This Mac Malware Can Take Screenshots of Your Computer

Apple has previously touted the fact that Macs are virus-free, and while Apple certainly has good anti-malware software, their machines are far from immune to infections. And with Macs becoming more popular than ever, there’s even more potential malware out there ready to steal your data and ruin your day. The latest example can even take screenshots of what’s on your Mac’s monitor without your knowledge.

Kandji researchers have discovered a threat targeting Mac computers, and it’s not good news. Kandji reveals that this new malware, which they call “Cuckoo”, is a mixture of spyware and infostealer. They found it in applications hosted on the website DumpMedia, which supposedly convert songs from streaming services to MP3.

When the researchers downloaded one of these apps, they noticed that the DMG that lets you install the app on your Mac had different installation instructions than most DMGs: instead of dragging the app into the Applications folder, this DMG instructed users to right-click the application and select Open. Unbeknownst to many users, this action bypasses several security features that serve as the first line of defense for newly installed applications downloaded from the Internet.

Instead of following these suspicious instructions, the researchers selected “Show Package Contents” to see what the app was hiding. While they found a legitimate “DumpMedia Spotify Music Converter” package, they also found a suspicious executable that was not signed with a developer ID. That normally triggers Apple’s Gatekeeper, which blocks the app from opening—which is why the malware’s authors encourage potential victims to unwittingly bypass this protection.

The researchers then tested the software by opening it and found that it immediately began collecting information about the machine and running a long list of processes. Interestingly, the program will not continue running if it detects that the computer is located in Armenia, Belarus, Kazakhstan, Russia or Ukraine. After further steps, it quietly asks for your password with the prompt “macOS requires access to system settings.” As soon as you enter it, the program saves your password. It then checks that the password is correct.

From here, the program asks for permission to access the Finder, downloads, and your microphone, then proceeds to collect information about your Mac’s hardware before deleting files from Safari (including bookmarks, cookies, and history), notes, and Keychain (which contains your passwords). As if that weren’t aggressive enough, the malware then initiates a screenshot function, even muting your speakers every time a screenshot is taken so you don’t hear the sound and have no idea what’s going on.

Meanwhile, the legitimate converter works as advertised, keeping the victim in the dark about all the nefarious processes going on in the background. According to the researchers, DumpMedia is just one site that hosts these malicious applications. Others, such as TuneSolo, FoneDog, TunesFun, and TuneFab, offer similar stream conversion apps as well as Android recovery tools carrying the same malware.

How to protect your Mac from this and other malware

This story serves as a good reminder to be careful when downloading apps directly from the internet onto your devices, be it a Mac, PC, Android, or iOS device (at least in the EU). While many apps distributed online outside of app stores like Google Play or the iOS App Store are legitimate, many aren’t, so it’s important to vet each program before downloading it.

Research the app and see if others have had positive experiences with it and its host site. Speaking of which, it’s safest to download apps from the developer itself: for example, if DumpMedia hosts a third-party app, it’s riskier than if the app developer offers it directly.

Also, never bypass your Mac’s built-in malware protection. You might not know that right-clicking an app and opening it instead of dragging it to your Applications folder bypasses Gatekeeper, but it does. If you’re following the normal process and macOS tells you there’s a problem with an app, trust it. Whenever possible, download your apps from the official Apple App Store, and when not, be extra careful.
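Before opening a converter you downloaded, the checks described above (the quarantine attribute, Gatekeeper’s verdict, and whether every executable inside the bundle carries a Developer ID signature) can be scripted. This is an added example, not code from the article or from Kandji; `triage_app` assumes the macOS tools `xattr`, `spctl` and `codesign`, while the two parsing helpers are plain POSIX sh so they can be exercised on any system with constructed output.

```shell
#!/bin/sh
# Added example: triage a downloaded .app on macOS before opening it.
# triage_app needs Apple's xattr(1), spctl(8) and codesign(1); the two
# helpers only parse their output and run anywhere.

# Read codesign -dvvv output on stdin; succeed only if the signing chain
# includes a "Developer ID Application" certificate issued by Apple.
has_developer_id() {
  grep -q '^Authority=Developer ID Application:'
}

# Read spctl --assess --verbose output on stdin; succeed only if Gatekeeper
# would let the bundle run (it prints "<path>: accepted" or "<path>: rejected").
gatekeeper_accepted() {
  grep -q ': accepted$'
}

# Assess one bundle the way Gatekeeper would, then check every executable
# inside it, since Cuckoo hid an unsigned binary next to a legitimate one.
triage_app() {
  app="$1"
  echo "== quarantine attribute (set by the browser that downloaded it) =="
  xattr -p com.apple.quarantine "$app" 2>/dev/null \
    || echo "(none: not quarantined, so Gatekeeper will not assess it)"

  echo "== Gatekeeper verdict =="
  if spctl --assess --type execute --verbose "$app" 2>&1 | gatekeeper_accepted; then
    echo "accepted"
  else
    echo "REJECTED: do not work around this with right-click > Open"
  fi

  echo "== signing identity of each executable in the bundle =="
  find "$app/Contents/MacOS" -type f -perm -u+x | while read -r exe; do
    if codesign -dvvv "$exe" 2>&1 | has_developer_id; then
      echo "ok         $exe"
    else
      echo "NO DEV ID  $exe"
    fi
  done
}
```

Run it as `triage_app /path/to/Downloaded.app`; any "REJECTED" or "NO DEV ID" line is the signal the article describes, and the right response is to delete the bundle rather than open it.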
