New back-to-front Mac malware records audio and grabs screenshots on infected computers

The researchers at F-Secure have blogged today about an interesting new sample of Mac malware that they have dubbed “Backdoor:Python/Janicab.A”.

Janicab download. Image courtesy of F-Secure

The malware is interesting for a couple of reasons:

Firstly, it has been signed with an Apple Developer ID.


XKCD comic about U+202e

Secondly, it takes advantage of the sneaky Unicode U+202E marker to do a right-to-left override of part of the malware’s filename.

What’s that? You don’t know about U+202E?

Consider this sentence:

"Graham Cluley Security News"

Now, here is how it would look if a Unicode U+202E marker was sneakily inserted invisibly just before the capital “S” of “Security”:

"Graham Cluley Security News"

Try copy-and-pasting the text above if you want to witness the weirdness for yourself.

As F-Secure explains, Janicab – which is written in Python – takes advantage of the right-to-left (RTL) U+202E Unicode character to mask the malicious file’s true extension.

In this way, a file apparently called RecentNews.ppa.pdf is really RecentNews.fdp.app.

Hex dump of Janicab malware. Image courtesy of F-Secure

You may think you are opening a .PDF file, but in reality it’s an executable .APP. To maintain the subterfuge, the malware displays a decoy document while it silently installs unauthorised code onto your computer.

Bidirectional text spoofing like this has been known about for some time, but may still be a surprise to many computer users.
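A defensive check for the filename trick described above, as an added example that is not from the article or from F-Secure: it flags names containing bidirectional control characters and compares the extension a user would see with the real one. The function names and sample filenames are assumptions constructed for illustration, and the display model covers only the right-to-left override case, not the full Unicode bidirectional algorithm.

```python
import os
import unicodedata

# Bidirectional formatting controls that can change the order a name is drawn in.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e"   # LRE RLE PDF LRO RLO
                    "\u2066\u2067\u2068\u2069"         # LRI RLI FSI PDI
                    "\u200e\u200f")                    # LRM RLM
RLO, PDF = "\u202e", "\u202c"

def approximate_display(name):
    """Reverse each run after an RLO (up to a PDF or the end of the name)."""
    out, run, reversing = [], [], False
    for ch in name:
        if ch == RLO:
            reversing = True
        elif ch == PDF and reversing:
            out.extend(reversed(run))
            run, reversing = [], False
        elif ch in BIDI_CONTROLS:
            continue  # other controls are invisible; drop them from the rendering
        else:
            (run if reversing else out).append(ch)
    return "".join(out + run[::-1])

def inspect_name(name):
    """Return a finding dict if the name contains bidi controls, else None."""
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    if not controls:
        return None
    logical = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = approximate_display(name)
    return {
        "escaped": name.encode("unicode_escape").decode("ascii"),  # safe to log
        "controls": controls,
        "displayed_as": shown,
        "displayed_extension": os.path.splitext(shown)[1].lower(),
        "real_extension": os.path.splitext(logical)[1].lower(),
    }

def scan(names):
    """Return findings for names whose displayed and real extensions differ."""
    return [f for f in map(inspect_name, names)
            if f and f["displayed_extension"] != f["real_extension"]]

# Constructed sample names; the first reproduces the article's example.
SAMPLES = ["RecentNews.\u202efdp.app", "Quarterly report.pdf", "notes\u200e.txt"]
if __name__ == "__main__":
    print(*scan(SAMPLES), sep="\n")
```

Logging the escaped form matters because the raw name would be reordered again by any terminal or log viewer that honours the override.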

The final point of interest about Janicab is, of course, why was it written?

What we know is that Janicab can grab screenshots and record audio via your computer, without you realising, using the third-party command line utility Sox.

Python code and Sox. Image courtesy of F-Secure

It seems plausible, therefore, to believe that Janicab was created to spy on others – something that has become increasingly common with malware in recent years.

According to VirusTotal, detection by most anti-virus products may not be in place yet. However, F-Secure says that it detects the malware as Backdoor:Python/Janicab.A, and Trend Micro and Sophos appear to detect it as TROJ_GEN.F47V0712 and Mal/BredZpRTL-A respectively.

You can read more about the malware in F-Secure’s blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

One comment on “New back-to-front Mac malware records audio and grabs screenshots on infected computers”

  1. j.

    A similar use of the RTL Unicode char was used to get malware hosted on Google Drive in April.
    http://techhelplist.com/index.php/spam-list/549-swift-transfer-confirmation-google-docs-malware
