New Mac spyware found on Angolan activist's computer

The malware is digitally signed with a valid Apple Developer ID, security researchers say

Previously unknown Mac OS X spyware, signed with a valid Apple Developer ID, has turned up on the laptop of an activist from Angola at a human rights conference in Norway.

Security researcher and privacy activist Jacob Appelbaum found the spyware on the activist's Mac at the Oslo Freedom Forum earlier this week.

The activist's computer was compromised as a result of a spear phishing attack, Appelbaum said Thursday on Twitter. The researcher claims that he has copies of the attack emails and two different malware samples.

Security researchers from Finnish antivirus firm F-Secure analyzed one of the malware samples and concluded that it is a previously unknown Mac backdoor program which appears to be signed with a valid Apple Developer ID.

Apple's Developer ID program allows developers to sign their Mac applications with trusted digital certificates issued by Apple so they don't get flagged as malware by the Gatekeeper feature in Mac OS X Mountain Lion.

"Signing your applications, plug-ins, and installer packages with a Developer ID certificate lets Gatekeeper verify that they are not known malware and have not been tampered with," Apple says on its developer website.

The malware, which F-Secure now detects as OSX/KitM.A, takes screen shots without authorization and saves them in a folder for later uploading to remote servers. The malware contacts two command-and-control domains hosted on servers in the Netherlands, according to F-Secure's analysis.

Antivirus firm Symantec has also added detection routines for the new threat, which it calls OSX.Kitmos. In addition to taking screen shots, this Trojan program can download and install other malware and steal information, the company said in a technical document on its website.

The malware can execute commands on behalf of attackers, can upload files from the compromised computer and can manipulate the network activity indicator in order to hide its presence, Symantec said.

Answering a question on Twitter on whether he plans to make copies of the spear phishing emails public, Applebaum said that he's likely to write a blog post about it, but after first talking with the victim about some of the details since their life might be in danger.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Topics: Apple, symantec, Mac OS, security, software, f-secure, operating systems, spyware, malware
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?