Federal prosecutors say that Ohio man used MacOS malware that covertly operated cameras and mics and exfiltrated porn searches for 13 years

An indictment in the US District Court for the Northern District of Ohio's Eastern Division alleges that Phillip R Durachinsky created a strain of MacOS "creepware" called Fruitfly, which was able to covertly operate the cameras and microphones of infected computers as well as capturing and sharing porn searches from the infected machines; the indictment alleges that Durachinsky used the software for 13 years, targeting individuals, schools, and federal agencies including the Department of Energy.

The indictment accuses Durachinsky of secretly recording minors engaged in sexual activity and transmitting those recordings across state lines, and implies that Durachinsky trafficked in these images for profit. According to the indictment, Durachinsky also developed a Windows version of Fruitfly.

Durachinsky was 28 at the time of his indictment; if he is the author of Fruitfly, and if Fruitfly is really 13 years old, he was 15 at the time of its origination.

Wednesday's indictment largely confirms suspicions first raised by researchers at antivirus provider Malwarebytes, who in January 2017 said Fruitfly may have been active for more than a decade. They based that assessment on the malware's use of libjpeg—an open-source code library that was last updated in 1998—to open or create JPG-formatted image files. The researchers, meanwhile, identified a comment in the Fruitfly code referring to a change made in the Yosemite version of macOS and a launch agent file with a creation date of January 2015. Use of the old code library combined with mentions of recent macOS versions suggested the malware was updated over a number of years.

More intriguing still at the time, Malwarebytes found Windows-based malware that connected to the same control servers used by Fruitfly. The company also noted that Fruitfly worked just fine on Linux computers, arousing suspicion there may have been a variant for that operating system as well.

Last July, Patrick Wardle, a researcher specializing in Mac malware at security firm Synack, found a new version of Fruitfly. After decrypting the names of several backup domains hardcoded into the malware, he found the addresses remained available. Within two days of registering one of them, almost 400 infected Macs connected to his server, mostly from homes in the US.


USA vs Phillip R Durachinsky [US District Court for the Northern District of Ohio's Eastern Division]

Prosecutors say Mac spyware stole millions of user images over 13 years [Dan Goodin/Ars Technica]

(Image: Alanthebox, CC-BY-SA)