New ReiKey app can detect macOS keyloggers
Patrick Wardle, a former NSA hacker who in recent years has become the de facto expert on everything Mac malware, has created and released a Mac app that can detect certain types of macOS keyloggers.
Wardle created and released the new app, named ReiKey [GitHub], towards the end of 2018, as he started looking into the inner workings of macOS keyloggers [1, 2].
“The majority of macOS malware that contains keylogger logic (to capture keypresses) does so via CoreGraphics ‘event taps’,” said Wardle.
ReiKey was specifically created to work around this common keylogger design pattern. Wardle’s app works by continuously scanning the operating system for newly registered CoreGraphics event taps.
When ReiKey detects any app that registers a new CoreGraphics event tap, it shows a popup notification with information about the suspicious process that created it, so that the user can look into it and determine whether it originated from a legitimate or malicious process.
Image: Patrick Wardle
In some cases, these notifications will be false positives, as some apps with accessibility features or that respond to various keyboard commands will also use CoreGraphics event taps to respond to user input. One such example is Siri.
However, very few macOS apps tend to use event taps, and ReiKey is the perfect app to have your back when installing new or never-before-used apps.
If the app installs an event tap for which it doesn’t have a reason to do so, then the user should either look into the app’s features for an explanation or consider using an alternative app.
By default, ReiKey runs all the time in the OS’ background and listens to newly registered event taps, but it can also scan a system on demand for any processes that have already installed a CoreGraphics keyboard event tap.
Users can trigger the on-demand all-system scan from the ReiKey icon (by clicking the “Scan…” option), or they can use ReiKey from the command line. Screenshots of these features and more are available below:
Image: Patrick Wardle
Image: Patrick Wardle
Image: Patrick Wardle
Image: Patrick Wardle
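To make the detection approach concrete, here is an added example in Swift that is not ReiKey's own code and is not taken from Objective-See: it enumerates every event tap registered with the window server through Apple's public CGGetEventTapList() API, flags the taps whose event mask includes keyboard events (the one-shot "scan" in the article), and, with a hypothetical `--watch` flag, polls for keyboard taps that appear after the first snapshot (the "continuously scanning" mode). The buffer size for proc_pidpath, the two-second polling interval and the file name `tapwatch.swift` are assumptions of this example, and it must be built and run on macOS.

```swift
// Added example (not ReiKey's own code): enumerate CoreGraphics event taps with
// Apple's CGGetEventTapList(), flag the keyboard-related ones, and optionally poll
// for taps that appear after the first scan. Build on macOS with:
//   swiftc -O tapwatch.swift -o tapwatch
import Foundation
import CoreGraphics

/// One bit of a CGEventMask, mirroring the CGEventMaskBit() C macro.
func maskBit(_ type: CGEventType) -> CGEventMask {
    return CGEventMask(1) << CGEventMask(type.rawValue)
}

/// Event types a keylogger needs: key down, key up, and modifier changes.
let keyboardMask: CGEventMask =
    maskBit(.keyDown) | maskBit(.keyUp) | maskBit(.flagsChanged)

struct TapRecord: CustomStringConvertible {
    let tapID: UInt32
    let pid: pid_t
    let path: String
    let enabled: Bool
    let mask: CGEventMask

    var listensToKeyboard: Bool { return mask & keyboardMask != 0 }
    var description: String {
        return "tap \(tapID) pid \(pid) \(path) enabled=\(enabled) keyboard=\(listensToKeyboard)"
    }
}

/// Resolve a pid to its executable path via proc_pidpath (Darwin libproc).
func processPath(_ pid: pid_t) -> String {
    // Assumed buffer size: 4 * MAXPATHLEN, the size libproc documents for proc_pidpath.
    var buffer = [CChar](repeating: 0, count: 4096)
    let n = proc_pidpath(pid, &buffer, UInt32(buffer.count))
    return n > 0 ? String(cString: buffer) : "<unknown>"
}

/// Snapshot every event tap currently registered with the window server.
func enumerateTaps() -> [TapRecord] {
    var count: UInt32 = 0
    // First call with no buffer just reports how many taps exist.
    guard CGGetEventTapList(0, nil, &count) == .success, count > 0 else { return [] }
    var infos = [CGEventTapInformation](repeating: CGEventTapInformation(), count: Int(count))
    // Second call fills the buffer; `count` is updated to the number actually returned.
    guard CGGetEventTapList(count, &infos, &count) == .success else { return [] }
    return infos.prefix(Int(count)).map { info in
        TapRecord(tapID: info.eventTapID,
                  pid: info.tappingProcess,
                  path: processPath(info.tappingProcess),
                  enabled: info.enabled,
                  mask: info.eventsOfInterest)
    }
}

/// Keyboard taps present in `current` whose tap ID was not seen in `previous`.
func newKeyboardTaps(previous: [TapRecord], current: [TapRecord]) -> [TapRecord] {
    let known = Set(previous.map { $0.tapID })
    return current.filter { $0.listensToKeyboard && !known.contains($0.tapID) }
}

// One-shot scan: list every tap, keyboard ones first.
var seen = enumerateTaps()
for tap in seen.sorted(by: { $0.listensToKeyboard && !$1.listensToKeyboard }) {
    print(tap)
}

// Hypothetical `--watch` flag: poll for taps registered after the initial scan.
if CommandLine.arguments.contains("--watch") {
    print("watching for new keyboard event taps (Ctrl-C to stop)")
    while true {
        sleep(2)  // assumed polling interval
        let now = enumerateTaps()
        for tap in newKeyboardTaps(previous: seen, current: now) {
            print("NEW keyboard tap: \(tap)")
        }
        seen = now
    }
}
```

Run `./tapwatch` for a single snapshot or `./tapwatch --watch` to be told about keyboard taps created afterwards. As the article warns, the list will include taps owned by legitimate Apple and third-party processes (accessibility tools, Siri), so the path and pid of the tapping process, not the mere presence of a tap, is what the reviewer should act on; a tap whose owner is an unsigned binary in a temporary directory deserves far more scrutiny than one owned by a system service.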
Users should be aware that ReiKey doesn’t detect all types of macOS keyloggers, as some of these might be using other methods for recording keystrokes. Nonetheless, because it’s a free app, it’s a solid alternative for Mac users who can’t afford a full-blown antivirus.
ReiKey is just the latest app released under the Objective-See brand of Mac security and privacy apps. Other free Mac security apps that Wardle has released in the past under this brand include LuLu (firewall), Do Not Disturb (evil maid protection), KnockKnock (detection of persistently installed Mac software), RansomWhere (ransomware detection and protection), OverSight (detection of Mac malware that records audio and video sessions), and many more.
Wardle is also the man behind the Objective by the Sea conference, one of the few security conferences focused on Mac malware. Talks and slides from the conference’s first edition are available here.