
Is Your Mac Spying On You? Maybe It Should be

What would you call software installed on your Mac, that’s hidden from sight, difficult to remove, and that silently monitors everything that happens on the system? You might call it spyware, or a RAT (Remote Access Trojan), and start thinking about how best to get rid of it.

However, that same description can also be applied to the software that’s used to keep your machine safe from such threats. Security solutions like EDR (Endpoint Detection and Response) and DLP (Data Loss Prevention) are also designed to quietly keep tabs on the data coming and going on your devices, and report back if they find anything that looks suspicious.

The main, obvious difference between the forces of Good and the forces of Evil is who they report back to. That, and the fact that the baddies usually don't display their logo as an icon in your menu bar.

Persistence and Perseverance

Something else that both legitimate and malicious software have in common is persistence. When your job is to secure and protect a customer’s computer, the last thing you want is that same customer removing the tools you’ve installed. Sometimes, it will be an innocent mistake—they didn’t know what that application was doing there, so it didn’t seem like a problem if they uninstalled it. Other times, the user will know exactly what they’re doing, and just want to circumvent some inconvenience imposed by annoying little things like company security policies. 

Then there are (mostly) older applications whose impact on system performance is arguably worse for productivity than an actual malware infection. Thankfully, there are options these days that offer both improved detection rate and lower impact on system performance. They are also better at resisting the efforts of the frustrated editor who just wants his videos to render a few percent faster, and will happily risk inviting ransomware and/or the wrath of IT to do it.

In order to prevent either accidental or intentional removal, both sides of the security conflict employ a variety of methods to cement their foothold on the Mac. Apple actively enables many of these schemes, either as a result of their own efforts to prevent tampering, or through features built with convenience in mind—either for the user or for software developers. 

In macOS versions prior to 11 (Big Sur), it was relatively easy to install kernel extensions, or kexts, that run with the same privilege level as the operating system itself. Once installed, not only would these extensions have the run of the place, but they required more than casual effort for a user to remove. Even if you quit an app that leveraged a kext, the extension would remain loaded, along with all of its vulnerabilities or instabilities. Since then, kexts have mostly been sidelined in favor of system extensions, which do the same kind of work (endpoint security, network filtering, device drivers) from user space rather than inside the kernel, so a crash or bug in one cannot take the whole system down with it. [ https://support.apple.com/en-us/HT210999 ]

In more recent releases of macOS, it takes special effort to install a kext, or "legacy system extension": the user has to click through some daunting warning messages and approve the extension in System Settings, and on Apple silicon Macs the system must first be booted into Recovery and explicitly set to Reduced Security with kernel extension management allowed. The practical upshot for both defenders and attackers is that a kext is no longer a quiet way to gain a foothold.


Daemons in the Details

In the Windows world, there are services and startup programs, background tasks that automatically run when the computer boots, or once a user logs in. On the Mac, we have Launch Agents and Launch Daemons. Never mind the archaic spelling and diabolical connotations, as with many strange things underpinning macOS, it comes from UNIX: [ https://en.wikipedia.org/wiki/Daemon_(computing) ]. Both are managed by launchd and defined by property-list (.plist) files in the LaunchDaemons and LaunchAgents folders under /Library (and, for agents, under each user's ~/Library). Daemons are services that run in the background without user interaction, typically as root, and launch before any user logs into the system. Launch Agents run in the context of a logged-in user: usually they start at log-in, but they can also fire periodically on a set schedule (StartInterval, StartCalendarInterval) or in reaction to state changes such as a watched file being modified.

As part of a persistent installation, software might install a daemon configured to launch at system startup (RunAtLoad) and to be restarted by launchd whenever it exits (KeepAlive), which can check online for updates, detect modification or removal of its components, and automatically reinstall itself. Plenty of legitimate applications do this to ensure that they are always up-to-date, but it shouldn't be much of a leap to see how the same mechanisms could make for particularly nasty malware.

There are several other places in macOS where applications can be triggered to launch automatically, and silently, but they are generally under the user’s control. For example, adding something to your Login Items will mean it persists each time you log in, but you don’t need any special authorization to remove it.
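To make the preceding description concrete, here is an added example (not N-able's code, and not a substitute for KnockKnock) that walks the standard launchd folders, parses each .plist with the standard-library plistlib, and flags jobs that both start automatically and are restarted when killed. The sample plist embedded in the script is constructed for offline testing; the label, path and bundle identifier in it belong to no real product.

```python
"""Triage launchd property lists for self-reviving persistence.

Added example, not N-able's code. Parses LaunchDaemon/LaunchAgent plists
with plistlib and flags the keys that make a job start at boot/login
(RunAtLoad) and restart itself when it exits (KeepAlive).
"""
import plistlib
from pathlib import Path

# Standard launchd search paths: per-user agents, all-user agents, daemons.
LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def triage_plist(data: bytes, source: str = "<memory>") -> dict:
    """Summarise one launchd plist and say whether it revives itself."""
    job = plistlib.loads(data)
    program = job.get("Program") or " ".join(job.get("ProgramArguments", []))
    keep_alive = job.get("KeepAlive", False)
    # KeepAlive is either a bool or a dict of conditions; a dict means
    # "restart under some circumstances", which is close enough to flag.
    keep_alive_set = keep_alive is True or isinstance(keep_alive, dict)
    run_at_load = bool(job.get("RunAtLoad"))

    flags = []
    if run_at_load:
        flags.append("RunAtLoad")
    if keep_alive_set:
        flags.append("KeepAlive")
    if "StartInterval" in job:
        flags.append(f"StartInterval={job['StartInterval']}s")
    if "StartCalendarInterval" in job:
        flags.append("StartCalendarInterval")
    if "WatchPaths" in job:
        flags.append("WatchPaths")

    return {
        "source": source,
        "label": job.get("Label", "?"),
        "program": program,
        "flags": flags,
        # Starts on its own AND comes back when killed: worth a closer look,
        # whether it is an EDR agent or something less welcome.
        "self_reviving": run_at_load and keep_alive_set,
    }


def scan_launchd_dirs(dirs=LAUNCHD_DIRS) -> list:
    """Triage every .plist under the given directories (missing dirs are skipped)."""
    results = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                results.append(triage_plist(p.read_bytes(), str(p)))
            except Exception as exc:  # malformed plist, permission denied, ...
                results.append({"source": str(p), "label": "?", "program": "",
                                "flags": [f"ERROR: {exc}"], "self_reviving": False})
    return results


# Constructed sample (hypothetical label and paths) so the script runs offline.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.agentguard</string>
    <key>ProgramArguments</key>
    <array><string>/Library/Example/agentguard</string><string>--watchdog</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
    <key>StartInterval</key><integer>300</integer>
</dict>
</plist>
"""


if __name__ == "__main__":
    rows = [triage_plist(SAMPLE_PLIST, "constructed sample")] + scan_launchd_dirs()
    for r in rows:
        mark = "!!" if r["self_reviving"] else "  "
        print(f"{mark} {r['label']:<40} {r['program']}")
        print(f"     {', '.join(r['flags']) or '-'}  ({r['source']})")
```

On a real Mac, run it from a Terminal that has been granted Full Disk Access if you want to see every file in /Library/LaunchDaemons; the "!!" marker picks out the jobs that would come straight back if you killed them, which is exactly the property both an EDR agent and a well-written implant want.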

It takes time and the knowledge of where to look to search all the various places where programs can hide themselves away. Luckily, there are also tools which can make that process much simpler. The weapon of choice in this regard is KnockKnock, by Patrick Wardle of Objective-See, which enumerates launch agents and daemons, login items, kernel and system extensions, browser extensions and the other persistence locations in one pass.

Are You a Good Witch? Or a Bad Witch?

We’ve written before about the Transparency, Consent, and Control (TCC) system that controls which processes can access sensitive data and perform actions on your Mac. Once an application—whether Good or Evil—is able to run consistently and unobserved by the user, what does it have access to? Less than it would with explicitly granted permissions, but still a great deal. 

To be of much use, an EDR or DLP app will need TCC-mediated access to users' files and other data in the filesystem. It would need Full Disk Access to keep tabs on what's being read and written, to notice, for instance, if files are suddenly disappearing or being encrypted by ransomware.

But consider how much information a cleverly written piece of spyware could gather, even without the ability to break the TCC rules (or trick you into granting it permissions). Who logged in, and when? What applications is the system running? What’s the SSID of your wireless network, and do you use a VPN? And that’s not even accounting for temporary files and other data on the drive that may be poorly secured by other processes.

Even without malicious intent, some software asks for access to data it really doesn't need. Most of the time, it's easier to just agree and grant access when the window pops up asking for permissions. But once those permissions are given, rarely, if ever, are they revoked. You may be interested to see just what's still installed on your Mac that has access to information such as your location, your contacts, or your photos. It just so happens that the Automation Cookbook contains a script written to read the TCC database and print a report of what it finds there. Note that the TCC database is itself protected by TCC: whatever reads it (your terminal, or the RMM agent running the script) must already hold Full Disk Access, or the read will fail. The script and instructions are posted in the Automation Cookbook here: https://me.n-able.com/s/article/Mac-TCC-Permissions-Report
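As an illustration of the kind of report such a script produces, here is an added example of my own, not the Automation Cookbook script. It queries the `access` table of TCC.db with the standard-library sqlite3 module and lists which clients hold which grants. The column names and the meaning of the auth_value / client_type integers are as I understand the macOS 11 and later schema; treat them as assumptions and compare against `.schema access` in sqlite3 on your own Mac. When neither real database can be opened (no Full Disk Access, or not running on a Mac), it falls back to a constructed in-memory table whose bundle identifiers are hypothetical.

```python
"""Report which clients hold TCC grants.

Added example, not N-able's Automation Cookbook script. Column names
(service, client, client_type, auth_value, last_modified) and the value
maps below are assumptions about the macOS 11+ TCC.db schema; verify
them with `.schema access` before trusting the output.
"""
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

TCC_DBS = [
    Path("/Library/Application Support/com.apple.TCC/TCC.db"),          # system-wide
    Path.home() / "Library/Application Support/com.apple.TCC/TCC.db",   # per-user
]

# Friendly names for the service identifiers most worth reviewing.
SERVICE_NAMES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAddressBook": "Contacts",
    "kTCCServicePhotos": "Photos",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceScreenCapture": "Screen Recording",
}
AUTH_VALUES = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}  # assumption
CLIENT_TYPES = {0: "bundle id", 1: "path"}                               # assumption


def tcc_report(conn: sqlite3.Connection) -> list:
    """Return one dict per row of the access table, decoded for humans."""
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value, last_modified "
        "FROM access ORDER BY service, client"
    ).fetchall()
    report = []
    for service, client, client_type, auth_value, last_modified in rows:
        report.append({
            "service": SERVICE_NAMES.get(service, service),
            "client": client,
            "client_type": CLIENT_TYPES.get(client_type, str(client_type)),
            "auth": AUTH_VALUES.get(auth_value, str(auth_value)),
            "modified": datetime.fromtimestamp(last_modified, tz=timezone.utc)
                                .strftime("%Y-%m-%d"),
        })
    return report


def granted(report: list) -> list:
    """Only the rows where access is actually in effect."""
    return [r for r in report if r["auth"] in ("allowed", "limited")]


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for TCC.db (hypothetical clients) for offline runs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                 "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.example.edr",      0, 2, 2, 1700000000),
        ("kTCCServiceAddressBook",          "com.example.oldchat",  0, 2, 2, 1600000000),
        ("kTCCServicePhotos",               "com.example.oldchat",  0, 0, 3, 1600000000),
        ("kTCCServiceAccessibility",        "/usr/local/bin/helper", 1, 2, 2, 1690000000),
    ])
    conn.commit()
    return conn


def open_real_dbs() -> list:
    """Open whichever real TCC databases are readable, read-only."""
    conns = []
    for path in TCC_DBS:
        if not path.is_file():
            continue
        try:
            conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
            conn.execute("SELECT 1 FROM access LIMIT 1")  # fails without Full Disk Access
            conns.append((str(path), conn))
        except sqlite3.Error as exc:
            print(f"skipping {path}: {exc}")
    return conns


if __name__ == "__main__":
    sources = open_real_dbs() or [("constructed sample", build_sample_db())]
    for name, conn in sources:
        print(f"== {name}")
        for r in granted(tcc_report(conn)):
            print(f"{r['service']:<18} {r['auth']:<8} {r['modified']}  "
                  f"{r['client']} ({r['client_type']})")
```

The "modified" column is the part worth reading most carefully: a grant for Contacts or Photos whose timestamp predates an application you no longer use is exactly the stale permission the paragraph above warns about, and one you can revoke in System Settings under Privacy & Security.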

Between this script and KnockKnock, you may find that, yes, your Mac is watching your every move. Hopefully, it's working for our side.

For more tips on managing Macs, check out the Mac Support section on our blog.

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

N-ABLE, N-CENTRAL and the other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, registered, or pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.