Mysterious Mac malware ‘FruitFly’ has infected hundreds of victims for years

“A mysterious piece of malware has been infecting hundreds of Mac computers for years — and no one noticed until a few months ago,” Lorenzo Franceschi-Bicchierai reports for Motherboard. “Earlier this year, an ex-NSA hacker started looking into a piece of malware he described to me as ‘unique’ and ‘intriguing.’ It was a slightly different strain of a malware discovered on four computers earlier this year by security firm Malwarebytes, known as ‘FruitFly.'”

“On the surface, the malware seemed “simplistic.” It was programmed mainly to surreptitiously monitor victims through their webcams, capture their screens, and log keystrokes. But, strangely, it went undetected since at least 2015. There was no indication of who could be behind it, and it contained ‘ancient’ functions and ‘rudimentary’ remote control capabilities, Malwarebytes’s Thomas Reed wrote at the time,” Franceschi-Bicchierai reports. “The second version of FruitFly is even more puzzling, according to Patrick Wardle, the former spy agency hacker who now develops free security tools for Apple computers and researches Mac security for the firm Synack. Wardle told Motherboard in a phone call that when he first discovered FruitFly 2, no anti-virus software detected it. More surprisingly, it looks like it has been lurking around for five or 10 years and infected several hundred users.”

Franceschi-Bicchierai reports, “FruitFly and FruitFly 2 are also mysterious: Neither Reed nor Wardle know its mechanism of infection — whether it takes advantage of a flaw in MacOS’s code, is installed via social engineering, or some other way.”

Read more in the full article here.

MacDailyNews Take: If we had to bet, we’d bet on social engineering.

Thomas Reed reports for MalwareBytes that Apple “has released an update that will be automatically downloaded behind the scenes to protect against future infections.”

“Ironically, despite the age and sophistication of this malware, it uses the same old unsophisticated technique for persistence that so many other pieces of Mac malware do: a hidden file and a launch agent,” Reed reports. “This makes it easy to spot, given any reason to look at the infected machine closely (such as unusual network traffic). It also makes it easy to detect and easy to remove.”

“The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure. There have been a number of stories over the past few years about Chinese and Russian hackers targeting and stealing US and European scientific research,” Reed reports. “Although there is no evidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.”

Read more in the full article here.


  1. Humph. I just posted a detailed comment describing tools useful for blocking the Fruitfly/Quimitchin malware on Macs. But incomprehensibly it was marked: “Your comment is awaiting moderation” which means it was sent into a black hole. Just note that I tried! I’ll be posting the same information over at my Mac-Security blog by tomorrow.

    Q: Is this a WordPress problem? Is it because I know HTML and used bolding code 7 times? Typically, when this happens it’s because I used more than two html links. But this time I used no html links. ∑ = annoying, especially when attempting to help people. /Humph.

    1. The bare tool list with no added html or explanation:

      • Little Snitch from Objective Development.
      • NetBarrier from Intego.
      • OverSight from Objective-See (aka Patrick Wardle).
      • Micro Snitch from Objective Development.

    2. No, there isn’t yet a write-up about Fruitfly/Quimitchin.B by Patrick Wardle because he’s giving presentations about it at BlackHat this week and DEF CON next week. Check out Patrick Wardle on Twitter here:

      stoked to present FruitFly.B at @BlackHatEvents & @defcon. Mahalo @thomasareed (analysis of variant .A) & @noarfromspace for sharing hash 🙏🙏

    3. I suspect with the very limited distribution of the malware over a long period of time that the most likely means of promulgation is physical access to the targeted Mac. If it were phishing or a Trojan, it would have been discovered long ago. This smacks of something someone is physically installing on the targeted computers when they have access at the keyboard.

  2. When setting up your site, you might want to exclusively pick out elements that will favorably impact the goals of the website. One component of an internet site exactly where this is also true is images.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.