Mac Malware Tricks Users with Reversed Text

mac-flashback-3Mac users should think twice before downloading PDFs of uncertain origin: A new bit of spyware — under the guise “RecentNews.ppa.pdf” — is actually a nasty piece of malware that shrouds itself in a clever text-reversing trick.

Although compromised PDFs do exist, it’s much easier to spread malware through an executable application. Backdoor:Python/Janicab.A spreads itself through an app that’s easily mistaken for a harmless PDF document, according to a report from the Finnish security gurus at F-Secure Labs.

Unicode — a type of universal computer text in which every symbol has a unique number combination — has a functionality called “RTL” (right-to-left) that’s useful for languages like Arabic and Hebrew, in which words are read right to left but numbers are read left to right. By entering “U+220E” into a document, users can flip text direction at will.

This is good for the speakers of these languages, but even better for malicious hackers. “RecentNews.ppa.pdf” is not a PDF file at all, but rather anexecutable app: “” It’s a clever bit of visual trickery, made more convincing by its launching of a PDF of news highlights in Russian.

The PDF is just misdirection, though. The real meat and potatoes of “RecentNews” is the Janicab backdoor, which takes screenshots and records audio from the infected computer. Janicab can then send these files back to a command-and-control server run by exploiters. [See also: 13 Security and Privacy Tips for the Truly Paranoid]

Aside from the obvious privacy violation, you do not want your screenshots and audio in the hands of strange hackers. If you do your banking online, have a lot of friends in your contact lists or share personal information via Skype calls, these hackers could learn a lot of compromising information.

But don’t fear: Tricks like this one are relatively easy to avoid, even if they hide themselves with backward text. News articles generally move too fast to be stored as PDFs, and “RecentNews” without a date is meaningless. If those signs don’t raise a red flag, the added “ppa” in the file name should. In a normal PDF file, this text would be unnecessary.

If you do get infected with Janicab, a standard malware sweep will get rid of it. That kind of reversal is much better for your system.

This story was provided by TechNewsDaily, a sister site to Follow Marshall Honorof @marshallhonorof. Follow us @TechNewsDaily, on Facebook or on Google+.

Email* (will not be published)
*Indicates required field
Submit Comments

  1. Andrew Says:

    Looks like the days of the “invincible” Mac is over

All Product Types Accessories Cars Digital Camcorders Digital Cameras eReaders GPS Laptops MP3 & Video Players Projectors Smartphones Software Storage Tablets / MIDs VoIP Wi-Fi
All Subcategories
All Subcategories All-Purpose Budget Business Desktop Replacement Gaming Multimedia Netbook Nettop Rugged Student Tablet PCs Ultraportable
Acer Alienware Apple Archos ASUS Averatec BenQ CTL Corp. Dell Digital Storm eMachines Emtec Everex Fujitsu GammaTech Gateway General Dynamics Getac Gigabyte Hercules HP HTC iBuyPower Intel Lenovo MSI Nokia Nvidia OCZ OLPC OQO Origin Panasonic Sager Samsung Sony Sylvania Systemax TabletKiosk Toshiba Verizon Viewsonic Viliv VooDoo Workhorse PC ZT Systems
Minimum Rating
Any Rating 4.5 Stars 4.0 Stars 3.5 Stars 3.0 Stars
Screen Size
10 11 12 13 14 15 16 17 18 20 4 5 6 7 8 9
1024x576 1024x600 1024x768 1200X800 1280 x 720 1280x1024 1280x768 1280x800 1366x678 1366x768 1440x1050 1440x900 1600x768 1600x900 1680x1050 1680x945 1920x1080 1920x1200 800x400 800x480
Weight Range
10.1 - 12.0 pounds 12.1 - 14.0 pounds 14.1 - 16.0 pounds 2 lbs 2 pounds and under 2+ lbs 2.1 - 4.0 pounds 4.1 - 6.0 pounds 6.1 - 8.0 pounds 8.1 - 10.0 pounds Over 16 pounds Under 2 pounds
more options