macOS malware was quietly taking screenshots of users' screens

Why, we don’t know. But Apple says it has patched the flaw that allowed the privacy breach.


Apple has released an update for macOS that patches a vulnerability that allowed malware to bypass permission prompts and quietly record users’ screens without their knowledge.

The malicious software, called XCSSET, was first spotted by security researchers at Jamf in 2020. It works by targeting developers who make apps for macOS, infecting their projects so that they unwittingly distribute the malware to their users.

Once installed on a victim’s computer, the malware searches for installed apps that are frequently granted permission to share the screen, like Zoom, and then injects itself into the app’s file directory.

Bypassing Apple’s security — Apple’s macOS has strong built-in security defenses that put technical obstacles in the way of malicious apps. By default, the operating system will only install apps from the App Store and from developers otherwise identified by Apple. And apps must request permission from a user before they can record the screen.

But the malware in question went undetected. Developers downloaded an infected file somewhere on the web, and the malware then hid itself inside their legitimate apps, ones that users are accustomed to granting recording permissions. Once inside, the malware signed the updated app with the developer’s legitimate certificate, which is supposed to give users confidence that what they’re installing is safe. Developers can have their certificate revoked by Apple if their apps are found to be malicious in nature (users can still download the unauthorized apps, but would have to adjust their default settings).

Capturing users’ screens could give the malware’s developers access to sensitive information. It’s been reported that XCSSET also used an exploit to steal cookies from the Safari browser, potentially giving them access to a person’s online accounts.

Malware is multiplying — Malware on macOS is a growing problem as the operating system becomes more popular and lucrative to target, but protections built into the OS make it difficult for code to do anything serious like delete files or encrypt storage in a ransomware attack. The malware detected by Jamf is concerning because infecting a Mac normally requires downloading shady software and dismissing a series of warnings from Apple in order to run it. Viruses haven’t tended to do well on macOS because a series of firewalls has to be bypassed, whereas on Windows security measures were historically lighter.

Apple told TechCrunch that macOS version 11.4 was made available yesterday and patches the vulnerability that XCSSET used. It urges everyone to install the update as soon as possible.