Slashdot Mirror


Mysterious Mac Malware Has Infected Hundreds of Victims For Years (vice.com)

An anonymous reader shares a report: A mysterious piece of malware has been infecting hundreds of Mac computers for years -- and no one noticed until a few months ago. The malware is called "FruitFly," and one of its variants, "FruitFly 2" has infected at least 400 victims over the years. FruitFly 2 is intriguing and mysterious: its goals, who's behind it, and how it infects victims, are all unknown. Earlier this year, an ex-NSA hacker started looking into a piece of malware he described to me as "unique" and "intriguing." It was a slightly different strain of a malware discovered on four computers earlier this year by security firm Malwarebytes, known as "FruitFly." This first strain had researchers scratching their heads. On the surface, the malware seemed "simplistic." It was programmed mainly to surreptitiously monitor victims through their webcams, capture their screens, and log keystrokes. But, strangely, it went undetected since at least 2015. There was no indication of who could be behind it, and it contained "ancient" functions and "rudimentary" remote control capabilities, Malwarebytes's Thomas Reed wrote at the time.


  1. 400 over 10 years? by Anonymous Coward · · Score: 5, Insightful

    More Window$ PCs were infected by malware while reading this post.

  2. Re:Fruitfly by alex67500 · · Score: 3, Funny

    Or because fruit flies like an apple?

  3. Re:Guess by DontBeAMoran · · Score: 2

    Is it really a self-installing virus, or user-installed malware?

    --
    #DeleteFacebook
  4. Best bet, but nothing is secure by 605dave · · Score: 4, Interesting

    I think Mac users stopped saying the Mac was immune about 10 years ago. My take on it is that out of the two major desktop options, Windows and Mac, the Mac is the safer bet. As is iOS over Android.

    Linux isn't an option for me or most users on the desktop. Too complicated for average users, and for those who rely on creative apps no real options. (Please don't tell me about open source alternatives to Photoshop, ProTools etc., they aren't as good.) Apple products are not bulletproof, but I still believe for the average user and creative types they are the best option security-wise.

    --
    Be kind, for everyone you meet is fighting a difficult battle. - Plato
    1. Re:Best bet, but nothing is secure by Anubis+IV · · Score: 4, Informative

      Since when were Pro Tools and Photoshop Apple products?

      He never suggested they were. He merely said that there were "no real options" for alternatives to those apps on Linux, a claim to which you provided no counterexamples. Then again, suggesting there are "no real options" sounds like a setup for a No True Scotsman fallacy, so I'm not sure that you would have been able to suggest anything to his satisfaction anyway.

    2. Re:Best bet, but nothing is secure by chmod+a+x+mojo · · Score: 2

      Check out "darktable", it's a lightroom clone.

      I poked at it a bit in one of my VMs, and it seems to work pretty decent... the only real complaints I had were the sliders being harder to grab, the mouse grab area on each slider seems to be much smaller and more finicky than lightroom. I haven't tried importing, but if your camera is supported for USB transfer I would think it should be able to be poked enough to work.

      --
      To err is human; effective mayhem requires the root password!
    3. Re:Best bet, but nothing is secure by Darundal · · Score: 2

      While you are in Finder, enter in command + shift + period. Suddenly you can see all the hidden files and folders. Although it is predictably Apple that there wouldn't be an option or a checkbox for letting you view hidden files and folders.

  5. Stalker Malware? by mykepredko · · Score: 4, Interesting

    With the very low number of infections and the monitoring of the user through like the webcam, I would think this is a case where looking at the owners of the infected Macs would yield a lot more information about the author and its purpose.

    I wouldn't be surprised if this was on the Macs of individuals who have had issues with stalkers in the past.

    1. Re:Stalker Malware? by swb · · Score: 2

      I think the researcher should have at minimum done some kind of geomapping of the IPs responding to his C&C domain to see if there was a geographic pattern to the infections.

      This kind of sounds like the work of a skilled amateur who didn't intend for this to spread much, like they were targeting a narrow group or place, maybe even one person and it just happened to spread but was limited by only spreading through USB drives or something.

      For all we know, it could have just been a proof of concept somebody wrote and then forgot about.

  6. Where's the "Mal"? by methano · · Score: 2

    If it's MALware, doesn't it have to do something MALicious? I can't see what this stuff does that is bad. It just sits around watching what you do and doesn't bother you. Nobody even noticed it for years. I think it should be called PALware, like some guy who comes over and sits in your garage and watches while you work on your car. A real PAL. And it doesn't even drink your beer.

    1. Re:Where's the "Mal"? by avgjoe62 · · Score: 2

      No, no, no, Mal DOES come over and sit in your garage (well, technically a hangar) and drink your beer. You see, they actually, they got the name of THIS code wrong. This is not Fruitfly, it's actually Firefly and that's why it's Malware...

      --
      How come Slashdot never gets Slashdotted?

  7. Re:Guess by MikeMo · · Score: 2

    Apparently, according to TFA, no one knows how the infection occurs.

  8. Re:Fruitfly by sh00z · · Score: 2

    I thought the punch line was "fruit flies like a banana."

  9. Re:Guess by Ol+Olsoc · · Score: 3, Insightful

    There were some claims in the past made by many people, that Macs don't get computer viruses.

    That's true. It is also completely wrong. Some people claim many things, and some people extrapolate that to many and even everyone. That is also completely wrong.

    What the Mac is, is more resistant to viruses and malware than say - Windows.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  10. Re:Guess by Ungrounded+Lightning · · Score: 2

    There were some claims in the past made by many people, that Macs don't get computer viruses.

    Which is particularly funny since I was handed decompiled code to a Mac virus (actually a sneakernet worm) back in the original Mac days. (I don't recall if it was before there WERE IBM PCs, let alone clones, or if it was just before PC malware was known.)

    For many years, practically the beginning of their deployment, there were worms, viruses, etc. on both. But those for Mac tended to be (relatively) harmless pranks - an animated bug crawling up the screen, animated trains (with sound effects) running across the menu bar and around the room on the apple-talk networked boxen, "bomb" boxes that dodged the mouse when you tried to dismiss them - while those for PCs tended to be damaging to data.

    Macs were easy. In order to simplify the user experience the OS looked for (and ran if found) new drivers whenever you inserted a plastic-case floppy. What could POSSIBLY go wrong with that? B-b

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  11. Abandonware or an escaped experiment? by Ungrounded+Lightning · · Score: 3, Interesting

    With a long history, a very small number of infected machines, and no active exploitation, I'd guess it's something someone was playing with that he's abandoned long ago or which "escaped from the lab" but didn't get far.

    One of the hazards of self-propagating code is that it does so on its own. So if, while under development, it finds a net connection to a set of vulnerable machines, it's out and spreading. Like before the command-and-control is debugged and/or the payload is ready to do its dirty work. (Thus it may be much nastier than the author(s) intended.)

    If it's GOOD at spreading it quickly saturates the vulnerable population and comes to the attention of users and security experts. If it's BAD at spreading its escape might not be noticed by the author at all - or by anyone else for years, if at all.

    400 machines and a decade before it's noticed seems about right.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  12. Re:Guess by Chas · · Score: 2

    No. What the Mac is, is more resistant to WINDOWS-based viruses and WINDOWS-based malware.

    By its nature, its vulnerability to viruses and malware differs from that of Windows. It is NOT, as some dummies would claim, "immune".

    --
    Chas - The one, the only.
    THANK GOD!!!
  13. Re:Guess by Ol+Olsoc · · Score: 2

    No. What the Mac is, is more resistant to WINDOWS-based viruses and WINDOWS-based malware.

    By its nature, its vulnerability to viruses and malware differs from that of Windows. It is NOT, as some dummies would claim, "immune".

    Umm, I know you'd like to rage, but while you disagree with me, that's exactly what I said. They aren't immune.

    But Windows machines are inherently more vulnerable overall.

    I do know I've never cleaned up a virus infected Mac, and most of them run bareback. Windows machines? Many. Now turn off your firewall and Windows defender, please, and let me know how it works out for ya.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.