Alleged author of creepy FruitFly macOS malware arrested

Posted by   Martijn Grooten on   Jan 11, 2018

It is almost a year since the mysterious FruitFly malware for macOS was discovered. Malware targeting macOS is still uncommon enough to be newsworthy, but FruitFly seemed particularly interesting: its spying capabilities, combined with the fact that it had managed to stay under the radar for many years, led many to postulate that it was some kind of creepy nation-state malware.

Now, following the recent arrest of the suspected author of FruitFly, we can be fairly certain that it wasn't a nation state that developed FruitFly – but creepy it certainly was.

The 28-year-old Ohio resident under arrest is believed to have used the malware – which could, among many other things, record audio and video – to spy on a a large number of victims. What exactly was the purpose of these activities isn't clear from the indictment, but it is telling that the author was sent an alert whenever an infected user 'typed certain words associated with pornography'.

The defendant is also accused of having produced child sexual abuse material, though it is unclear whether these charges are related to the malware.

Though the vast majority of malware seen in the wild has a purely financial motive and thus goes after your Bitcoin wallet and your PayPal password rather than your private photos, there are some notable exceptions. A VB2017 presentation by Joseph Cox looked at the threat of consumer spyware used by stalking (ex-)partners; FruitFly demonstrates that complete strangers are also using malware for very creepy purposes.



Patrick Wardle describes FruitFly at VB2017.

Another VB2017 paper, by Synack's Patrick Wardle, presented a detailed technical analysis of one particular FruitFly variant, by analysing it through a custom C&C server. The paper is available to read online and the video of Patrick's presentation is available on our YouTube channel.




Latest posts:

VB2017 paper: The life story of an IPT - Inept Persistent Threat actor

At VB2017 in Madrid, Polish security researcher and journalist Adam Haertlé presented a paper about a very inept persistent threat. Today, we publish both the paper and the recording of Adam's presentation.

Five reasons to submit a VB2018 paper this weekend

The call for papers for VB2018 closes on 18 March, and while we've already received many great submissions, we still want more! Here are five reasons why you should submit a paper this weekend.

First partners of VB2018 announced

We are excited to announce the first six companies to partner with VB2018.

VB2018: looking for technical and non-technical talks

We like to pick good, solid technical talks for the VB conference programme, but good talks don't have to be technical and we welcome less technical submissions just as much.

Partner with VB2018 for extra visibility among industry peers

Partnering with the VB conference links your company to a successful and well-established event, demonstrates your commitment to moving the industry forward, allows you to meet potential clients, be visible to industry peers and build lasting…