How to protect your Mac from malware including Keydnap and Backdoor.MAC.Eleanor

While you should always be vigilant against malware regardless of your device or operating system, MacBook users recently got a reminder about the importance of security, with the discovery of two new examples of macOS malware: Backdoor.MAC.Eleanor and OSX/Keydnap.

Thankfully, two new pieces of Mac malware in a week isn’t something that happens often, but it never hurts to brush up on your security skills!

In this article I’ll share some tips on how to keep your Mac safe from the Eleanor and OSX/Keydnap malware, plus some general security tips to prevent all forms of malicious software from infecting your MacBook.

Mac malware: What do you need to know?

Even though the term ‘malware’ is often used interchangeably with “virus,” they are two different things. Instead of infecting your machine without your knowledge (like a virus), malware attempts to trick you into installing it, by disguising itself as legitimate software. Often, malware actually pretends to be software that helps protect your MacBook against malware! Then, once the malware is installed it tries to gather information about you including your credit card and banking details.  

macOS does have plenty of built-in security features that can help protect you from most known malware – plus, Apple are pretty good at issuing security updates as new malware is discovered. But don’t let this lull you into a false sense of security! No operating system is  immune to malware. There’s a whole world of security threats out there, and reports of Mac malware seem to be getting more frequent.

So how do I keep my Mac secure?

Let’s look at the two new examples of Mac malware. Eleanor is a backdoor program, also known as a Trojan horse. Once installed, Eleanor allows attackers to perform all sorts of nefarious deeds, including executing commands and scripts; editing, deleting and stealing your files – and even snapping photos of you via your webcam!   

In true malware style, Eleanor is distributed under the guise of useful software – in particular, a program known as  ‘EasyDoc Converter.’

While it’s currently unknown exactly how Keydnap arrives on your computer, it takes the form of a ZIP file that you first have to extract, and then install. At this point, Keydnap downloads and install the backdoor component (icloudsyncd), which attempts to gain root access to your MacBook in a particularly sneaky way – it waits until you try to launch a different application and then spawns a window asking for your credentials, in exactly the same way a legitimate app would request admin privileges.

As you’ve probably already noticed, there’s a pattern here. Eleanor and Keydnap, just like all malware, relies on you actively downloading and running it, so one of the most effective ways of keeping your laptop secure is also the easiest: be careful about what you download!

Apple are very strict about the apps they can be distributed through their App Store, which is sometimes bad news for developers, but also helps to keep MacBook users safe. If you want to download a new app, then the App Store should be your first port of call, as there have been very few reported instances of the App Store distributing malware.

If the app you have in mind isn’t available through the App Store, then make sure you download it from a reputable source.

The most reputable source is always the app’s official website, or the website of the developer or company who created the app. Although there are many third party download sites out there, it’s not usual for these websites to wrap legitimate software inside of installers that contain adware, trialware, unwanted apps or, in the worst case scenario, malware.  

If you’re tempted to download an app from a third party website, ask yourself: what’s in it for the developer? Why would someone who put so much effort into creating an app, make it available for free through an external website? Best case scenario, the program is being offered without the developer’s permission (which is unfair anyway) but worst case scenario, the third party has ulterior motives in trying to tempt you into downloading the program through their website, and not via the official channel.

If you’re unsure, then always go with your gut – if it feels wrong, or too good to be true (for example, maybe a website is offering proprietary software for free) then chances are it is wrong. Play it safe and find an alternative place to download your app.

Also be wary of simply entering an application’s name into a search engine and clicking the first link that appears. Just because a website appears high in Google’s search results, doesn’t automatically mean that it’s legitimate. Many third party websites are search engine optimisation (SEO) savvy, and know exactly how to score a top spot in Google’s search results.

But let’s imagine you’ve been tricked into downloading a dodgy file. The good news is that you still need to actively run and install this file, which means you have another chance to spot the malware for exactly what it is – so what are the warning signs you should be looking for?

Spotting Malicious Files

Anyone can get unique Developer ID from Apple and then use this to digitally sign their apps, but many malicious apps (including Eleanor and Keydnap) aren’t digitally signed by a valid Apple developer certificate.

Although you won’t notice any difference when you download an unsigned app, when you try to install it macOS will warn you that this app is from an unsigned developer. This is another opportunity for you to consider whether this app might actually be malware.

Statistically speaking, unsigned apps are more likely to be malicious than signed software, so if you’re unsure about an unsigned app then it’s always best to delete it and search for an alternative download – or even better, an alternative app that’s available through the App Store.

While you should always look at unknown packages with a suspicious eye, it’s important to note that just because an application is unsigned, doesn’t automatically make it malware – some developers simply choose not to digitally sign their applications.

If you do decide to go ahead and install an unsigned app, you’ll need to right-click the downloaded file, select ‘Open’ and then confirm that you want to launch the app.

How else can I prevent my MacBook from becoming infected?

Here’s some additional tips and tricks you should bear in mind, to help ensure your MacBook remains malware-free:

  • Ensure that your operating system is always up to date

As already mentioned, Apple are pretty good about issuing security updates, so one of the best ways to keep your Mac secure is to make sure you’re running the latest version of macOS. To check whether an update is available, open the App Store, select ‘Updates’ and look for any ‘Software Updates.’

software updates

You may also want to turn on automatic updates, by opening your MacBook’s ‘System preferences…’ and selecting ‘App Store.’ Make sure ‘Automatically check for updates’ is selected, and then select ‘Install macOS Updates’ and ‘Install system data and security updates.’

automatically check for updates

  • Don’t be hooked by phishing scams

Another common trick for infecting your MacBook with malicious software, is to redirect from from a legitimate website, to a fake website that pretends to scan your laptop and then informs you that it’s detected a computer virus or other malicious software. You’ll then be offered the software you need to fix this exact problem (convenient).

If you install this software, it’ll periodically pretend to scan your Mac, finding problems each time, and prompting you to enter more and more of your personal information in order to fix these problems – perhaps even outright requesting you to enter your credit card details.

While there’s no definitive list of malware that follows this pattern, some known offenders are MacDefender, MacProtector and MacSecurity.

So, if you find yourself suddenly redirected to a website that claims your MacBook is infected, then you should immediately close your browser. If your browser refuses to close, then you can trigger a force quit by clicking the Apple logo in the menu bar, followed by ‘Force Quit.’

force quit

Select your browser from the list of running apps and give the ‘Force Quit’ button a click.

Depending on the malware you’ve stumbled across, your browser might automatically download the malware’s installer, so it’s always worth checking your MacBook’s ‘Downloads’ folder. If you spot anything unusual, then drag it to the Trash can and immediately take out the trash.

  • Beware of offline malware

Malware isn’t just an online phenomenon! Increasingly, scammers are branching out and actually calling people, claiming to be from a security-conscious organisation who’s spotted malware on your computer. At this point, they offer to remove said malware – for a price.

If this happens to you, then put the phone down. No respectable company is going to ring you out of the blue requesting your credit card details in return for removing malware!

Before you go

After spending over 20 years working with Macs, both old and new, theres a tool I think would be useful to every Mac owner who is experiencing performance issues.

CleanMyMac is highest rated all-round cleaning app for the Mac, it can quickly diagnose and solve a whole plethora of common (but sometimes tedious to fix) issues at the click of a button. It also just happens to resolve many of the issues covered in the speed up section of this site, so Download CleanMyMac to get your Mac back up to speed today.


About the author

Jessica Thornsby

Jessica Thornsby is a technical writer based in Sheffield. She writes about Android, Java, Kotlin and all things Apple. She is the co-author of O'Reilly's "iWork: The Missing Manual," and the author of "Android UI Design," from Packt Publishing.

1 Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • I pretty much lock my iMac and Macbook down, so that it’s tough for me to install anything that isn’t from the app store, but I’ve had no issues with malware, so that’s a plus. I will say that your advice to just hang up is the best possible too. I had one of those companies call, saying they had “detected a malicious program on my Windows 7 PC, and it must be removed right away.” I calmly said I didn’t own any PC, and did not have Windows installed on any Mac I own, only to be yelled at and berated for “not caring that I was going to spread a virus.” I demanded a supervisor, and had to threaten to sue for them to remove my name. I still blocked their number, so be ready to either hang up, or have the caller who “wants to help you” start yelling and calling you names for not giving them money.