New back-to-front Mac malware records audio and grabs screenshots on infected computers

Graham Cluley
@gcluley

The researchers at F-Secure have blogged today about an interesting new sample of Mac malware, that they have dubbed “Backdoor:Python/Janicab.A”.

Janicab download. Image courtesy of F-Secure

The malware is interesting for a couple of reasons:

Firstly, it has been signed with an Apple Developer ID, which means that Gatekeeper in its default configuration (“Mac App Store and identified developers”) would not block it from running.


Secondly, it takes advantage of the sneaky Unicode U+202E character (RIGHT-TO-LEFT OVERRIDE) to reverse the apparent order of part of the malware’s filename.

What’s that? You don’t know about U+202E?

Consider this sentence:

"Graham Cluley Security News"

Now, here is how it would look if a Unicode U+202E override was sneakily inserted invisibly just before the capital “S” of “Security” (the override is invisible, and everything that follows it is displayed reversed):

"Graham Cluley Security News"

Try copy-and-pasting the text above if you want to witness the weirdness for yourself.

As F-Secure explains, Janicab – which is written in Python – takes advantage of the right-to-left override (RLO) character U+202E to mask the malicious file’s true extension.

In this way, a file whose stored name is RecentNews.fdp.app (with the invisible U+202E inserted right after the first dot) is displayed as RecentNews.ppa.pdf

Hex dump of Janicab malware. Image courtesy of F-Secure

You may think you are opening a .PDF file, but in reality it’s an executable .app application bundle. To maintain the subterfuge, the malware displays a decoy document while it silently installs unauthorised code onto your computer.

Bidirectional text spoofing like this has been known about for some time, but may still be a surprise to many computer users.
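The following is an added example, not code from the article or from F-Secure’s write-up, showing the trick from the other side: it reproduces how a filename containing U+202E is displayed versus what is actually stored on disk, and it gives a check a practitioner could run over a download folder or a mail gateway’s attachment names to flag any file whose visible extension disagrees with its real one. The filenames are constructed for illustration; only RecentNews.fdp.app comes from the article.

```python
import os
import unicodedata

# Unicode bidirectional formatting characters. A filename containing any of
# them deserves suspicion: no ordinary file name needs to change text
# direction. U+202E is the one Janicab uses; the others are its siblings.
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
    "\u200e\u200f"                    # LRM, RLM
)


def displayed_name(name: str) -> str:
    """Approximate what a user sees in Finder or a file-open dialog.

    The override itself is invisible, and every character after it is laid
    out right-to-left, so that part of the name appears reversed. Only the
    single-override case Janicab uses is modelled here; a full Unicode bidi
    implementation is not needed to see the effect.
    """
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    return head + tail[::-1]


def real_name(name: str) -> str:
    """The name the filesystem actually stores, minus the invisible controls."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name: str) -> str:
    """Extension of the file as the OS will interpret it when launched."""
    return os.path.splitext(real_name(name))[1].lower()


def audit_filename(name: str) -> dict:
    """Compare the visible extension with the real one and flag mismatches."""
    found = sorted({unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS})
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    actual_ext = real_extension(name)
    return {
        "displayed": shown,
        "actual": real_name(name),
        "displayed_extension": shown_ext,
        "actual_extension": actual_ext,
        "bidi_controls": found,
        "suspicious": bool(found) or shown_ext != actual_ext,
    }


# Constructed sample names. The first is Janicab's, written as it is stored
# on disk; the second is benign; the third shows the same trick dressed up
# as a Windows screensaver, which is how the technique is usually seen there.
SAMPLE_NAMES = [
    "RecentNews." + RLO + "fdp.app",
    "report.pdf",
    "invoice" + RLO + "fdp.scr",
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        result = audit_filename(sample)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} shown as {result['displayed']!r}, "
              f"really {result['actual']!r} ({result['actual_extension']})")
```

Stripping the override, as `real_name` does, is also a sensible thing to do on upload or attachment ingestion: the stored name then matches what the user will see, and the check becomes unnecessary afterwards.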

The final point of interest about Janicab is, of course, why was it written?

What we know is that Janicab can grab screenshots and record audio from your computer without you realising; for the audio recording it uses the third-party command line utility SoX (Sound eXchange).

Python code and Sox. Image courtesy of F-Secure

It seems plausible, therefore, to believe that Janicab was created to spy on others – something that has become increasingly common with malware in recent years.

According to VirusTotal, detection by most anti-virus products may not be in place yet. However, F-Secure says that it detects the malware as Backdoor:Python/Janicab.A and Trend Micro and Sophos appear to detect it as TROJ_GEN.F47V0712 and Mal/BredZpRTL-A respectively.

You can read more about the malware in F-Secure’s blog.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.

One comment on “New back-to-front Mac malware records audio and grabs screenshots on infected computers”

  1. j.

    a similar use of the RTL unicode char was used to get malware hosted on Google Drive in April.
    http://techhelplist.com/index.php/spam-list/549-swift-transfer-confirmation-google-docs-malware
