FruitFly is malware that was found to capture screenshots and webcam images and to gather information about devices on the same network. It could then connect to those devices, giving remote attackers the ability to generate simulated mouse and keyboard events. The malware persisted through a launch agent, and its main component was identified as /Users/user/.client. Tools such as KnockKnock could reveal FruitFly's persistent component, which in the OSX/FruitFly.B variant was named 'fpsaud'. FruitFly also carried several powerful capabilities, including file exfiltration, screen capture, execution of arbitrary commands, and remote access to the webcam and microphone.
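The persistence pattern described above (a user launch agent that runs a hidden dotfile such as /Users/user/.client) is something a defender can check for without any special tooling. The following is an added example, not code from the original page or from any of the tools it names: it parses launch agent plists with the standard library and flags any whose program path is a hidden file or directory under a user's home. Both plists are constructed for the demo, and the labels and paths in them are assumptions, not the malware's real identifiers.

```python
"""
Added example (not from the original page): a defender-side triage check that
scans macOS launch agent property lists and flags any whose program path is a
hidden file under /Users/<name>, the persistence pattern described above.
The plists below are constructed for the demo; the labels and paths are
assumptions, not the malware's real identifiers.
"""
import os
import plistlib
from typing import Dict, List

# Constructed sample launch agent plist, modelled on the pattern the page
# describes (a user launch agent that runs a hidden dotfile in the home dir).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.hidden.demo</string>
    <key>ProgramArguments</key>
    <array><string>/Users/user/.client</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign plist for contrast: program lives under /Applications.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def launch_agent_program(plist_bytes: bytes) -> str:
    """Return the executable a launch agent runs: Program wins over ProgramArguments[0]."""
    data = plistlib.loads(plist_bytes)
    if "Program" in data:
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else ""


def is_hidden_in_home(path: str) -> bool:
    """True if any path component below /Users/<name>/ is a dotfile or dot-directory.

    This is a triage signal, not a verdict: some legitimate tools also install
    under hidden directories, so hits should be reviewed rather than acted on blindly.
    """
    parts = path.split("/")  # "/Users/user/.client" -> ['', 'Users', 'user', '.client']
    if len(parts) < 4 or parts[1] != "Users":
        return False
    return any(p.startswith(".") and p not in (".", "..") for p in parts[3:])


def scan_launch_agents(plists: Dict[str, bytes]) -> List[dict]:
    """Return one finding per plist whose program path is hidden under a home directory."""
    findings = []
    for name, raw in plists.items():
        program = launch_agent_program(raw)
        if is_hidden_in_home(program):
            data = plistlib.loads(raw)
            findings.append({
                "plist": name,
                "label": data.get("Label", ""),
                "program": program,
                "run_at_load": bool(data.get("RunAtLoad", False)),
                "keep_alive": bool(data.get("KeepAlive", False)),
            })
    return findings


def scan_directory(directory: str) -> List[dict]:
    """Scan a real LaunchAgents directory, e.g. os.path.expanduser('~/Library/LaunchAgents')."""
    plists = {}
    for entry in os.listdir(directory):
        if entry.endswith(".plist"):
            with open(os.path.join(directory, entry), "rb") as fh:
                plists[entry] = fh.read()
    return scan_launch_agents(plists)


if __name__ == "__main__":
    # Run against the constructed samples; swap in scan_directory(...) for a live host.
    for finding in scan_launch_agents({"demo.plist": SUSPICIOUS_PLIST, "benign.plist": BENIGN_PLIST}):
        print(finding)
```

The check deliberately reads both `Program` and `ProgramArguments`, since either key can name the executable, and it records `RunAtLoad` and `KeepAlive` because a hidden binary that is also kept alive is the combination worth escalating first.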
Machines were infected with FruitFly via brute-force attacks, often exploiting weak passwords or passwords exposed in breaches of other systems. An initial investigation into the FruitFly malware revealed that some of its code was extremely old. On January 10, 2017, Malwarebytes became aware of the Mac version of the malware, which would later be known as FruitFly. The discovery was shared with Apple, who were already working with the FBI on an ongoing investigation into the malware.
On January 25, 2017, an individual named Durachinsky was arrested for involvement with the FruitFly malware. In response to the threat posed by FruitFly, Apple released a security update to protect users against it, and Malwarebytes published a blog post with technical details about the malware. The FBI also took action, visiting the house linked to the IP address used by the malware, as documented in an FBI Flash document released to affected organizations on March 27, 2017.
Description last updated: 2024-10-15T09:29:34.425Z