Malware caught using a macOS zero-day to secretly take screenshots

Until today, attackers were exploiting a vulnerability in the latest macOS that let malware access the microphone and webcam, record the screen, or take screenshots on infected Macs. All of this happened without the user's knowledge and without the permission prompt macOS normally shows.

The flaw is patched in macOS 11.4, released on May 24, 2021. If you haven't already, update your machine today, and consider running an antivirus app. The zero-day was exploited by XCSSET, malware first documented by security firm Trend Micro last August. At the time XCSSET used two other zero-days and targeted developers through their Xcode projects: the malware inserts itself into a project so that it is built into, and shipped with, the developer's own app, and from there reaches regular users.

Jamf's researchers discovered the new exploit while analyzing XCSSET "after noting a significant uptick of detected variants observed in the wild," they said. Apple has so far not provided specific details about the vulnerability in its entry in the CVE database.

The flaw works by bypassing the Transparency, Consent, and Control (TCC) framework, which governs which protected resources an application may use, "such as granting video collaboration software access to the webcam and microphone, in order to participate in virtual meetings," according to the Jamf post. "The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user's explicit consent–which is the default behavior," researchers said.

Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in a blog post, shared with TechCrunch, that the malware searches the victim's computer for apps that are frequently granted screen-sharing permissions, such as Zoom, WhatsApp and Slack, and plants a malicious screen-recording app bundle inside one of them. Because TCC treats the planted bundle as part of the legitimate "donor" app, the malicious code "piggybacks" on that app and inherits its permissions across macOS. The malware then signs the new app bundle with a new certificate so that macOS's built-in security defenses do not flag it.
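The donor-app pattern described in the two paragraphs above suggests a simple hunt a defender can run: list the apps the user has granted Screen Recording (or microphone, camera, Full Disk Access) in the TCC database, then look inside each of those bundles for a second app bundle that should not be there. The script below is an added example, not Jamf's, Apple's or TechCrunch's code. It assumes the macOS 11 layout of the TCC.db `access` table (columns `service`, `client`, `client_type`, `auth_value`, with `auth_value` 2 meaning allowed and `client_type` 0 meaning the client is a bundle ID and 1 an absolute path), the `kTCCService...` service names, and the system paths in the constants; the `LSUIElement` check is also an assumption, since the article says nothing about the planted bundle's plist. The sample TCC.db and app folders it builds for its demo run are constructed, not taken from a real Mac.

```python
"""Hunt for TCC-privileged apps that carry an unexpected nested .app bundle.

Added example (not from the article or Jamf). Assumed: macOS 11 TCC.db
'access' schema, auth_value/client_type meanings and service names below.
"""
import os
import plistlib
import sqlite3
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed system paths. Reading the live TCC.db requires Full Disk Access for the shell.
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
DEFAULT_SEARCH_ROOTS = ("/Applications", "/Applications/Utilities", "/System/Applications")
# Assumed TCC service identifiers for the permissions the article names.
SERVICES = ("kTCCServiceScreenCapture", "kTCCServiceMicrophone",
            "kTCCServiceCamera", "kTCCServiceSystemPolicyAllFiles")
AUTH_ALLOWED = 2                          # assumed: access.auth_value == 2 means granted
CLIENT_IS_BUNDLE_ID, CLIENT_IS_PATH = 0, 1  # assumed: access.client_type meanings


def tcc_allowed_clients(db_path: str, services: Iterable[str] = SERVICES) -> List[Tuple[str, str, int]]:
    """Return (service, client, client_type) rows that are currently granted, opened read-only."""
    services = tuple(services)
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        marks = ",".join("?" * len(services))
        return con.execute(
            f"SELECT service, client, client_type FROM access "
            f"WHERE service IN ({marks}) AND auth_value = ?",
            (*services, AUTH_ALLOWED)).fetchall()
    finally:
        con.close()


def load_info(app: Path) -> Dict:
    """Parse Contents/Info.plist; an unreadable plist yields {} so one odd bundle cannot abort the hunt."""
    try:
        with (app / "Contents" / "Info.plist").open("rb") as f:
            return plistlib.load(f)
    except (OSError, plistlib.InvalidFileException):
        return {}


def resolve_bundle(client: str, client_type: int, search_roots: Iterable[str]) -> Optional[Path]:
    """Map a TCC client to an .app on disk: path clients directly, bundle-ID clients by scanning roots."""
    if client_type == CLIENT_IS_PATH:
        p = Path(client)
        return p if p.is_dir() else None
    for root in search_roots:
        for app in Path(root).glob("*.app"):
            if load_info(app).get("CFBundleIdentifier") == client:
                return app
    return None


def nested_bundles(app: Path) -> List[Path]:
    """Every *.app directory anywhere below the donor's Contents folder."""
    found: List[Path] = []
    for dirpath, dirnames, _ in os.walk(app / "Contents"):
        found.extend(Path(dirpath) / d for d in dirnames if d.endswith(".app"))
    return found


def hunt(db_path: str, search_roots: Iterable[str]) -> List[Dict]:
    """For each app holding a sensitive TCC grant, report any second app bundle nested inside it."""
    roots, findings = tuple(search_roots), []
    for service, client, client_type in tcc_allowed_clients(db_path):
        donor = resolve_bundle(client, client_type, roots)
        if donor is None:
            continue
        for child in nested_bundles(donor):
            info = load_info(child)
            findings.append({
                "service": service, "donor": str(donor), "nested_app": str(child),
                "nested_bundle_id": info.get("CFBundleIdentifier"),
                "hidden_from_dock": bool(info.get("LSUIElement", False)),  # assumption: worth flagging
            })
    return findings


def build_fixture(root: Path) -> Tuple[str, str]:
    """Constructed sample data: com.example.meeting holds Screen Recording and carries a stray
    Helper.app inside its bundle; com.example.editor holds only Microphone and is clean."""
    apps = root / "Applications"
    bundles = (
        (apps / "Meeting.app", "com.example.meeting", {}),
        (apps / "Meeting.app" / "Contents" / "MacOS" / "Helper.app", "com.example.dropper", {"LSUIElement": True}),
        (apps / "Editor.app", "com.example.editor", {}),
    )
    for app, ident, extra in bundles:
        (app / "Contents").mkdir(parents=True, exist_ok=True)
        with (app / "Contents" / "Info.plist").open("wb") as f:
            plistlib.dump({"CFBundleIdentifier": ident, **extra}, f)
    db = root / "TCC.db"
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceScreenCapture", "com.example.meeting", CLIENT_IS_BUNDLE_ID, AUTH_ALLOWED),
        ("kTCCServiceScreenCapture", "com.example.editor", CLIENT_IS_BUNDLE_ID, 0),  # denied
        ("kTCCServiceMicrophone", "com.example.editor", CLIENT_IS_BUNDLE_ID, AUTH_ALLOWED),
    ])
    con.commit()
    con.close()
    return str(db), str(apps)


def demo() -> List[Dict]:
    """Run the hunt against the constructed fixture in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        db, apps = build_fixture(Path(tmp))
        return hunt(db, [apps])


if __name__ == "__main__":
    live_db = sys.argv[1] if len(sys.argv) > 1 else None  # pass a path to a TCC.db (copy) for a live hunt
    for r in (hunt(live_db, DEFAULT_SEARCH_ROOTS) if live_db else demo()):
        print(f"{r['service']}: {r['donor']} contains {r['nested_app']} "
              f"(id={r['nested_bundle_id']}, hidden_from_dock={r['hidden_from_dock']})")
```

Treat the output as triage, not a verdict: plenty of legitimate apps ship helper bundles inside their own bundle, so the next step for each hit is `codesign -dv --verbose=4 <nested.app>` and a comparison of its signing identity with the donor's; a nested bundle that reports `Signature=adhoc` or a different team than its host matches the re-signing behaviour the researchers describe. Per-user grants live in `~/Library/Application Support/com.apple.TCC/TCC.db` as well, so run the hunt over both databases.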

The researchers said that the malware used the permissions prompt bypass "specifically for the purpose of taking screenshots of the user's desktop," but warned that it was not limited to screen recording. In other words, the same bug could have been used to access the victim's microphone or webcam, or to capture their keystrokes, including passwords or credit card numbers. It is not clear how many Macs the malware infected using this technique. Apple confirmed to TechCrunch that it fixed the bug in macOS 11.4, which was made available as an update today.