What is Fruitfly? The near-undetectable Mac malware explained

What is Fruitfly? We take a closer look at the recently-uncovered Fruitfly malware and what it means for Mac users.

This year brought the revelation that a particularly insidious form of Mac malware has been operating on machines undetected for some time.

Dubbed Fruitfly, the malware gives hackers the ability to remotely control Mac computers, and now, new details about the malware and its new variants have come to light.

So, what do you need to know about Fruitfly? How can you protect yourself? Here’s all you need to know.

What is Fruitfly – Discovery

The malware was first discovered back in January 2017, with a blog post from anti-malware provider Malwarebytes highlighting its existence.

The post explained how Fruitfly infects Mac computers and is able to capture screenshots, control webcams, and even connect to other devices on the same network as the Mac. The malware also allows for access to computer’s files, giving hackers full control over the machines.

Related: Best Free Antivirus

At the time, it was suspected that the malware had been around since OS X Yosemite, which launched back in October 2014.

As the blog post explains: “This led to the discovery of a piece of malware unlike anything I’ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers.”

This first version of the malware was said to be relatively unsophisticated, using just a hidden file and a launch agent to keep Macs infected.

What is Fruitfly – New variants emerge

Since January, when Apple patched the issue, new variants of Fruitfly have emerged and appear to have infected a wider number of computers. The malware has remained undetected by antivirus software and macOS throughout, making it a particularly insidious infection.

In July this year, former NSA hacker and chief security researcher at ‎Synack, Patrick Wardle, spoke to ZDNet about his in-depth analysis of the latest variant of Fruitfly malware.

Related: Best VPN

Wardle told ZDNet: “The most interesting feature is that the malware can send an alert when the user is active. I haven’t seen that before.” That means hackers are able to stop what they’re doing immediately when a user becomes active, increasing their chances of remaining undetected.

Despite its relative simplicity, the malware is full featured, even allowing hackers to send screenshots of the Mac display to themselves at varying levels of quality, so as to make their actions less detectable, or speed up the process on slow connections.

Most antivirus programs were previously unable to identify Fruitfly

During his analysis of Fruitfly, Wardle also found the malware provided hackers with the IP address, name of the user, and the computer name. The researcher found on one occasion, when almost 400 infected Macs connected to a registered server, that he was not only able to view the IP addresses and user names on those devices, but that he could have used the malware to easily spy on the users.

Unfortunately, there’s no way to know just how the malware infects computers. Wardle did speculate that Fruitfly could infect a machine via a malicious email attachment, however, or simply through a malicious link.

What is Fruitfly – Who’s behind the malware?

At this point, it remains unclear who created Fruitfly. Wardle did say he believes a single hacker, rather than a nation state attacker, was behind the malware, saying he thought the aim was to “spy on people for perverse reasons.”

It also remains unclear what the purpose of Fruitfly is at this point. It doesn’t install ransomware like many other forms of malware, so it doesn’t seem as though the creator’s intent was to steal financial information or make a profit.

However, it appears the primary command-and-control server for the malware has been shuttered, which suggests whoever is behind Fruitfly has abandoned it – again, there’s no way to know for sure, however.

Still, the infected Macs remain infected and will still report to the server when it is activated, meaning anyone who registers one of the hardcoded domains in the malware will be able to access the infected machines.

What is Fruitfly – Who’s affected?

Wardle is unable to say how many are affected by the malware, but did reveal that most of the 400 computers that connected to the server during his research were based in the US – though there didn’t appear to be any connection between the devices.

The number of infected users worldwide is likely much higher than 400, seeing as the malware has, according to Wardle, remained undetected for five years.

And it seems anyone could be the victim of a Fruitfly infection. The researcher told ZDNet: “You have to realise that this kind of re-exposes the fact that you can be an ordinary person and still be victim of a really insidious attack. This is just another illustration that Macs are just as vulnerable as any other computer.”

What is Fruitfly – How to protect yourself

Apple released security patches for Fruitfly earlier this year, but the newer variants of the malware which subsequently emerged are yet to be patched.

Wardle himself has developed two pieces of Mac software which would have helped Fruitfly victims identify the infection. The first, BlockBlock, would have been able to highlight the malware’s suspicious launch agent, while the second, Oversight, notifies users whenever an app tries to access a Mac’s webcam or microphone.

While Fruitfly remains undetected by many antivirus programs, the VirusTotal malware detection service recently appeared to show that 19 of the top 56 antivirus and endpoint protection products are now able to identify a Fruitfly infection.

What do you make of the whole thing? Tweet us @trustedreviews.