It is almost a year since the mysterious FruitFly malware for macOS was discovered. Malware targeting macOS is still uncommon enough to be newsworthy, but FruitFly seemed particularly interesting: its spying capabilities, combined with the fact that it had managed to stay under the radar for many years, led many to postulate that it was some kind of creepy nation-state malware.
Now, following the recent arrest of the suspected author of FruitFly, we can be fairly certain that it wasn’t a nation state that developed FruitFly – but creepy it certainly was.
The 28-year-old Ohio resident under arrest is believed to have used the malware – which could, among many other things, record audio and video – to spy on a large number of victims. What exactly was the purpose of these activities isn’t clear from the indictment, but it is telling that the author was sent an alert whenever an infected user ‘typed certain words associated with pornography’.
The defendant is also accused of having produced child sexual abuse material, though it is unclear whether these charges are related to the malware.
Though the vast majority of malware seen in the wild has a purely financial motive and thus goes after your Bitcoin wallet and your PayPal password rather than your private photos, there are some notable exceptions. A VB2017 presentation by Joseph Cox looked at the threat of consumer spyware used by stalking (ex-)partners; FruitFly demonstrates that complete strangers are also using malware for very creepy purposes.
Patrick Wardle describes FruitFly at VB2017.
Another VB2017 paper, by Synack’s Patrick Wardle, presented a detailed technical analysis of one particular FruitFly variant, by analysing it through a custom C&C server. The paper is available to read online and the video of Patrick’s presentation is available on our YouTube channel.