Mac users should think twice before downloading PDFs of uncertain origin: A new bit of spyware — under the guise “RecentNews.ppa.pdf” — is actually a nasty piece of malware that shrouds itself in a clever text-reversing trick.
Although compromised PDFs do exist, it’s much easier to spread malware through an executable application. Backdoor:Python/Janicab.A spreads itself through an app that’s easily mistaken for a harmless PDF document, according to a report from the Finnish security gurus at F-Secure Labs.
Unicode — the universal character-encoding standard in which every character has its own unique code point — includes a right-to-left (“RTL”) facility for languages like Arabic and Hebrew, in which words are read right to left but numbers are read left to right. By entering “U+220E” into a document, users can flip text direction at will.
This is good for the speakers of these languages, but even better for malicious hackers. “RecentNews.ppa.pdf” is not a PDF file at all, but rather an executable app: “RecentNews.fdp.app.” The right-to-left control inserted into the name makes the end of it render backwards, so the “.app” extension the system actually honours appears to the eye as “.pdf.” It’s a clever bit of visual trickery, made more convincing by the fact that launching the app opens a PDF of news highlights in Russian.
The PDF is just misdirection, though. The real meat and potatoes of “RecentNews” is the Janicab backdoor, which takes screenshots and records audio from the infected computer. Janicab then sends these files back to a command-and-control server run by the attackers.
Aside from the obvious privacy violation, you do not want your screenshots and audio in the hands of strange hackers. If you do your banking online, have a lot of friends in your contact lists or share personal information via Skype calls, these hackers could learn a lot of compromising information.
But don’t fear: Tricks like this one are relatively easy to avoid, even when they hide themselves with backward text. News stories generally change too fast to be worth distributing as PDFs, and a file called “RecentNews” with no date is meaningless. If those signs don’t raise a red flag, the extra “ppa” in the file name should: a genuine PDF has no reason to carry it.
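As an added illustration that is not part of the original article or of F-Secure’s report, the Python script below reproduces the display trick described above and implements the check a file-scanning tool would run: it renders a name the way a naive file browser would, recovers the extension the operating system actually honours, and flags names where the two disagree. It uses U+202E, the Unicode RIGHT-TO-LEFT OVERRIDE control; the sample file names are constructed for this example.

```python
import os

# Unicode bidirectional controls that change how text is drawn but not stored.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one behind the "RecentNews" disguise.
RLO, PDF_CTRL = "\u202e", "\u202c"
BIDI_CONTROLS = {"\u200e", "\u200f", "\u202a", "\u202b", "\u202c",
                 "\u202d", "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}

def displayed_name(name):
    """Approximate what a file browser shows: each run after an RLO, up to a
    POP DIRECTIONAL FORMATTING (U+202C) or the end of the string, is drawn
    reversed; other bidi controls are invisible and are simply dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF_CTRL, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)

def analyse(name):
    """Compare the extension the OS acts on with the one the user sees."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    shown = displayed_name(name)
    real_ext = os.path.splitext(stripped)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "displayed": shown,
        "real_ext": real_ext,
        "displayed_ext": shown_ext,
        "has_bidi": stripped != name,
        # Disguised: bidi controls present AND the visible extension differs
        # from the one the system will actually execute.
        "suspicious": stripped != name and real_ext != shown_ext,
    }

if __name__ == "__main__":
    # Constructed sample: the first entry mimics the Janicab dropper's name,
    # "RecentNews." + RLO + "fdp.app", which a file browser renders as .pdf.
    samples = ["RecentNews.\u202efdp.app", "RecentNews.pdf", "notes.txt"]
    for n in samples:
        print(repr(n), "->", analyse(n))
```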
If you do get infected with Janicab, a standard malware sweep will get rid of it. That kind of reversal is much better for your system.