PINDROP BLOG

New Attack Invisibly Monitors Mac Video Calls

There have been a number of pieces of malware to emerge in the last few years that have the ability to hook into the microphone and camera of infected machines, allowing attackers to record private conversations of targeted users. Now a researcher is releasing a new tool that can detect and alert Mac users to hidden processes exhibiting this behavior.

The tool, called OverSight, is the work of Patrick Wardle, an accomplished security researcher who has discovered a number of security weaknesses in Apple products, including methods for bypassing the Gatekeeper protections in OS X. Earlier this year Wardle released a tool called RansomWhere? that has generic detection capabilities for OS X ransomware variants. His new project is designed to protect users from the numerous kinds of malware circulating that can spy on victims’ audio and video conversations.

Wardle is releasing the tool today at the Virus Bulletin conference, where he also will present research on a technique that can stealthily monitor the webcam and mic on OS X machines.

“One of the most insidious actions of malware, is abusing the audio and video capabilities of an infected host to record an unknowing user. Macs, of course, are not immune; malware such as OSX/Eleanor, OSX/Crisis, OSX/Mokes, and others, all attempt to spy on OS X users. OverSight constantly monitors a system, alerting a user whenever the internal microphone is activated, or the built-in webcam is accessed,” Wardle said in a post about the new tool.

“And yes, while the webcam’s LED will turn on whenever a session is initially started, new research has shown that malware can surreptitious piggyback into such existing sessions (FaceTime, Sykpe, Google Hangouts, etc.) and record both audio and video – without fear of detection.”

Many high-level attackers, including APT groups and intelligence agencies, use tools that target the webcam and microphone on infected machines. This gives them a way to monitor the otherwise private communications of their targets, which can include FaceTime, Skype, or other video chat apps. Wardle said that while OverSight can protect against certain behaviors of this kind of malware, there likely are ways to defeat it.

“As with any security tool, direct or proactive attempts to specifically bypass OverSight’s protections will likely succeed. Moreover, the current version over OverSight utilizes user-mode APIs in order to monitor for audio and video events. Thus any malware that has a kernel-mode or rootkit component may be able to access the webcam and mic in an undetected manner,” he said.

Wardle’s technique for monitoring users’ video call sessions would not be visible to the victim, because it would kick in while a session was already in progress, so the webcam light already would be on.

“After examining various ‘webcam-aware’ OS X malware samples, the research will show a new ‘attack’ that would allow such malware to stealthily monitor the system for legitimate user-initiated video sessions, then surreptitious piggyback into this in order to covertly record the session. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection,” Wardle’s research abstract says.