New Mac malware in the wild: ‘Backdoor.MAC.Elanor’ can control FaceTime camera, steal data, more

“After the first ever example of Mac ransomware was found in the wild earlier this year, Bitdefender Labs has found what it tells us is only the second example of true Mac malware to enter circulation this year, which it has dubbed Backdoor.MAC.Elanor,” Ben Lovejoy reports for 9to5Mac.

“The app is available on a number of (formerly?) reputable download sites such as MacUpdate,” Lovejoy reports. “‘The backdoor is embedded into a fake file converter application that is accessible online on reputable sites offering Mac applications and software. The EasyDoc Converter.app poses as a drag-and-drop file converter, but has no real functionality – it simply downloads a malicious script. This is a nasty backdoor that can steal data, execute remote code and access the webcam, among other things…'”

Read more in the full article here.

MacDailyNews Take: Let’s be careful out there.

Once again: We’ve been taping our Mac cameras for several years. Call us paranoid, but first see the related articles below — or the one above! That’s why we use camJAMR iSight camera covers on our iMacs and MacBook Airs. They’re black, so they work perfectly with our iMacs and they’re removable/reusable. We’ve stuck and unstuck them hundreds of times. We just leave them on and peel them aside when we want to use the iSight camera. Plus they’re only $15.

SEE ALSO:
Mark Zuckerberg covers his MacBook’s camera and microphone with tape – June 22, 2016
How to disable the iSight camera on your Mac – February 19, 2015
Orwellian: UK government, with aid from US NSA, intercepted webcam images from millions of users – February 27, 2014
Sextortion warning: It’s masking tape time for webcams – June 28, 2013
Research shows how Mac webcams can spy on their users without warning light – December 18, 2013
Ex-official: FBI can secretly activate an individual’s webcam without indicator light – December 9, 2013
Lower Merion report: MacBook webcams snapped 56,000 clandestine images of high schoolers – April 20, 2010

17 Comments

  1. I assume that the user has to authenticate to actually install this stuff, and its unfortunate that MacUpdate and perhaps other software archives get sucked into posting these apps without any verification of whether it does what it says it does or that its not doing something potentially malicious

    1. Unfortunately MacUpdate has gone downhill fast (haven’t they been taken over?). I nearly spit my coffee on the keyboard when I downloaded an app a few months ago (Skype) and MacUpdate had embedded it in its own installer that offered to install “the premium Mac cleanup utility” for free for me. Yup. MacKeeper, a known malware.

      Lots of complaints on the site which were deleted, and they still try to install crapware. I just use it to see what is new, but no longer download from them.

      1. Regarding MacUpdate:

        – It was not taken over.
        – If you don’t log into their website, you’ll commonly find your downloads have an adware installation wrapper called ‘MacUpdate Installer’. I avoid using this installer entirely. You’re on your own if you use it. Be careful.
        – The website has become somewhat lazy about keeping up-to-date. But it remains the single best site for Mac software updates and user reviews. It’s sad that they’ve decided to subject non-logged in users to their adware installer. It’s all about marketing and making money. Let’s hope it doesn’t get worse.

        1. “Nevertheless, MacUpdate has experienced a more than 50% rise in its Alexa Traffic rating [1] since its new partnership with Adroll, a global cross-site, cross-platform retargeting advertisement company”

  2. Apple could probably easily add a shutter or somehow disable the camera and mic pickups unless failsafe authorized by the user to be used. The video and audio streams likewise could be encrypted only for local use.

    Leave something open on a system and some lonely social misfit moron somewhere will try to figure out a way to access it.

    1. It would be very simple to design it to be impossible to turn on the camera without also powering the led light. That’s requires very simple circuitry. The fact that Apple does not design it their webcam lights this way is really unsavory. Apple’s design has a separate microchip controlling the light independently of the powering the camera – that chip seems to serve no purpose other than making it possible to disable the camera indicator light through software.

  3. I don’t see it mentioned if the camera light comes on. For quite a while now, the hardware link to the camera light has been considered unhackable without physical access.

    Also, I think for camera and microphone macOS should offer a security question like iOS: “EasyDoc Converter wants to access your camera. Is that ok?”

        1. It’s a matter of code as to whether the light is on. There was proof a long while back that it’s possible to turn on the camera and NOT the light. I can dig around for documentation if you’re interested.

  4. I’m naked all the time in front of my Mac. I’m also fat and disgusting so I’m sure these creeps will block me once they get a full view. View me. As a punishment, my glorious disgusting mug and body will probably rehabilitate these creeps into going straight. lol

  5. Use a headless Mac and a monitor without a webcam, if you are paranoid enough.

    BTW- wouldn’t apps like Little Snitch pick up the malware trying to communicate by other means than approved?

  6. The name of the malware is spelled: Eleanor
    Or formally OSX.Trojan.Eleanor.A

    I wrote up a quick summary over at:
    http://mac-security.blogspot.com/2016/07/beware-new-mac-malware.html

    As long as you have Apple’s Gateway setup properly in your System Preferences and you don’t override its advice, you should be fine. Keep in mind that such malware can have ANY name, not just “EasyDoc Converter.app”. Therefore, until Apple protects against Eleanor via its XProtect system, don’t open any questionable files downloaded from the Internet. I’ll post a reply under this post and at my security blog when I’ve heard that XProtect has been updated.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.