appleinsider logo
Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

New Mac malware can remotely access FaceTime camera, but macOS Gatekeeper users are protected

A new piece of Mac-targeting malware is in the wild, potentially allowing hackers to remotely execute code and even control the FaceTime camera on a user's computer, but Apple's own Gatekeeper security prevents the unsigned app from being installed.

The newly unleashed EasyDoc Converter installs a wide array of malware on a victim's computer — but it isn't signed by Apple, which means the Gatekeeper tool in macOS should adequately protect users with default settings. Researchers at Bitdefender published an analysis detailing the malware package this week, dubbing it "Backdoor.MAC.Eleanor."

The malware is hidden inside a fake file converter application named "EasyDoc" Once users install the nonfunctional software, it downloads a malicious script.

Following installation of the app, it will fetch a number of tools that can access the FaceTime camera, download files, execute commands, and even send emails with attached files.

The remote FaceTime camera access is possible through an open-source camera access tool known as "wacaw." The EasyDoc Converter also includes a Tor hidden service, allowing attackers to remotely control the machine.

However, users who have Apple's Gatekeeper security package enabled on their Mac — as it is by default — are said to be protected.

Additionally, an Internet connection monitoring application like Little Snitch can be used to monitor and block incoming and outgoing tranmissions. Additionally, utilities similar to Patrick Wardle's BlockBlock can prevent installation of persistent components such as malware. AppleInsider tested an installation of the malware, and as of yet, Apple's integrated Xprotect has not been updated to stop the recently discovered malware.

Today's revelation of the "Backdoor.MAC.Eleanor" malware is the second OS X specific discovery in 2016, not including adware. In March, a bogus version of BitTorrent client Transmission was uploaded to its file repository, and was downloaded by unsuspecting users 6,500 times in its brief availability. It was ultimately stopped by an Xprotect update, and removal instructions were posted by the legitimate Transmission developers.

Regarding the Backdoor.Mac.Eleanor installation, computer forensics expert Jonathan Zdziarski told The Register that the package "could be serious for users who ran the program, but of course the lesson (as always) is to be careful what you install on your computer."

The EasyDoc Converter application was removed from MacUpdate overnight, and was never available on the Mac App Store.