The Year in Mac Malware 2022 – Intego Mac Podcast Episode 276
Posted by Kirk McElhearn
Apple has updated all its operating systems again, and even issued a security update for iOS 12. We discuss new features in the HomePod software, and we look back at the notable Mac malware of 2022.
- Apple releases Ventura 13.2, iOS 16.3, surprise iOS 12.5.7; neglects still-sold Apple Watch Series 3
- How to protect your Apple ID account with Security Keys on iPhone, iPad, or Mac
- HomePod software update 16.3 now rolling out, here’s everything new
- Signal’s desktop app doesn’t securely store, handle, or validate cached attachments
- Microsoft’s new AI can simulate anyone’s voice with 3 seconds of audio
- The Capture – BBC
- The Capture – Peacock
- The top 20 most notable Mac malware threats of 2022
- About the Web Browser Pop-up Alert Scam
Transcript of the Intego Mac Podcast episode 276
Voice over 0:00
This is the Intego Mac Podcast for Thursday, January 26, 2023.
This week’s Intego Mac Podcast security headlines include a rundown on Apple’s latest operating system updates, a potentially harmful vulnerability on the desktop version of the Signal messaging app could put some message content at risk, and a look back at the top Mac malware stories of 2022. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist, Kirk McElhearn. And Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:41
Good morning, Josh, how are you today?
Josh Long 0:43
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:44
I’m doing fine. I think I’ve just finished updating all my devices. Everything was updated this week again, wasn’t it?
The latest Apple operating system updates
Josh Long 0:51
Yeah. You’re talking about the updates that Apple released on Monday this week?
Kirk McElhearn 0:55
Monday, right? Monday. They don’t usually do that.
Josh Long 0:58
Yeah, Monday is kind of a funny day. Because people who are just getting back to work and having to patch all the devices in their organization, it’s kind of a lot of burden to put on IT people on a Monday. But you know, it is what it is.
Kirk McElhearn 1:14
I think the reason they did it on Monday is because they started shipping the new Mac mini on Tuesday. So they wanted people to get them out of the box and have the update available. If they waited till Tuesday, you’d set up a new Mac mini then you’d have an update later in the day, perhaps. So tell us about this week’s updates. What’s new?
Josh Long 1:29
Okay, well, one thing that I think is worth pointing out, because people always want to know this, were there any actively exploited vulnerabilities that were patched? And there were not— not for macOS or for iOS 16. However, surprisingly, Apple released an update for iOS 12, this week, which actually did include a fix for an actively exploited vulnerability that was previously patched in iOS 16.2, back in December.
Kirk McElhearn 1:59
And iOS 12. I mean, the last update for that was when?
Josh Long 2:03
iOS 12 was last updated in August. So August 31, 2022, they released iOS 12.5.6. And that was actually about two weeks before they released iOS 16. So we got some patches for iOS 12. And then patches for iOS 15.7 and 16. Both came on the same day, September 12.
Kirk McElhearn 2:29
This week’s updates have one major new feature. And that’s the ability to use security keys with your Apple ID in order to provide an extra layer of security, we’ll have a discussion of that next week. This is a really, really useful feature. But I don’t recommend that anyone use it. We’ve already discussed that you want to use it. But if you lose your security keys, you get locked out of your account, and Apple cannot let you back in.
Josh Long 2:52
Yeah, that is a little bit scary. So it is something that you’ve got to think about carefully before you decide you want to enable it.
What’s new in the new HomePod software?
Kirk McElhearn 3:00
Okay, the other new update was the HomePod update. And this is important because it’s actually added some interesting features to the HomePod. What’s the temperature in this room?
Siri 3:11
It ranges from 20.5 degrees Celsius to 21.3 degrees Celsius in the office.
Kirk McElhearn 3:17
So in my office, it’s somewhere between 20.5 and 21.3. Now, if I had multiple HomePods, and it was different temperatures, that would make sense. But there’s just one HomePod in my office. Oh, no. Now I understand. See, we were talking about this before the show. The reason why it’s telling me a range is because I have other HomeKit devices that are getting temperatures. So I have a Netatmo weather station and I have a Eve Thermo radiator thermostat. So what it’s telling me is the different temperature ranges for all the devices.
Josh Long 3:48
Now you have a HomePod mini.
Kirk McElhearn 3:50
This is a HomePod mini. This feature is also available on the new HomePod but not the old HomePod. The HomePod mini had this temperature humidity sensor in it. So even if I didn’t have the other devices sending the temperature to the Home app, it would be able to tell me what the temperature is. The HomePod mini had this sensor for like a year, more than a year, but it was never used. And Apple just unlocked it with the new HomePod software. Because the new big HomePod that’s shipping next week has the same sensor.
Josh Long 4:20
Gotcha. So if you have an original HomePod, it’ll be able to tell you the temperature only if you have other devices that are able to communicate that information to it.
Kirk McElhearn 4:29
Right. And if not, it’ll be the HomePod itself. Now there’s a few other interesting updates to the HomePod software. You can use Find My on HomePods to ask Siri for the location of friends and family if they’ve shared it with you. Auto Tuning optimizes spoken content such as podcasts for even greater clarity. I don’t like listening to podcasts on a HomePod, I have to use EQ, so this might be better. It has some updated volume controls on the first gen HomePod etc. The big feature is the temperature and humidity. So I was talking with our producer Doug Adams the other day, and he was trying to figure out, why is there a thermometer in my speaker? Why do I care? But the reason is that you can set HomePod routines to trigger when the temperature in the room reaches a certain temperature. And if you don’t have any other devices with thermometers, the HomePod can do that. So let’s say it gets down below 18 degrees centigrade, you want to turn the heat on something like that. And you’ll be able to set this up using the HomePod now.
Josh Long 5:27
Well, I don’t have a HomePod, I do have several Amazon Echo devices, the ones that you can, you know, activate by using the word A L E X A that I’m not going to say out loud. I don’t particularly trust Amazon. The one that we have downstairs in the kitchen, that one I leave muted whenever possible. So if I actively need to check updates, or ask it a question or play music or something, then I’ll unmute it briefly so I can interact with it. But otherwise, I prefer to leave it muted.
Kirk McElhearn 6:01
Do you not have the option of tapping it to turn on Alexa? Sorry, I said the bad word. I have Hey, Siri off on all my devices. And if you tap and hold the HomePod, then the light comes on, and you can make a request the same as when you press a button on your phone or on your watch.
Josh Long 6:19
Oh, I see. So you’re asking can I press or hold a button to activate it? I don’t think so not, at least not on the model that I have. Now I have the original Echo. So maybe some of the newer models have that capability? I don’t know.
What’s this week’s story about Signal?
Kirk McElhearn 6:34
Okay, so last week, we had our secure messaging trifecta with three stories about secure messaging apps that, well, weren’t that secure, after all. And what do you call four in a row, a hat trick and a third? A quadrecta? A quadrilogy. What’s this week’s story about Signal?
Josh Long 6:54
So last week, remember, we talked about Threema, and how there were some vulnerabilities that were found. And they don’t actually really apply anymore if you have the latest version of Threema. They’re using newer technology now anyway, so basically, most of that research, a good portion of it, was moot. So this week, we have a story about Signal, and in particular Signal desktop, this is the software that you can run on your Mac, Windows, or Linux PC. It lets you get all the messages that you can get in the Signal app on your mobile device. The problems that were discovered by this security researcher all revolve around caching that the Signal desktop app does with attachments that are sent to you. So if somebody sends you an attachment, it’s downloaded and saved to a cache folder unencrypted on your computer. And so that might already make you a little bit uneasy. If you have things that are being sent to you securely, they’re not actually being stored securely on your computer. But the bigger issue is that if somebody has physical access to your computer, which you know, that’s a big if, then they can maliciously modify those files. And then if you, in the Signal app, go to forward that document to somebody else, you’re actually going to be forwarding them the maliciously modified document and not the original that was sent to you. So there’s some related vulnerabilities there. Is it really a big deal? Well, I don’t personally know anybody who uses Signal for desktop anyway. But if you do, it’s something to be aware of. And it’s very likely that they’ll release an update in the near future that will validate that these cached files haven’t changed before allowing them to be forwarded.
Kirk McElhearn 8:48
But still physical access, someone has to sit down in front of your computer. And if you’re worried about your text messages, and you’re using Signal, you’re unlikely to be the kind of person who leaves your computer on when you go to lunch.
Josh Long 9:00
Exactly, right. You know, we’ve said before and it’s worth repeating, you know, if you get physical access to a device, if a bad guy gets physical access, all bets are off, they can basically do anything that they want. So don’t let bad guys you know, sit down at your computer.
Microsoft announced that they have a way to simulate anyone’s voice with only three seconds of audio
Kirk McElhearn 9:17
Okay, we haven’t talked a lot about AI recently, but we’ve talked about deepfakes in the past. A couple of weeks ago, Microsoft announced that they have a way that they can simulate anyone’s voice with only three seconds of audio. We’ll link to an article in Ars Technica that says “Text to speech model can preserve speaker’s emotional tone and acoustic environment.” So the surroundings of a room, and that’s really important because if you’re synthesizing speech and inserting it in speech, you have to make it sound the same. If I am talking this close to my microphone, and then I move back a couple of feet you can hear it’s different. So the surrounding audio makes a difference. Three seconds is all they need. I find this impressive. Now, you need to know how they came up with this model. You may have heard of LibriVox, which is a public domain audiobook system, you can read an audiobook of any public domain book and put it up on the web with LibriVox. And Microsoft used an audio library that Meta, that is Facebook, put together using 60,000 hours of English language speech from more than 7,000 speakers. Important to know that when you donate something to the public domain like that it can be used by companies to make money. This is what Adobe’s done with photos to train its AI, this is what a lot of AI has done. This is what happens when you click on a captcha and you click on all the stop lights, right? Because you’re training Google’s software for potential smart cars. In any case, it’s really worrisome that with a three-second audio sample they can make fake audio. And like Josh, how do you even know that this is me speaking? Right?
Josh Long 10:57
Well, okay, probably because, first of all, we’re doing this over Zoom so I can see you and someone would also be having to deepfake your face, in addition to deep faking your voice. And that would be pretty hard to do and do it convincingly for a whole conversation.
Kirk McElhearn 11:16
Fair point. There’s an interesting TV series, it’s on the BBC, there’s been two seasons, it’s called The Capture, and it’s all about deepfakes. I think it’s on Peacock in the US, you should really check it out. Because while not all of this is doable today, it’s very close to being doable. This is something that we particularly have to worry about in terms of, you know, you get these phone calls, “I am calling you from Bitcoin technical support,” right? And some funny accent in a noisy place. What if that phone call actually sounds like someone from your bank, or “Hi, I’m calling from Apple, you know, have a nice day.” And it’s gonna be a lot more difficult to see through the attempts to trick us with social engineering with this sort of stuff.
Josh Long 12:00
Right? And that’s why we bring up these kinds of stories. You know, anytime that we’re learning about new deepfake technology, or advancements in deepfakes, it’s really something that people just need to be aware of. Right? You can’t necessarily trust, you know, every video you see if somebody’s speaking. There’s tons of examples of deepfakes that amateurs have put together that are available all over YouTube, and it’s pretty impressive honestly, some of this technology. Even being able to look at a scene that you’ve seen many times from a movie like Back to the Future and see, you know, Robert Downey Jr. put into that scene. It’s kind of mind blowing how good some of this technology has really gotten. And the same thing can be done with audio as well. It’s not just faces that can change.
Kirk McElhearn 12:47
Robert Downey Jr. wasn’t in that movie?
Josh Long 12:50
Contrary to popular belief, Robert Downey Jr. and Tom Holland were actually not in Back to the Future.
Kirk McElhearn 12:57
Okay, Tom Holland probably wasn’t alive back then. Okay, we’re gonna take a break. When we come back, we’re going to talk about the year in Apple malware 2022.
Voice over 13:08
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today, when you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac podcast listeners. Intego: world-class protection and utility software for Mac users, made by the Mac security experts.
The Year in Apple Malware 2022
Kirk McElhearn 14:25
In two episodes this month, we looked at the year in Apple privacy and security and now we’re going to look at the year in Mac malware. And in 2022 we had a fair amount of malware. I can remember going years back we’d have three or four different bits of malware and now we got something every month. So where do we start?
Josh Long 14:44
Well, I think we should definitely start with January. There were a couple of big stories about SysJoker and DazzleSpy was another one. Both of these were published very close to the beginning of January 2022. And I suspect that it was because these security companies wanted to be the first to publish about some new malware, the first malware of 2022 for the Mac, right? DazzleSpy, while technically being a new name, it was a variant of some existing malware that had been called MACMA or CDDS. And some of the interesting things about it is that it has the hallmarks of a state sponsored cyber espionage campaign. And so that kind of, of course, makes it a little bit interesting. It’s not every day you get state sponsored malware that you get to analyze and talk about.
State-Sponsored Malware
Kirk McElhearn 15:31
So yeah, state sponsored cyber espionage campaign. That sounds a lot like Pegasus that spyware that we’ve been talking about for a few years.
Josh Long 15:37
Yeah, exactly. Pegasus was an example of malware that’s primarily thought of as mobile malware, right, it targets iOS and Android devices. But there’s actually lots of state sponsored malware on the Mac as well. There has been over the past several years, there’s various threat actors, and they have had various campaigns with different malware families over the years. And 2022 was no exception. The other one that was big in January was SysJoker. This was kind of interesting, because it’s cross platform malware, it was a backdoor that could infect Mac, Windows and Linux, obviously. So there were different variants of it that could infect the different platforms.
Kirk McElhearn 16:20
Do we see that often this sort of cross platform malware?
Josh Long 16:24
It’s more common than I think a lot of people realize. If somebody wants to infect lots and lots of computers, and if they don’t particularly care what platforms the infected users might have, then they’ll make malware that works across a variety of operating systems. So maybe they want to exfiltrate files from anybody, regardless of whether they happen to be using a Mac or Windows or Linux PC or whatever. They just want to steal files from you, or they want to spy on you, or whatever it is that they’re trying to do with this backdoor malware.
Kirk McElhearn 16:57
Isn’t it difficult though, to write malware for multiple platforms? I can understand maybe macOS and Linux because they all have a similar base. But Windows is very different.
ChatGPT and malware
Josh Long 17:06
Well, there’s certainly a lot of shared code actually. Kind of interestingly, we talked about ChatGPT recently, and how bad guys can actually use ChatGPT to port code from one language to another. So it’s not as difficult as you might imagine, to make code that works across multiple platforms.
Kirk McElhearn 17:26
AI is going to destroy us. I’ve seen all the movies, I’ve seen what happens.
Josh Long 17:33
It’s something that we have to be very careful about. And ChatGPT is supposed to be designed to not be usable for malicious purposes. But of course, there’s always ways to find the crack in the armor and make artificial intelligence do something that it’s not designed to do. Okay, what’s next? February 2022, we saw some new coin miner malware. Also, this was when the whole Russia-Ukraine conflict really began. And so as a precursor to that there were malware campaigns that were wiper malware that was deployed against targets in Ukraine. HermeticWiper was one example of that. And there were other similar bits of malware that came out as well after that. Now that wasn’t particularly Mac focused. But because this was such a big deal, and in the news, we did write about this on the Mac Security Blog as well. And we’ll have a link to that article in the 2022 Malware Review. Okay, so what else can we look at? GIMMICK was another one that made headlines. This was another multi-platform, fully-featured malware. It leveraged cloud providers, could be used for command and control. So basically another backdoor, another cross platform backdoor. CrateDepression was interesting. This was spread through typosquatting attacks. Typosquatting is the kind of thing where the bad guys will register domains that are very similar and could easily be typoed if you’re just typing into the address bar in a browser. And so CrateDepression was something that you could get infected by if you typoed a particular domain, in a particular way, you will get this malware installed on your computer.
Typosquatting
Kirk McElhearn 19:17
Typosquatting is interesting. A lot of businesses register domains that are similar to theirs in order to prevent this from happening. So Apple owns A P P L L E dot com. They own A P L E dot com. They don’t own A P P P L E dot com.
Josh Long 19:33
Yeah, so don’t go there.
Fake App Store pages on the web
Kirk McElhearn 19:36
So in September, I stumbled upon some fake app store pages that were hosting malware.
Josh Long 19:43
That’s right. Yeah. This is something that I had started to notice as well, kind of around that time where if you happen to search for a particular piece of Mac software, and it doesn’t matter really what search engine you’re using, but of course most people are using Google. And this does happen with Google. Sometimes some of the results that rank very highly in Google search results will actually be malware pages, though they’ll appear to be pages where you can download that software. Now, Apple has actual pages on apple.com, for all of these different apps that actually do exist in the App Store, whether it’s Mac App Store, iOS App Store, whatever. But what these bad guys are doing is they’re making pages that look kind of similar to those official App Store placeholder pages from apple.com. They’re hosting them on different domains, but they look similar enough that they could trick people into downloading malware from those pages. On the official Apple pages, they link you to that page in the official App Store app. Whereas on these malicious pages, they’ll just give you a download directly from that page that can infect your computer.
Kirk McElhearn 21:02
Right. If you’re searching for a specific Mac app, you might come up with a page that says the name of the app on the Mac App Store. When you look at the page, it’s got the Apple header, it’s got Apple’s typography, and below the name of the app and the price is a button that says View on Mac App Store. Now if you’re in Safari, loading that page is immediately going to open the Mac App Store. In other browsers that might not happen. But you will see pages that look like this when you’re searching for Mac software.
Josh Long 21:28
Right. And we have screenshots in that article. Again, you can find links to all of these articles within the year in review article that we’ll have in the show notes.
Kirk McElhearn 21:37
Okay, what about Alchemist in October? That was a pretty big one, wasn’t it?
Josh Long 21:42
Yeah, this was another one that made a lot of headlines, Alchimist, which, of course is misspelled a little bit. But Alchimist was the name of this malware framework that can be used to infect and remotely control, again, cross-platform, Mac OS, Linux and Windows computers. And it’s believed that it was used in the wild, there was some malware that was evidently made with this framework called Insekt which also, again, is misspelled insect with a K. And it’s believed that this malware was probably used in the wild.
Browser pop-up scam alerts
Kirk McElhearn 22:17
Okay, this isn’t entirely malware. But you remember back in the day, we used to get all these Flash Player fake alerts that would come up in the browser, and you got to update your Flash Player. Well, there’s a number of fake alert browser pop-ups that have been spreading. “Safari, alert. Suspicious activity might have been detected.” “Major security issue. To fix it, please call support for Apple,” et cetera, et cetera.
Josh Long 22:38
Yeah, we have a page on the Intego support site that has a couple of screenshots of some examples of these. And basically what it is, is you navigate to a page, maybe you clicked on a search result in Google, maybe you put a typo in your address bar, and so you accidentally went to the wrong site. But often what will happen is you’ll get a page that starts to load, and then it immediately pops up something that warns you that there’s supposedly an infection on your computer. Interestingly, as we were recording this and talking about typosquatting, our producer, Doug, came across one of these sites by accident, and it started speaking text out loud to him. And we could all hear it on our Zoom call, which is kind of fun. Well, fun from a security research perspective. But definitely this would be scary as heck if you’re not expecting something like this to happen. And so in October, we had so many calls in our support center, that we actually created a page on our support site, directly addressing this, so that we could refer people who are calling to this page and see exactly how to deal with it. And that it’s not actually malware, it’s not that your computer’s really infected, you just happen to browse to a malicious site that’s trying to scam you. Frequently, there will be like a phone number or something that they’ll give you. And it’s one of those tech support scam things where they want you to call up this phone number. And then they convince you that you’ve got malware, and they encourage you to initiate this remote control session. So you’re giving them control over your computer. And then of course, they can do all sorts of bad things once they actually have access to your computer.
Kirk McElhearn 24:26
Have you had to use Apple support in any recent months or years? You’re not a support person are you? I end up with these intractable problems, and I call Apple support. And they have a very nifty remote viewing system that’s built into macOS and iOS and iPadOS. They’ll tell you, okay, I’m going to initiate a session to your Apple ID and you get a little notification and you accept and then you see a screen about how it might be recorded, et cetera, and they can look at what you’re doing and they can move an arrow cursor around. And a couple years ago, they started being able to do this on the iPhone and the iPad, which is great because, when you’ve got a problem, and you’re explaining it, and it’s hard to explain, they can see what it is. Now Apple can do this with your permission. But when other companies do this, it’s not the same. So if you are talking to Apple support, you may see this and it’s a little sort of standard notification. The thing that you’re seeing here is just a normal dialog in Safari. There is no way a normal dialog would display a phone number, or talk about the FBI or say your browser has been blocked. That just doesn’t happen.
Josh Long 25:31
Right. Not unless it’s a scam. So good to be aware of. Theoretically, these pages could lead to malware as well, they could try to convince you to download some malware. So far, we’ve been primarily seeing these types of pages, trying to get you to call a fake support center and get fake assistance for your fake problem.
Kirk McElhearn 25:52
Okay, that’s enough for this week. Next week, we’re going to talk about security keys to protect your Apple ID. Until next week, Josh, stay secure. All right, stay secure.
Voice over 26:01
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.
If you like the Intego Mac Podcast, be sure to rate and review it on Apple Podcasts.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
