Skip to content
Naked Security Naked Security

Man charged with spying on thousands of Mac users for 13 years

The technical description of the “Fruitfly” malware is spyware - but perhaps the term creepware would be more appropriate.

The technical description of the “Fruitfly” malware is “spyware.” But given the way it has allegedly been used, a better label would be creepware – creepware that should have easily been detected, but somehow stayed under the radar for more than a decade.
According to a 16-count indictment unsealed on Wednesday in US District Court for the Northern District of Ohio, its creator, Phillip R. Durachinsky, 28, used it to spy on thousands of victims for more than 13 years. Durachinsky spent this time not only collecting personal data but also watching and listening to victims through their webcams and microphones, and using some of what he collected to produce child abuse imagery.
Durachinsky, of North Royalton, Ohio, was charged with Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child abuse imagery, and aggravated identity theft, according to a Department of Justice (DoJ) press release.
The victims ranged from individuals to companies, schools, a police department and government entities including one owned by a subsidiary of the US Department of Energy.
According to the DoJ:

(It) enabled him to control each computer by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio.
(He) used the malware to steal the personal data of victims, including their logon credentials, tax records, medical records, photographs, banking records, internet searches, and potentially embarrassing communications.

The indictment charges that while Durachinsky primarily used Fruitfly to infect Macs, he also wrote variants of Fruitfly that were capable of infecting computers running Windows.
It said he saved millions of images, kept detailed notes on what he observed, and designed it to alert him if a user typed words associated with pornography.
Besides the creep factor, a stunning thing about Fruitfly is that it is both unsophisticated and relatively easy to spot, yet according to the DoJ, Durachinsky was able to use it undetected from 2003 until January 2017, when he was arrested and jailed on another charge. He remains in custody.


Forbes reported that Durachinsky was charged a year ago with hacking into computers at Case Western Reserve University (CWRU), which had reported to the FBI that 100 of its computers were infected. The FBI found that they had been infected for “several years” and that the same malware had infected other universities.
But apparently that arrest was not connected to Fruitfly, even though this was when the spyware was discovered.
Six months later, Forbes reported that Patrick Wardle, a former National Security Agency analyst and now a researcher specializing in Mac malware, found a new version of Fruitfly, decrypted the names of several backup domains hardcoded into the malware and found the addresses remained available.
Within two days of registering one of them, almost 400 infected Macs connected to his server, mostly from homes in the US. He then gave his findings to law enforcement, which may have provided the evidence used to bring this week’s indictment.
So far, it is not clear how Fruitfly infects computers, but since there is no evidence it exploited vulnerabilities, it likely gained access by tricking victims into clicking on malicious Web links or email attachments.
Wardle told Forbes that it was clear that surveillance was the primary purpose of Fruitfly.

This didn’t look like cybercrime type behaviour, there were no ads, no keyloggers, or ransomware. Its features had looked like they were actions that would support interactivity: it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events.

And, he said there were signs it had been around for years, since the code included comments about updates for Mac OS X Yosemite, first released in 2014, indicating that it had been running well before that.
Within this week’s complaint, prosecutors also asked the court to order that Durachinsky forfeit any property he derived from his 13-year campaign, an indication that they allege he sold the images and data he acquired to others.
The DoJ didn’t say whether Durachinsky had entered a plea, but included the standard disclaimer in its press release:

The charges in the indictment are merely allegations, and the defendant is presumed innocent unless proven guilty beyond a reasonable doubt in a court of law.

Sophos detects Fruitfly as OSX/Bckdr-RUA and Troj/Bckdr-RUC.

14 Comments

What’s happened to today’s youth? When I was, 15, all I wanted was to play Zork.
Well, not really all…

And I bet the Sophos website was the first place you visited when you got the internet. Well, the second anyway…

My point being, he did this when he was 15.
*Of course that’s not so difficult to believe*
Spying on people, is an everyday occurrence with governments. Imagine if this kid/guy was really nefarious in his thinking, for that length of time…

I would argue that reason the malware went undetected for so long is because Mac users have long believed that they don’t need malware protection and that it’s a Microsoft Windows problem. Thus, there was likely nothing to inform them of its existence on their computers.

I think you may be right – our product detects various Fruitfly variants, for example, so you’d like to think that our users wouldn’t have been infected in the first place…but the people who didn’t get infected (for whatever reason) don’t make it into this story.
A lot of Mac users still seem to think that malware can’t infect you without producing an obvious giveaway such as popping up an “enter your admin password” prompt. These users back themselves to spot any malware incursions (admittedly unlikely, compared to Windows) every time.
Therefore they assume that anti-virus software is nothing but a belt to go with the braces they already have in the form of their own vigilance.
But [a] it only takes one misjudgment [b] most Mac malware doesn’t need admin privileges anyway and [c] many legitimate programs ask you for your admin password every time they update (e.g. Flash, Java), so a password prompt is hardly unusual.

I must place myself in the category of those who just luckily I guess understood from many years ago that no matter if I’m on my Mac or Windows machine threats would always be present, although my older brother has been a Mac user from his beginning day of using computers (many years ago) and stressed over and over that Macs were not and forseeably never will be invulnerable…BUT my original comment will be to say I (like many others) do all I learn of to protect myself while feeling it’s only a matter of time before getting hit somehow. Not being in the computer or security related fields puts ‘the rest of us’ so far out of the loop compared to people in your position one can’t help but just wait for something to get us that goes unnoticed as this article brings up. The extents I go through now just to hit the net is SO far from years ago and I’m not getting any younger so remembering to do everything that needs done every time some day is sure to expire :) (“But [a] it only takes one misjudgment”) Thanks for all you all do!

A small point I’m confused on. The DOJ says the malware was used in “logging a user’s keystrokes”. But the researcher, Wardle, said: “there were no ads, no keyloggers, or ransomware.” Which one is right? Was it a keylogger?

“Besides the creep factor, a stunning thing about Fruitfly is that it is both unsophisticated and relatively easy to spot, yet according to the DoJ, Durachinsky was able to use it undetected from 2003 until January 2017, when he was arrested and jailed on another charge. He remains in custody.”
Perhaps one of you could put together an article explaining how that could happen…?

Quick question, if anyone knows.
Will fruitfly disable the little green light next to the camera? I thought the cable that gives power to the camera is hardwired with the light so that software is not part of the equation, and that it does light up when the camera gets power or is enabled.
Sorry, I’ve heard so many times that hackers can disable the light without disabling the camera, but I have a hard time believing that theory if the connection is purely hardware based.

AFAIK, the answer (as so often in computer security) is, “It depends.” Apparently, some webcams have the LED controlled by camera power, so that the two turn on and off together. Others have the LED switchable independently, so that the camera can be on when the light is not. How to tell which sort of webcam is installed in your computer…well, I’m not sure how you can be sure, to be sure.
I’ve always assumed that my Mac has the light and the camera wired separately because the camera seems to control the brightness of the keyboard backlight. (Put your hand in front of the camera and the keyboard glow changes.) Therefore the camera must be able to deliver at least some data without the LED activating…

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?