First Mac Malware ‘Fruitfly’ Of The Year Uses Decades-Old Code

The Fruitfly Mac malware, which targets biomedical research institutions, uses code that dates back to the 1990s

Researchers have discovered malware targeting Mac systems that may have operated undetected for decades, targeting biomedical research facilities.

Computer security firm Malwarebytes was alerted to the code by a system administrator who noticed odd outgoing traffic from a Mac and quickly uncovered the malware, which is being called Fruitfly by Apple.

1984 Apple Macintosh

Targeted attacks

While the code is sophisticated in some ways, it isn’t particularly difficult to detect, suggesting it has only been used in a few targeted attacks, Malwarebytes said.

The malware may have been used by unidentified nation-states to steal scientific research, said Malwarebytes’ directof of Mac offerings Thomas Reed.

“Although there is no evidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage,” he said in a blog post.

Fruitfly creates a backdoor that allows attackers to take screen captures and remotely control the system, Reed said.

Old code

He noted that the system calls it uses for screen captures and webcam access go back in some cases to before Mac OS X – which was launched in 2001. The binary also uses open source libjpeg code that was last updated in 1998.

“We shouldn’t take the age of the code as too strong an indication of the age of the malware,” he added. “This could also signify that the hackers behind it really don’t know the Mac very well and were relying on old documentation. It could also be that they’re using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.”

One of the malware’s components had a creation date of January 2015, a comment in one file indicates a change was made for Mac OS X 10.0, released in October 2014, and the command server used by Fruitfly was also used by two Windows executables uncovered in 2013, facts that suggest Fruitfly has been around for at least several years, Reed said.

The malware includes Linux system calls and Malwarebytes found almost all the components ran without problems on a Linux system, indicating there may be a Linux-targeted version in circulation.

Reed said Malwarebytes has informed Apple of the issue and the Mac maker plans to issue an update preventing future infections.

Malwarebytes said the incident should remind Mac users to be on their guard against security threats.

Do you know all about security? Try our quiz!