Alleged author of creepy FruitFly macOS malware arrested

Posted by   Martijn Grooten on   Jan 11, 2018

It is almost a year since the mysterious FruitFly malware for macOS was discovered. Malware targeting macOS is still uncommon enough to be newsworthy, but FruitFly seemed particularly interesting: its spying capabilities, combined with the fact that it had managed to stay under the radar for many years, led many to postulate that it was some kind of creepy nation-state malware.

Now, following the recent arrest of the suspected author of FruitFly, we can be fairly certain that it wasn't a nation state that developed FruitFly – but creepy it certainly was.

The 28-year-old Ohio resident under arrest is believed to have used the malware – which could, among many other things, record audio and video – to spy on a a large number of victims. What exactly was the purpose of these activities isn't clear from the indictment, but it is telling that the author was sent an alert whenever an infected user 'typed certain words associated with pornography'.

The defendant is also accused of having produced child sexual abuse material, though it is unclear whether these charges are related to the malware.

Though the vast majority of malware seen in the wild has a purely financial motive and thus goes after your Bitcoin wallet and your PayPal password rather than your private photos, there are some notable exceptions. A VB2017 presentation by Joseph Cox looked at the threat of consumer spyware used by stalking (ex-)partners; FruitFly demonstrates that complete strangers are also using malware for very creepy purposes.

 

Patrick-W-VB2017.jpg

Patrick Wardle describes FruitFly at VB2017.

Another VB2017 paper, by Synack's Patrick Wardle, presented a detailed technical analysis of one particular FruitFly variant, by analysing it through a custom C&C server. The paper is available to read online and the video of Patrick's presentation is available on our YouTube channel.

 

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2018 video: Shedding skin - Turla's fresh faces

Today, we have published the video of a VB2018 presentation by Kaspersky Lab researchers Kurt Baumgartner and Mike Scott, who looked at the latest activity of the Turla group.

VB2018 video: Triada: the past, the present and the (hopefully not existing) future

Today we publish the video of the VB2018 presentation by Google researcher Lukasz Siewierski on the Triada Android malware and Google's work with OEMs to remove it from infected devices.

VB2018 paper: Uncovering the wholesale industry of social media fraud: from botnet to bulk reseller panels

Today, we publish the VB2018 paper by Masarah Paquet-Clouston (GoSecure) who looked at the supply chain behind social media fraud.

VB2018 paper: Now you see it, now you don't: wipers in the wild

Today, we publish the VB2018 paper from Saher Naumaan (BAE Systems) who looks at malware variants that contain a wiper functionality. We also publish the recording of her presentation.

Emotet trojan starts stealing full emails from infected machines

The infamous Emotet trojan has added the capability to steal full email bodies from infected machines, opening the possibilities for more targeted spam and phishing campaigns.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.