Security Experts:

Mac Malware Can Abuse Legitimate Apps to Spy on Users

OS X Malware Can Silently Record Video by Piggybacking on Webcam Streams

Mac malware could silently spy on users by piggybacking on webcam sessions initiated by legitimate applications such as FaceTime, Skype and Google Hangouts, a researcher has warned.

There are several OS X malware families capable of recording sound and video, including Crisis, Eleanor and Mokes (DropboxCache). However, if such threats attempt to record video via the built-in webcam, the victim is alerted by the camera’s LED.

Researchers demonstrated in 2013 that the interlock between the camera and the indicator LED can be bypassed without admin privileges or physical access on some older iMacs and MacBooks (e.g. from 2008), but similar attacks have not been demonstrated in more recent years and they are believed to be very difficult to carry out.

Patrick Wardle, director of research at Synack, pointed out that while OS X malware can have trouble recording video through the webcam without alerting the victim, threats could piggyback on legitimate applications to silently spy on users.

When an application such as FaceTime or Skype enables the built-in webcam, users expect the LED indicator to be on. A piece of malware that can monitor the infected system for legitimate user-initiated video sessions can surreptitiously piggyback on this session and secretly record the victim.

Wardle has developed proof-of-concept (PoC) malware that can detect the installed camera and monitor its status in an effort to determine when a video session is initiated and when it ends. If it detects a session, the malware begins recording audio and video data, and it stops when the process that started the session exits.

It’s worth noting that the malware does not actually need to inject code into the targeted process. Instead, it uses the existing session and the enabled LED indicator to record data from the webcam without being detected.

There are several advantages to this type of malware, including that it does not require root privileges (i.e. the attack can be performed by any non-sandboxed code or app), and it leverages legitimate features of the operating system, which makes it more difficult to prevent.

Wardle told SecurityWeek that he is not aware of any OS X malware family that has been leveraging this technique in the wild, but he believes such threats would not be difficult to create.

The researcher said he had an informal chat with Apple regarding the attack method, but it’s unlikely that the company will attempt to address the issue anytime soon.

“I’ll be the first to caveat it’s not a vulnerability, nor exploit,” Wardle said via email. “Sure, I’d like to know whenever somebody uses the webcam or mic (especially if a session is already active) - would be nice if the OS told you that. But from a usability point of view, it makes sense that the webcam is a shared resource (like you can FaceTime and take images with PhotoBooth at the same time). I doubt Apple will do anything about this - and honestly I’m not sure they should.”

Concerned users can install a new tool developed by Wardle specifically for these types of attacks. The application, named OverSight, runs in the background and monitors the computer’s microphone and webcam via user-mode APIs, alerting the user when these components become active.

In the case of the microphone, OverSight only notifies the user that it has become active, but webcam notifications include the name of the process that wants to access the camera and allows users to permit or block the action.

OverSight Tool

This is not the first OS X security tool developed by Wardle. Earlier this year, he released RansomWhere?, an application designed to generically detect ransomware attacks by continually monitoring the system for the creation of encrypted files by suspicious processes.

Related: Little Snitch Flaw Exposed Mac Systems to Attacks

Related: Apple's Gatekeeper Bypassed Again

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.