Attack Allows OS X Malware To Piggyback On Your Webcam

Share This:


Security researcher Patrick Wardle of Synack has discovered a new potential use of malware that targets the use of the Mac OS X webcam. This new attack allows OS X malware to record video and audio whenever a victim legitimately turns on their webcam, without drawing attention to itself. As you can see in the image above, when a user initiates their webcam, a light turns on to let them know their webcam is on. This new malware attack would detect when the victim turns on their webcam, then piggybacks on the webcam stream, allowing them to capture video and audio without the user knowing. As soon as the user ends the webcam session, the malware disconnects from the webcam as well.

Macs aren’t immune to malware attacks, malware such as OSX/Eleanor, OSX/Crisis, OSX/Mokes, etc, all attempt to spy on OS X users.

As Wardle is explaining at the explaining at the Virus Bulletin 2016 conference in Denver, Colorado, this week:

After examining various ‘webcam-aware’ OS X malware samples, the research will show a new ‘attack’ that would allow such malware to stealthily monitor the system for legitimate user-initiated video sessions, then surreptitious piggyback into this in order to covertly record the session. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection.


To detect the webcam session, the malware enumerates the camera and registers for notifications. Once it receives a notification that the camera is turned on, it begins recording. It then turns off once the session has ended. Some people utilize webcam covers to prevent unauthorized users from spying on their webcam. In this scenario, the user would remove that cover so that they could use their webcam.

Wardle has developed OverSight, a new free tool that protects against piggybacking OS X webcam attacks.


Whenever a program activates the internal mic or accesses the webcam, OverSight displays an alert (seen above). A user can then choose to allow or block the program.

Share This:


Leave a Comment