Developer-signed Mac spyware found on Angolan activist's computer
Previously unknown Mac OS X spyware, signed with a valid Apple Developer ID, has turned up on the laptop of an activist from Angola at a human rights conference in Norway.
Security researcher and privacy activist Jacob Appelbaum found the spyware on the activist’s Mac at the Oslo Freedom Forum earlier this week.
The activist’s computer was compromised as a result of a spear phishing attack, Appelbaum said Thursday on Twitter. The researcher claims that he has copies of the attack emails and two different malware samples.
Security researchers from Finnish antivirus firm F-Secure analyzed one of the malware samples and concluded that it is a previously unknown Mac backdoor program which appears to be signed with a valid Apple Developer ID.
Apple’s Developer ID program allows developers to sign their Mac applications with trusted digital certificates issued by Apple so they don’t get flagged as malware by the Gatekeeper feature in Mac OS X Mountain Lion.
“Signing your applications, plug-ins, and installer packages with a Developer ID certificate lets Gatekeeper verify that they are not known malware and have not been tampered with,” Apple says on its developer website. In theory, that should also allow Apple to specifically revoke the certificate for this app, preventing it from running.
The malware, which F-Secure now detects as OSX/KitM.A, takes screen shots without authorization and saves them in a folder for later uploading to remote servers. The malware contacts two command-and-control domains hosted on servers in the Netherlands, according to F-Secure’s analysis.
Antivirus firm Symantec has also added detection routines for the new threat, which it calls OSX.Kitmos. In addition to taking screen shots, this Trojan program can download and install other malware and steal information, the company said in a technical document on its website.
The malware can execute commands on behalf of attackers, can upload files from the compromised computer and can manipulate the network activity indicator in order to hide its presence, Symantec said.
Answering a question on Twitter on whether he plans to make copies of the spear phishing emails public, Applebaum said that he’s likely to write a blog post about it, but after first talking with the victim about some of the details since their life might be in danger.