New Mac Malware “Cuckoo” Can Take Screenshots of Your Desktop and Other Creepy Actions

Mac users beware. New malware is hiding among third-party apps and can steal your sensitive data. Everything from your Mac’s hardware information to your saved notes and passwords can be stolen. It can even capture screenshots of your computer while you’re using it.

This malware was named Cuckoo by Kandji, an Apple device security company that recently released a report on its discovery. Here are some of the most alarming details about Cuckoo.

Where Cuckoo was found hiding

According to Kandji’s report, Cuckoo was initially found with a Spotify music download app called “DumpMedia Spotify Music.” The app claims to help users extract music from Spotify so that they can directly download the audio file in MP3 format.

However, upon further investigation, Cuckoo was discovered along with a number of other third-party music download apps and iPhone/Android backup software distributed by websites such as “tunesolo[.]com, foundog[.]com, tunesfun[.]com, tunefab[.]com.”

The report focuses on the DumpMedia Spotify Music app, where Cuckoo was first discovered, and presents some interesting details. For example, after downloading most legitimate Mac applications distributed outside of the official Apple App Store, the user is usually asked to drag the application from the .DMG file to the Applications folder of the computer. However, in the case of DumpMedia Spotify Music, the user is prompted to right-click the app and choose “Open”.

From there, the malware starts collecting information about the host device. The Mac user who initiated the download would be none the wiser, however, as Kandji’s report notes that DumpMedia Spotify Music does install and open, which hides the malware.

What is Cuckoo stealing?

Once the user installs the DumpMedia Spotify Music app, Cuckoo gets to work.

According to Kandji, Cuckoo gathers details about the Mac’s hardware, as well as information about installed applications and running processes on the computer.

Cuckoo can also steal a substantial amount of user information on Mac. It extracts data from Apple Notes and messaging apps including Discord and Telegram.

It can collect web browsing history and Safari cookies, as well as sensitive data stored in iCloud Keychain. Cuckoo can also retrieve data in real time, as it can take screenshots without the user knowing that their current screen is being recorded.

Kandji says the malware can target older Intel-based Macs as well as newer Apple silicon Macs (M1, M2, M3, etc.).

All but one of the apps that contained the Cuckoo malware were registered under a “valid developer ID of Yian technology Shenzhen Co., Ltd.” The Fonedog app was linked to a developer ID of FoneDog technology Limited. Kandji believes there are other websites and applications hosting the Cuckoo malware that have not yet been discovered.
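One way to check installed apps against the two signer names above, as an added example that is not from Kandji's report or the article: it parses the `Authority=` line that `codesign -dvv` prints and compares the signer name case-insensitively. The sample output and its team ID are constructed placeholders, and a match shows only who signed an app, not that it is infected.

```python
import re
import subprocess
import sys
from pathlib import Path

# Signer names as the article gives them; compared case-insensitively.
FLAGGED_SIGNERS = ("Yian technology Shenzhen Co., Ltd.", "FoneDog technology Limited")

# `codesign -dvv` prints a line such as:
#   Authority=Developer ID Application: Some Name (TEAMID1234)
AUTHORITY_RE = re.compile(
    r"^Authority=Developer ID Application: (.+?)(?: \(([A-Z0-9]+)\))?$", re.M)

def developer_id(codesign_output):
    """Return (signer_name, team_id) from `codesign -dvv` text, or None when
    the bundle has no Developer ID authority (unsigned, ad hoc, App Store)."""
    m = AUTHORITY_RE.search(codesign_output)
    return (m.group(1).strip(), m.group(2)) if m else None

def classify(codesign_output):
    """'flagged' for a signer named in the article, 'no_developer_id' when no
    Developer ID authority is present, otherwise 'other'."""
    ident = developer_id(codesign_output)
    if ident is None:
        return "no_developer_id"
    name = ident[0].casefold()
    return "flagged" if any(s.casefold() == name for s in FLAGGED_SIGNERS) else "other"

def scan(app_dir="/Applications"):
    """Run codesign over every .app bundle in app_dir (macOS only)."""
    results = {}
    for app in sorted(Path(app_dir).glob("*.app")):
        proc = subprocess.run(["codesign", "-dvv", str(app)],
                              capture_output=True, text=True)
        results[app.name] = classify(proc.stderr)  # codesign writes details to stderr
    return results

# Constructed sample output; the identifier and team ID are placeholders.
SAMPLE_FLAGGED = """Identifier=com.example.musicconverter
Authority=Developer ID Application: Yian Technology Shenzhen Co., Ltd. (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
SAMPLE_UNSIGNED = "/Applications/Example.app: code object is not signed at all\n"

if __name__ == "__main__" and sys.platform == "darwin":
    for name, verdict in scan().items():
        if verdict == "flagged":
            print(f"signed by a developer ID named in the report: {name}")
```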

Mac users should proceed with caution when downloading applications from unknown third-party developers.


Teknory