Newly discovered Mac/Linux malware ‘Fruitfly’ watches your every move

“A Mac malware that’s been spying on biomedical research centers may have been circulating undetected for years, according to new research,” Michael Kan reports for IDG News Service.

“Antivirus vendor Malwarebytes uncovered the malicious code, after an IT administrator spotted unusual network traffic coming from an infected Mac,” Kan reports. “The malware, which Apple calls Fruitfly, is designed to take screen captures, access the Mac’s webcam, and simulate mouse clicks and key presses, allowing for remote control by a hacker, Malwarebytes said in a blog post on Wednesday.”

“Malwarebytes found evidence suggesting that Fruitfly has been infecting Macs undetected for at least few years. For instance, a change made to the malicious coding was done to address OS X Yosemite, which was launched in Oct. 2014,” Kan reports. “Reed said this malware has remained undetected probably because it’s been used ‘in very tightly targeted attacks, limiting its exposure.’ Apple has already released an update that protects Macs from Fruitfly infections.”

Read more in the full article here.

“The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I’ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers,” Thomas Reed explains for Malwarebytes. “The malware was extremely simplistic on the surface, consisting of only two files.”

SHA256: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044

SHA256: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3

“These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,” Reed writes. “In addition, the binary also includes the open source libjpeg code, which was last updated in 1998… There is a comment in the code in the macsvc file that indicates that a change was made for Yosemite (Mac OS X 10.10), which was released in October of 2014. This suggests that the malware has been around at least some time prior to Yosemite’s release.”

Read more in the full article here.

MacDailyNews Take: Yet another example of why we’ve been taping our Macs’ iSight cameras for years!

How to get an alert in macOS when an app accesses the webcam or microphone – October 7, 2016
Former NSA staffer demonstrates Mac malware that can tap into live webcam and mic feeds – October 6, 2016
Mark Zuckerberg covers his MacBook’s camera and microphone with tape – June 22, 2016
How to disable the iSight camera on your Mac – February 19, 2015
Orwellian: UK government, with aid from US NSA, intercepted webcam images from millions of users – February 27, 2014
Sextortion warning: It’s masking tape time for webcams – June 28, 2013
Research shows how Mac webcams can spy on their users without warning light – December 18, 2013
Ex-official: FBI can secretly activate an individual’s webcam without indicator light – December 9, 2013
Lower Merion report: MacBook webcams snapped 56,000 clandestine images of high schoolers – April 20, 2010


  1. PC webcam hijacking stories started 15 years ago or more. My recollection at the time was that the LED indicators for an active camera were software controlled on many Windows PCs. As a result, malware could turn off the indicator light while spying. In contrast, cameras built into Macs used an LED indicator hardwired into the power circuit for the camera. Therefore, if the camera is on, the LED light is on.

    That is my recollection – does anyone have any information to support or refute it? Are current Macs designed in the same manner?

    1. I am very surprised that MDN, with it’s usual ‘Macs are safe’ views (with which I agree) continues to promote the taping of cameras without investigating and coming up with definitive answers. The idea you need to tape the camera flies in the face of so much MDN otherwise promotes, yet they seem to dive right in on the idea with gusto. Very odd.

      I don’t know the answer, but like many assumed it was hard wired.

      There is a discussion (link below) where someone claimed the inability of the apps Prey and Undercover (if true) to do this strongly suggests it cannot be done.

    2. So, you’re OK if they only take very brief snapshots, where you might not notice a quick locker of the green activity light?

      Think about it – if they take a quick snapshot, you probably won’t notice the green light flick on-and-off.

  2. Perhaps I am mistaken, but it was my understanding Apple has already patched for this. And since it had an 85% adoption rate, this is already a dead-issue – those who don’t remain current have noone but themselves to blame.

    I dislike articles (and those who write them) that sensationalize non-events at Apple’s expense. And unless I am wrong, this smacks of precisely that. We should all know by now that any “horrific” malware scenario propagated by someone who makes a living selling anti-malware software is not merely biased, but purposely misleading.

  3. This smacks of government spying or corporate espionage. Given the description, us regular folks have little to fear, but if you work in bio-med, it’s a good idea to check for unusual files, especially .anythng. But maybe .client is something nobody would technically notice, if it’s a throwback from 80’s UNIX.

    Very interesting. Rest assured now that Apple has blocked it, expect it to be updated and show up elsewhere. Stay vigilant.

    1. In other news, Henny say’s the sky is falling. Film at 11

      Let’s review what little facts there are. One Mac was found with this issue, not all at this site, certainly not every bio med research center. Since it didn’t reproduce, it was likely physically inserted into the machine. Given the poorly written code, some tech was testing out his programming skills, certainly no government takeover.

      Click bait

    2. Which government(s)?

      Why do you not suspect corporate espionage?

      Why do we continue to assume Apple is on top of this stuff? MacOS has required as many security patches the last 5 years as any other platform.

    3. A dot file is typically treated as hidden in most *nix OSs. This malware was installed at the root of the user space ~/ with a launch agent at ~/Library/LaunchAgents. It is not uncommon to see malware on macOS take this form. Installing into the user space does not require privilege escalation, nor any vulnerability exploit. Frequently you will see fake flash installers or fake video codecs used to trick users on macOS to install garbage into ~/, usually internet plugins to generate ad revenue. The entire system is not compromised, and the bad actor doesn’t have access to anything in other user spaces, or that requires privilege escalation. Locking this down any further would be an undue burden to to the average user. While the installation vector is unknown it is very likely a specific person, or group of people were targeted with well crafted social engineering to install something and the user themselves inadvertently had a hand in the installation.

      It existed and was functionally able to do whatever a user could do, and limited in that nature as well. The mundaneness of it’s design is not the interesting part, what is interesting is what it was doing, basically taking screenshots and other recording of user activity of the user it was installed in, then exfiltrating that data to an external location, for years. The addresses data was being sent to are known to be of some concern It was designed to log user activity and keep quiet, in deference to much malicious software that is more “loud”. This wasn’t the standard unwanted ad plugin dropped in ~/Library/Internet-Plugins.

      It was only noticed when the malicious script downloaded an additional tool (afpscan) and attempted to make a clumsy scan for AFP shares. It’s believed this was part of a mechanism to try to spread, but appears to have been unsuccessful.

      Biology and medical research organizations tend to have a high percentage of *nix and macOS users, the cross-platform nature of the perl script indicates, again, that it was targeting this industry.

      During normal operation the light is supposed to come up on the built in webcam, there are ways around that, this malware attempted to make calls of that nature.

  4. Taping the camera over for years is one thing. But everyone is still posting their private pictures on favebook and instagram. Kind of beats the point of taping over the camera. Most of the time.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.