note that 'likely' means that no one has discovered a hack being used against Macs built after 2008, and has not been reported by or to anyone since 2013.
    iqatedo
  • Reply 13 of 15
    mcdavemcdave Posts: 1,927member
    Free apps which aren't posted on the Mac App Store are highly suspicious. The aversion can't be commercial so it has to be technical either illegal frameworks/APIs or malware.
    Rayz2016
  • Reply 14 of 15
    bestkeptsecretbestkeptsecret Posts: 4,265member

    I recently downloaded some trialware on my Mac. The moment I double-clicked on the .dmg, GateKeeper said "uh, uh!" and I moved the .dmg to trash.

    Let OS X do the hard work. Life's too short to worry about malware.

  • Reply 15 of 15
    MarvinMarvin Posts: 15,309moderator
    mcdave said:
    Free apps which aren't posted on the Mac App Store are highly suspicious. The aversion can't be commercial so it has to be technical either illegal frameworks/APIs or malware.
    To go in the App Store or code-sign an app costs $99/year and the store requires complying with Apple's sandboxing. Some free apps make money with the ads displayed on their download page so going in the App Store would mean $99/year loss vs ad-based profit. Apple could have an ad system in their store (maybe it will be part of their search ads) that allows other app publishers to pay for space when people download apps. Apple can share the revenue with the app being downloaded. This would be a way to help smaller developers get more visibility. $5 for 1000 views so 1 million ads costs $5k, an app needs about 20k downloads/day to get into the iOS chart so $100/day can help an app go viral and they can cap the amount so that huge publishers don't saturate the system. There are 30 billion downloads per year, Apple can show 4 apps on each download so 120 billion ads shown, Apple can split the $600m revenue 50/50 with app publishers. A publisher that has 1 million downloads (free or paid) gets 4 impressions x 1 million = 4m x $2.50 / 1000 = $10,000. It's not much but it's better than getting nothing at all. It would be less on the Mac App Store but it would cover the yearly fee.

    The sandbox restrictions can be a problem especially for cross-platform apps as they have to restrict the app to the sandboxed filesystem containers and the developers are also identified with code-signing, some developers wouldn't want that.

    https://bombich.com/kb/ccc4/why-isnt-ccc-on-mac-app-store

    Apple should be locking down sensitive folders like LaunchAgents and LaunchDaemons, this was used by the Mac Defender and Flashback malware too. Legitimate apps hardly ever use this functionality. It looks like they locked down dynamic library overrides with SIP in El Capitan. As soon as apps try to modify anything sensitive, the system should prompt the user about what it's doing. If it's leaving invisible folders around or dumping executables outside the Applications folder, at least let the user know what the app is doing. Apple can also keep an approved list of binaries and settings that are known from trusted publishers or known to be harmless and the system can check against this list regularly and have a system panel that shows warnings about unapproved settings that may be harmful. Having descriptions of processes and configurations would be nice too, Apple sometimes uses abbreviated names for system daemons and it's hard to tell if they are legitimate like secd, pbs, pkd, tccd. System processes approved or developed by Apple should be labelled in Activity Monitor and Get Info panels so it's easy to spot rogue processes.
    edited July 2016
Sign In or Register to comment.