Considering keylogging threats in OS X

MacFixIt looks at how concerned Mac users should be about keylogging threats.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

Periodically I get e-mails from readers wondering about various viruses and malware on OS X, especially given recent malware attempts like MacDefender that have disguised phishing schemes as fake antivirus software that scares users into installing it. Besides phishing schemes, viruses, and worms, some readers have asked about keyloggers and whether or not they are legitimate threats on OS X.

Malware for PC systems comes in all shapes and sizes in order to steal information, wreak havoc, or take control of systems, be it in the form of a phishing scheme like the MacDefender scare, as worms or viruses (of which there are none for OS X), as backdoors and other gateways behind network security infrastructure, or as spyware. Keyloggers are one type of spyware. They are used to capture user input sequences and send them to a remote location, such as an FTP server or an e-mail address. In this way, the logger can pick up potential usernames and passwords among other sensitive information.

So are there any keyloggers for OS X? The answer to this is yes; however, they are distributed as legitimate system-monitoring software packages that advertise the keylogging functionality as one of their key features. Examples include Spector Pro, SniperSpy, Aobo, and Amac. Some people may question the legitimacy of keylogging practices in general, but there are some potentially helpful uses, including monitoring unwanted system use and helping to recover a stolen Mac--the primary sales points for these packages. They can be used to oversee whether computer systems are being used in desired ways. Also, should a system be stolen, a keylogger in conjunction with other security software like LoJack may greatly help in determining the identity of the thief and retrieving the stolen property.

Controversy aside, people may wonder about the risk of keyloggers being used as malware, or distributed in scares similar to the recent MacDefender fake antivirus phishing scam.

It is technically possible for a malicious keylogger to be developed and distributed via a Trojan horse package. As with other malware in OS X, the risk of this is so far very low and there are no known instances of this type of threat. The keyloggers out there are legitimate tools, and while they technically could be used to exploit systems (similar to how any security camera could be used to spy on people), so far none have been distributed specifically as malware for OS X systems.

XProtect auto-update settings
Checking this box in the Security system preferences will keep Apple's XProtect system up-to-date.

In addition, OS X does a good job of preventing unauthorized applications from running, which is why there is currently no known virus or worm (self-propagating) malware for OS X. Apple also has implemented a rudimentary malware scanner in OS X, XProtect, which it updates to detect known malware like MacDefender and supposedly any keylogging malware should it surface in the future.

Despite these measures and the unlikelihood of keyloggers being distributed as malware, some people may be curious about how to detect the presence of keyloggers and other programs that send information to third-party recipients. OS X does come with a firewall to block unwanted network activity, but it only protects against incoming data, not outgoing. However, if you install an outgoing firewall such as Little Snitch on your system, you can detect what programs are attempting to send data to third-party sources, and block them if needed.
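For a one-off look at what an outgoing firewall would show, the output of `lsof -nP -iTCP -sTCP:ESTABLISHED` can be grouped by program and compared against the programs you expect to use the network. The following is an added example, not part of the original article; the sample output, the process name `helperd`, the addresses, and the `EXPECTED` list are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `lsof -nP -iTCP -sTCP:ESTABLISHED` output (not real data).
SAMPLE = """\
COMMAND  PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
Safari   412  alice  23u IPv4 0xa1   0t0      TCP  192.168.1.20:52344->203.0.113.10:443 (ESTABLISHED)
Mail     530  alice  18u IPv4 0xa2   0t0      TCP  192.168.1.20:52345->198.51.100.25:993 (ESTABLISHED)
helperd  777  alice  5u  IPv4 0xa3   0t0      TCP  192.168.1.20:52346->203.0.113.77:21 (ESTABLISHED)
helperd  777  alice  6u  IPv4 0xa4   0t0      TCP  192.168.1.20:52347->203.0.113.77:21 (ESTABLISHED)
localsvc 300  alice  9u  IPv6 0xa5   0t0      TCP  [::1]:49152->[::1]:49153 (ESTABLISHED)
helperd  777  alice  7u  IPv6 0xa6   0t0      TCP  [2001:db8::20]:52350->[2001:db8::99]:587 (ESTABLISHED)
"""

# Assumption: programs this user expects to see talking to the network.
EXPECTED = {"Safari", "Mail"}


def parse_lsof(text):
    """Yield (command, pid, remote_endpoint) for each connection line."""
    for line in text.splitlines():
        fields = line.split()
        # The NAME column (index 8) looks like local->remote; the header
        # and blank lines have no "->" and are skipped.
        if len(fields) < 9 or "->" not in fields[8]:
            continue
        remote = fields[8].split("->", 1)[1]
        yield fields[0], int(fields[1]), remote


def is_loopback(endpoint):
    """True if the host part of host:port or [v6host]:port is loopback."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    return ipaddress.ip_address(host).is_loopback


def unexpected_outbound(text, expected=EXPECTED):
    """Map 'command[pid]' to its remote endpoints for programs not in expected.

    lsof does not say which side opened a connection, so accepted inbound
    connections appear here too; loopback traffic is ignored.
    """
    report = defaultdict(set)
    for command, pid, remote in parse_lsof(text):
        if command in expected or is_loopback(remote):
            continue
        report[f"{command}[{pid}]"].add(remote)
    return {proc: sorted(remotes) for proc, remotes in report.items()}


if __name__ == "__main__":
    for proc, remotes in unexpected_outbound(SAMPLE).items():
        print(proc, "->", ", ".join(remotes))
```

A single snapshot only catches connections open at that moment, which is why a continuously running outgoing firewall remains the more reliable check.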

In addition to Little Snitch or other detectors, you can protect yourself from keylogging activity by minimizing the use of the keyboard to enter sensitive information that might be useful to a thief, which mainly includes authentication information and the Web sites for which you use this information. Set up your sensitive Web sites in a bookmark list so you won't need to type their URLs into your browser's address field, and use a password manager to securely store the authentication for these sites. Apple's keychain will hold authentication information for services and applications, but does not do so for many Web sites and Web forms. Using a secondary manager like 1Password for these sites is an easy way to avoid having to enter your passwords. Alternatively, you can save your passwords in a Secure Note in Apple's Keychain Access utility and then copy and paste them into your browser to avoid typing them.

Overall, the threat from keyloggers is virtually nil on Mac systems; again, they definitely do exist, but so far only as legitimate software packages.
