New back-to-front Mac malware records audio and grabs screenshots on infected computers


The researchers at F-Secure have blogged today about an interesting new sample of Mac malware, that they have dubbed “Backdoor:Python/Janicab.A”.

Janicab download. Image courtesy of F-Secure

The malware is interesting for a couple of reasons:

Firstly, it has been signed with an Apple Developer ID.

XKCD comic about U+202eSecondly, it takes advantage of the sneaky Unicode U+220E marker to do a right-to-left override of part of the malware’s filename.

What’s that? You don’t know about U+220E?

Consider this sentence:

"Graham Cluley Security News"

Now, here is how it would look if a Unicode U+220E marker was sneakily inserted invisibly just before the capital “S” of “Security”:

"Graham Cluley Security News"

Try copy-and-pasting the text above if you want to witness the weirdness for yourself.

As F-Secure explains, Janicab - which is written in Python - takes advantage of the right-to-left (RTL) U+220E Unicode character to mask the malicious file’s true extension.

In this way, a file apparently called RecentNews.ppa.pdf is really

Hex dump of Janicab malware. Image courtesy of F-Secure

You may think you are opening a .PDF file, but in reality it’s an executable .APP. To maintain the subterfuge, the malware displays a decoy document while the malware silently installs unauthorised code onto your computer.

Bidirectional text spoofing like this has been known about for some time, but may still be a surprise to many computer users.

The final point of interest about Janicab is, of course, why was it written?

What we know is that Janicab can grab screenshots and record audio via your computer, without you realising, using the third-party command line utility Sox.

Python code and Sox. Image courtesy of F-Secure

It seems plausible, therefore, to believe that Janicab was created to spy on others - something that has become increasingly common with malware in recent years.

According to VirusTotal, detection by most anti-virus products may not be in place yet. However, F-Secure says that it detects the malware as Backdoor:Python/Janicab.A and Trend Micro and Sophos appear to detect it as TROJ_GEN.F47V0712 and Mal/BredZpRTL-A respectively.

You can read more about the malware in F-Secure’s blog.

Tags: , , , , , , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, , , , , , ,

One Response

  1. j.

    May 19, 2014 at 7:28 pm #

    a similar use of the RTL unicode char was used to get malware hosted on Google Drive in April.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.