Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Mac Malware Can Abuse Legitimate Apps to Spy on Users

OS X Malware Can Silently Record Video by Piggybacking on Webcam Streams

Mac malware could silently spy on users by piggybacking on webcam sessions initiated by legitimate applications such as FaceTime, Skype and Google Hangouts, a researcher has warned.

OS X Malware Can Silently Record Video by Piggybacking on Webcam Streams

Mac malware could silently spy on users by piggybacking on webcam sessions initiated by legitimate applications such as FaceTime, Skype and Google Hangouts, a researcher has warned.

There are several OS X malware families capable of recording sound and video, including Crisis, Eleanor and Mokes (DropboxCache). However, if such threats attempt to record video via the built-in webcam, the victim is alerted by the camera’s LED.

Researchers demonstrated in 2013 that the interlock between the camera and the indicator LED can be bypassed without admin privileges or physical access on some older iMacs and MacBooks (e.g. from 2008), but similar attacks have not been demonstrated in more recent years and they are believed to be very difficult to carry out.

Patrick Wardle, director of research at Synack, pointed out that while OS X malware can have trouble recording video through the webcam without alerting the victim, threats could piggyback on legitimate applications to silently spy on users.

When an application such as FaceTime or Skype enables the built-in webcam, users expect the LED indicator to be on. A piece of malware that can monitor the infected system for legitimate user-initiated video sessions can surreptitiously piggyback on this session and secretly record the victim.

Wardle has developed proof-of-concept (PoC) malware that can detect the installed camera and monitor its status in an effort to determine when a video session is initiated and when it ends. If it detects a session, the malware begins recording audio and video data, and it stops when the process that started the session exits.

Advertisement. Scroll to continue reading.

It’s worth noting that the malware does not actually need to inject code into the targeted process. Instead, it uses the existing session and the enabled LED indicator to record data from the webcam without being detected.

There are several advantages to this type of malware, including that it does not require root privileges (i.e. the attack can be performed by any non-sandboxed code or app), and it leverages legitimate features of the operating system, which makes it more difficult to prevent.

Wardle told SecurityWeek that he is not aware of any OS X malware family that has been leveraging this technique in the wild, but he believes such threats would not be difficult to create.

The researcher said he had an informal chat with Apple regarding the attack method, but it’s unlikely that the company will attempt to address the issue anytime soon.

“I’ll be the first to caveat it’s not a vulnerability, nor exploit,” Wardle said via email. “Sure, I’d like to know whenever somebody uses the webcam or mic (especially if a session is already active) – would be nice if the OS told you that. But from a usability point of view, it makes sense that the webcam is a shared resource (like you can FaceTime and take images with PhotoBooth at the same time). I doubt Apple will do anything about this – and honestly I’m not sure they should.”

Concerned users can install a new tool developed by Wardle specifically for these types of attacks. The application, named OverSight, runs in the background and monitors the computer’s microphone and webcam via user-mode APIs, alerting the user when these components become active.

In the case of the microphone, OverSight only notifies the user that it has become active, but webcam notifications include the name of the process that wants to access the camera and allows users to permit or block the action.

OverSight Tool

This is not the first OS X security tool developed by Wardle. Earlier this year, he released RansomWhere?, an application designed to generically detect ransomware attacks by continually monitoring the system for the creation of encrypted files by suspicious processes.

Related: Little Snitch Flaw Exposed Mac Systems to Attacks

Related: Apple’s Gatekeeper Bypassed Again

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...